IT Examiner School
Security Policy: The “Why”
• Security policy
• Short
• Stable
• Supports mission statement
• Establish roles & responsibilities “Authority”
• Approval from highest level of management
• Outline consequences of non-compliance
• Must result in a positive cost benefit!
Security Policy
Security Standards: The “What”
• Content validity measured against security policy
• Set specific requirements/quantify the risk
• Establish
• Key Risk Indicators
• Key Performance Indicators
• Describe the consequence of non-compliance
• Documents may refer to other standards, policies & laws