How to establish an information security policy

Source: Internet
Author: User

Determine the scope of application

A necessary step before developing a security policy is to confirm the scope the policy applies to, for example the whole organization or a single department. Formulating a policy without a clear scope is tantamount to guesswork.

Get management support

No project can advance without management support, and implementing a security policy is no exception. Getting sufficient commitment from management has a number of benefits: it paves the way for the rest of the work, and it shows how much importance the organization generally attaches to security policies. Communication with management is also an opportunity to move the security effort toward a more desirable state.

Conduct security analysis

This step is frequently overlooked, yet it is an important part of formulating the security policy. Its main objective is to identify the information assets that need to be protected and their absolute and relative value to the organization, and to use that information when determining the protection measures. Key issues to consider in this work include what needs to be protected, what threats need to be guarded against, the likelihood of attack, the loss that may occur in an attack, what precautions can be taken, the cost and effectiveness of preventive measures, and so on.

Meet with key personnel

In general, there should be at least some meetings with the technical departments and those responsible for operations. At these meetings they should be briefed on the conclusions reached at the analysis stage, and their agreement should be sought. If other business units fall within the scope of the security policy, they should also be brought into the work.

Formulate a draft policy

Once agreement has been reached on the information gathered within the scope of application and there is sufficient support within the organization, you can begin to write the actual policy. This draft version forms the framework and main content of the final policy and serves as a benchmark for the final assessment and validation effort.

Conduct policy evaluation

Communication with management and the key personnel involved in executing the security policy has already taken place in the earlier steps. In this step the policy is further validated with all of its stakeholders, resulting in a revised, formal version of the policy. There will often be more people involved in this phase, and the support of all relevant personnel should be further sought, at least with sufficient authorization to ensure the implementation of the security policy.

Publish the security policy

After the security policy has been completed, it must also be published effectively within the organization so that its members read and fully understand the content of the policy. Security policies can be widely distributed through the organization's major information dissemination channels, such as its internal information systems, regular meetings, training activities, and so on.

Revise the policy as needed

As the application environment changes, the information security policy must change and develop with it in order to remain effective. Typically, an organization should carry out a policy assessment every quarter and update the policy at least once a year.
