One Article Review

Source NoticeBored
Identifier 2628026
Publication date 2021-04-13 11:17:11 (seen: 2021-04-13 00:05:31)
Title Policy development process: phase 1
Text On Sunday I blogged about preparing four new 'topic-specific' information security policy templates for SecAware. Today I'm writing about the process of preparing a policy template.

First of all, the fact that I have four titles means I already have a rough idea of what the policies are going to cover (yes, there's a phase zero). 'Capacity and performance management', for instance, is one requested by a customer - and fair enough. As I said on Sunday, this is a legitimate information risk and security issue with implications for confidentiality and integrity as well as the obvious availability of information. In my professional opinion, the issue is sufficiently significant to justify senior management's concern, engagement and consideration (at least). Formulating and drafting a policy is one way to crystallise the topic in a form that can be discussed by management, hopefully leading to decisions about what the organisation should do. It's a prompt to action.

At this phase in the drafting process, I am focused on explaining things to senior management in such a way that they understand the topic area, take an interest, think about it, and accept that it is worth determining rules in this area. The most direct way I know of gaining their understanding and interest is to describe the matter 'in business terms'. Why does 'capacity and performance management' matter to the business? What are the strategic and operational implications? More specifically, what are the associated information risks? What kinds of incident involving inadequate capacity and performance can adversely affect the organization?

Answering such questions is quite tough for generic policy templates lacking the specific business context of a given organisation or industry, so we encourage customers to customise the policy materials to suit their situations. For instance:

- An IT/cloud service company would probably emphasise the need to maintain adequate IT capacity and performance for its clients and for its own business operations, elaborating on the associated IT/cyber risks.
- A healthcare company could mention health-related risk examples where delays in furnishing critical information to the workers who need it could jeopardise treatments and critical care.
- A small business might point out the risks to availability of its key workers, and the business implications of losing its people (and their invaluable knowledge and experience i.e. information assets) due to illness/disease, resignation or retirement. COVID is a very topical illustration.
- An accountancy or law firm could focus on avoiding issues caused by late or incomplete information - perhaps even discussing the delicate balance between those two aspects (e.g. there a
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.