One Article Review

Source: NoticeBored
Identifier: 2664448
Publication date: 2021-04-19 14:51:35 (viewed: 2021-04-19 03:05:29)
Title: Policy development process: phase 2
Text:

Today we completed and published a new "topic-specific" information security policy template on clear desk and screen.

Having previously considered information risks within the policy scope, writing the policy involved determining how to treat the risks and hence what information security or other controls are most appropriate. Here we drew on guidance from the ISO27k standards, plus other standards, advisories and good practices that we've picked up in the course of ~30 years in the field, working with a variety of industries and organizations - and that's an interesting part of the challenge of developing generic policy templates. Different organizations - even different business units, departments, offices or teams within a given organization - can take markedly different attitudes towards clear desk and screen. The most paranoid are obsessive about it, mandating controls that would be excessive and inappropriate for most others. Conversely, some are decidedly lax, to the point that information is (to my mind) distinctly and unnecessarily vulnerable to deliberate and accidental threats. We've picked out controls that we feel are commonplace, cost-effective and hence sensible for most organizations.

COVID19 raises another concern, namely how the risks and controls in this area vary between home offices or other non-corporate 'working from home' workplaces, compared to typical corporate offices and other workplaces. The variety of situations makes it tricky to develop a brief, general policy without delving into all the possibilities and specifics. The approach we've taken is to mention this aspect and recommend just a few key controls, hoping that workers will get the point.

Customers can always customise the policy templates, for example adding explicit restrictions for particular types of information, relaxing things under certain conditions, or beefing up the monitoring, oversight and compliance controls that accompany the policies - which is yet another complicating factor: the business context for information security policies goes beyond the written words into how they are used and mandated in practice.

Doing all of this in a way that condenses the topic to just a few pages of good practice guidance, well-written in a motivational yet generic manner, and forms a valuable part of the SecAware policy suite, explains the hours we've sunk into the research and writing. Let's hope it's a best seller!

