A good rule of thumb is this: Information security policy documents should be updated at least once a year, or whenever a major change occurs in the business that would impact the risk of the organization. Examples of these changes could be a merger, a new product or line of business, a major downsizing or […]
Part 6. A Verified Audit Trail Security policy documents will not be effective unless they are read and understood by all members of the target audience intended for each document. For some documents, such as Internet Acceptable Use or Code of Conduct, the target audience is likely the entire organization. Each policy document should have […]
Legal precedents are beginning to dictate a new standard for the notification of policy changes to your customers and employees. In the “old days” organizations would post changes to information security policies on the corporate intranet, and perhaps even notify employees that these changes occurred via email or some other means. However, in legal actions […]