Beyond Policy
The Policy process is just the start of a comprehensive security plan The policy defines the organization’s attitude towards security and makes clear that all members have a part to play in creating and enforcing a suitable culture of security.
The best policy and security functions are to no avail if they are not observed or not used.
Next is the task of converting the policy into practice, which requires an explicit plan.
Identify the assets, tangible and intangible and estimate their criticality and value Assess the threat to those assets Determine the level of acceptable risk Make available the resources to deploy measures to address that level of risk Put in place the training and support necessary to make those measures effective Establish a timetable for a regular review of this process so as to keep up with changing needs in the internal and external environment.
All this leads back into Risk Management and Audit & Assessment.
