An information security policy is the foundation of an enterprise security program, ideally establishing in clear language what the organization expects from its security operations based on both its tolerance for risk and on its regulatory obligations.
Yet security advisers say many organizations fail to give adequate attention to writing and maintaining strong information security policies, instead filling in blanks on generic templates and filing them away.
“It’s too often seen [by enterprise leaders] as an exercise to do, so that they can just check the box as done,” says John Pescatore, director of emerging security trends for SANS Institute, a research and education organization focused on information security.
On the other hand, organizations that tailor the information security policy to their own needs and circumstances (based on enterprise risk, risk tolerance, regulatory requirements and desired best practices), and that actively manage the policy through scheduled reviews and updates when needed, create a strong basis for their entire security program. As a result, they are better positioned to achieve the security posture they seek.
Here are answers to…