bcs-ismp-bk-en-GB March 30, 2010 - 08:51 71
Information Security Framework
such policies to ensure the proposed course of action complies fully with all
employment legislation as well as other relevant national laws.
However, a policy is of little value unless the organisation is prepared to enforce it. Senior management, and those who have to enforce the rules, need to support the processes for dealing with violations. Where violations have not been dealt with appropriately, or have been ignored by line management, that failure should itself be treated as a violation of policy and taken seriously.
Activity 3.2
Miss Peacock has asked you to prepare an end-user code of practice for
GANT. Identify the main areas that you would include in the policy.
INFORMATION SECURITY GOVERNANCE
There is an increasing amount of legislation and regulation that requires senior management to ensure that adequate controls are in place to protect the enterprise's information assets. To fulfil these obligations, senior management needs to understand the current status of existing assurance controls, where such controls are inadequate and how the risk profile of the organisation is changing. The necessary effort can then be made to improve security mechanisms and manage the risk effectively. This section covers the principles of the governance processes that should be implemented to enable this to happen and to provide senior management with sound and up-to-date information on the state of assurance within the enterprise.
LEARNING OUTCOMES
The intention of this section is to provide the reader with the basic knowledge needed to understand the principles of information assurance governance. On completing it, the reader should be able to explain and justify the main concepts, and to establish procedures and draft documents that meet the general requirements in the following areas.
Review, evaluation and revision of security policy
The production of policies, standards, procedures and guidelines was covered in the previous section, but to ensure that they remain current, relevant and effective they should be reviewed regularly. Reviews should take place after any significant change to systems or resources, and as part of a regular review schedule (e.g. annually).
A management review process should be established to ensure that policy
reviews take place in an organised and timely manner. The review schedule