One Article Review

Source: NoticeBored
Identifier: 2619342
Publication date: 2021-04-11 14:52:31 (seen: 2021-04-11 03:05:22)
Title: Infosec policy development
Text: We're currently preparing some new information risk and security policies for SecAware.com. It's hard to find gaps in the suite of 81 policy templates already on sale (!) but we're working on these four additions:

Capacity and performance management: usually, an organisation's capacity for information processing is managed by specialists in IT and HR. They help general management optimise and stay on top of information processing performance too. If capacity is insufficient and/or performance drops, that obviously affects the availability of information ... but it can also harm quality/integrity and may lead to changes that compromise confidentiality, making this an information security issue. The controls in this policy will include engineering, performance monitoring, analysis/projection and flexibility, with the aim of increasing the organisation's resilience. It's not quite as simple as 'moving to the cloud', although that may be part of the approach.

Information transfer: disclosing/sharing information with, and obtaining information from, third-party organisations and individuals is so commonplace, so routine, that we rarely even think about it. This policy will outline the associated information risks, mitigating controls and other relevant approaches.

Vulnerability disclosure: what should the organisation do if someone notifies it of vulnerabilities or other issues in its information systems, websites, apps and processes? Should there be mechanisms in place to facilitate, even encourage, notification? How should issues be addressed? How does this relate to penetration testing, incident management and assurance? Lots of questions to get our teeth into!

Clear desks and screens: this is such a basic, self-evident information security issue that it hardly seems worth formulating a policy. However, in the absence of policy and with no 'official' guidance, some workers may not appreciate the issue or may be too lazy/careless to do the right thing. These days, with so many people working from home, the management oversight and peer pressure typical in corporate office settings are weak or non-existent, so maybe it is worth strengthening the controls by reminding workers to tidy up their workplaces and log off. It's banal, not hard!

The next release of ISO/IEC 27002 will call these "topic-specific information security policies", focusing on particular issues and/or groups of people in some detail, whereas the organisation's "information security policy" is an overarching, general,
Tags: Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.