One Article Review

Home - The article:
Source: NoticeBored
Identifier: 2148837
Publication date: 2020-08-10 11:44:49 (viewed: 2021-01-06 20:37:57)
Title: NBlog Aug 8 - musing on ISO/IEC 27014 & infosec governance
Text: This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of information security", partly to update ISO27001security.com but mostly out of my fascination with the topic.

Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture":

"Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important. To establish a positive information security culture, top management should require, promote and support coordination of interested party activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs. Information security responsibilities should be integrated into the roles of staff and other parties, and they should support the success of each ISMS by taking on these responsibilities."

Not bad, although personally I would have mentioned senior management setting 'the tone at the top', in other words influencing the entire corporate culture through their leadership, decisions, direction and control, and particularly through the way they behave.

For example, even though management may formally insist upon ethical behaviour as a policy matter, if managers in fact act unethically, push the boundaries of ethicality through their decisions and priorities, or simply tolerate (turn a blind eye to, fail to address) unethical or dubious activities, that can severely erode if not destroy the value of the policy.

Workers observant enough to spot the disconnect between theory and practice are, in effect, enabled or even encouraged to decide for themselves whether to comply with the policy. In a disciplinary situation, management's failure to enforce compliance with
Sent: Yes
Tags: Guideline


The article does not appear to have been picked up after its publication.

The article does not appear to have been taken from an earlier one.