84 Managing Network Vulnerability Assessment
as those discussed in the NIST Special Publication 800-12, “An Introduction
to Computer Security.”
The Information Security Policy should be approved by management,
published, and communicated, as appropriate, to all employees. It should
state management commitment and set out the organization’s approach to
managing information security. As a minimum, the following material should
be included:
- A definition of information security
- A statement of management intent, supporting the goals and principles of information security
- A definition of general and specific responsibilities
- References to documentation that may support the policy
The Asset Classification Policy is developed to maintain appropriate pro- ...