Tuesday, April 13, 2010

Security Policy Review

After the security policy has been in place for some period of time, the company’s information security controls should be audited against the applicable policies. A review process should be developed that is appropriate to the procedures and resources of the company. Make sure that each policy is both A) being followed as per its guidelines, and B) still appropriate to the company’s situation.

Regularly review the security policy to ensure that it still meets your company’s requirements. Create a process so that the policy is periodically reviewed by the appropriate persons. This should occur both at set intervals (e.g., once per year) and when certain business changes occur (e.g., the company opens a new location).

During reviews you will likely find that changes need to be made. Often, policy changes will be needed to accommodate changes in the company, security technology, or applicable regulations. Sometimes you will find that the policy is still appropriate for the company, but the users are no longer adhering to the policy. In this case, re-educating your users on the security policy is in order.

Regular policy review, along with taking actions dictated by the review, will ensure that the policy does not grow “stale” and will continue to be a useful management tool for years to come.
