Information Risk & Security Policies
All documents are in PDF 1.4 format, compatible with Adobe Reader 5.0 and higher.
A light-hearted appraisal of the often deficient quality of ‘off the shelf’ security policies.
A framework is needed to coordinate corporate security policy development – a generic tree structure can be one of the most effective.
Security policies will never be effective while they fail to mesh with business processes. The two must be closely integrated so that policy objectives cease to be viewed as externalities.
Security policies should specify what you are trying to achieve, not how to achieve it blow by blow – that's what procedures are for. But policies must also explain why, and define KPIs.
When did you last review your security policies in terms of whether they actually work?