
Adapting Best Practice to the Corporate Security Policy
It is unlikely that any given organization will exactly match every Best Practice recommendation. Those recommendations that absolutely cannot be put into use at a company should be documented. Documentation should include:
The reason the objective cannot be met in the environment
The steps taken to mitigate the risk caused by not meeting the objective
The signature of a person of authority who undertakes responsibility for the risk assumed by not meeting the objective.
This information should be made available to both Internal and External Audit,
when requested or when the security staff responds ...