How to Write an Information Security Policy

16.06.2009


7. Specific designation of well-established responsibilities (e.g. the technology department is the sole provider of telecommunications lines)

8. Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)

This list of items will suffice for information security policy completeness with respect to current industry best practice, as long as accountability for prescribing specific security measures is established within the "supplementary documents" and "responsibilities" sections. While items 6 and 7 may contain a large variety of other agreed-upon details with respect to security measures, it is acceptable to keep them to a minimum to maintain policy readability and to rely on sub-policies or supporting documents to include the requirements. Again, it is more important to have complete compliance at the policy level than to have the policy include a lot of detail.

Note that the policy production process necessarily exists outside of the policy document itself. Documentation of policy approvals, updates, and version control should also be carefully preserved and available in the event that the policy production process is audited.
