Determine the scope of application
A necessary step before developing a security policy is to confirm the scope it applies to, for example the whole organization or a single department. Formulating a policy without a clear scope is tantamount to guesswork.
Get management support
No project can move forward without management support, and implementing a security policy is no exception. Securing sufficient commitment from management brings several benefits: it paves the way for the rest of the work, it shows how much importance the organization as a whole attaches to security policy, and the communication with management is itself an opportunity to move the security effort toward a more desirable state.
Conduct security analysis
This step is frequently overlooked, yet it is an important part of security policy formulation. Its main objective is to identify the information assets that need protection and their absolute and relative value to the organization; the information obtained here informs the choice of protective measures. Key questions to consider include: what needs to be protected, what threats must be guarded against, how likely an attack is, what loss an attack could cause, what precautions can be taken, and the cost and effectiveness of those precautions.
Meet with key personnel
In general, there should be at least a few meetings with the technical departments and those responsible for operations, at which the conclusions reached in the analysis stage are presented and their agreement is sought. If other business units fall within the scope of the security policy, they should also be brought into the work.
Draft the policy
Once agreement has been reached on the information gathered within the scope and there is sufficient support within the organization, drafting of the actual policy can begin. This draft forms the framework and main content of the final policy and serves as the baseline for the subsequent evaluation and validation work.
Conduct policy evaluation
Management and the key personnel involved in executing the security policy have already been consulted; in this phase the draft is validated further with all stakeholders, resulting in a revised, formal version of the policy. More people are usually involved at this stage, and the support of all relevant personnel should be sought again, with at least enough authorization to ensure the policy can be implemented.
Publish the security policy
Once the security policy is complete, it must also be published effectively within the organization so that its members read and fully understand its content. The policy can be distributed widely through the organization's main information channels, such as internal information systems, regular meetings, and training activities.
Revise the policy as needed
As the environment changes, the information security policy must evolve to remain effective. Typically, an organization should assess its policy every quarter and update it at least once a year.