Chapter 6. Security Policy Overview

Solutions in this chapter:

▪ The Role of Policy and Procedures in Information Systems Defense
▪ Interpreting Policy as an Auditor
▪ Identifying Preventive, Detective and Corrective Controls
▪ Security Policy Development
▪ Summary

Introduction

Policy protects people and information. Without policy, the organization is like a ship without a rudder. Most critically, policy is the primary guideline against which an audit is conducted: if the policy and procedures are lacking, the audit will also lack rigor.
Numerous examples throughout this chapter are taken from the SANS Security Policy Project (www.sans.org/resources/policies/). These excerpts are used with permission from SANS.
SMART methodology ...

Get The IT Regulatory and Standards Compliance Handbook now with the O’Reilly learning platform.
