security policy management Archives

security policy development, security policy management

Security Policies, Standards and Procedures: What’s the Difference?

Posted on October 27, 2014 by David Lineman

One of the key challenges to developing effective information security policies is agreeing on a proper nomenclature. Even before writing the first line of a security policy, many organizations get dragged into lengthy discussions regarding the definitions and nuances of these three key elements: Information security policies, standards and procedures. In this article we will […]

Continue reading →

security policy management

Effective Security Policy Management – Part 7

Posted on July 11, 2009 by David Lineman

Part 7. A Written Exception Process It may be impossible for every part of the organization to follow all of the information security policies at all times. This is especially true if policies are developed by the legal or information security department without input from business units. Rather than assuming there will be no exceptions […]

Continue reading →

security policy management

Effective Security Policy Management – Part 5

Posted on May 11, 2009 by David Lineman

Part 5. An Effective Date Range Written information security policies should have a defined “effective date” and “expiration” or “review” date. This is critical so that individuals and organizations know when they are subject to the rules outlined in the policy, and when they can expect updates. The effective dates within your security policies should […]

Continue reading →

employee security policy, security policy management, security policy ownership

Effective Security Policy Management – Part 4

Posted on April 11, 2009April 4, 2022 by David Lineman

4. Targeted User Groups Not all information security policies are appropriate for every role in the company. Therefore, written information security policy documents should be targeted to specific audiences with the organization. Ideally, these audiences should align with functional user roles within the organization. (See Information Security Roles and Responsibilities Made Easy, by Charles Cresson [...]

Continue reading →

ISO 17799 Security, security policy management

Effective Security Policy Management – Part 1

Posted on January 27, 2009April 4, 2022 by David Lineman

How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night? This is the first article in the [...]

Continue reading →

security policy management

About Security Policy University

Posted on January 11, 2005March 28, 2022 by David Lineman

Security Policy University is blog devoted to IT or information security professionals responsible for writing, publishing, maintaining and enforcing information security and data privacy policies. The blog has posts from a variety of experts in the field of information security and data privacy and encourages thoughtful comments. This Information Security Policy University blog is maintained [...]

Continue reading →

Login

Register