ABSTRACT

Aside from the original development of security policies, there are many reasons for an organization to add or change one or more security policies.

• Annual review of security policies vis-à-vis the changing security landscape and revised risk analysis: All security policies should be reviewed annually. Considerations should include • Does this policy serve an important purpose (prevention, control, or

recovery)? • Is the goal of the policy still valid? • Is the policy being observed or are there active efforts to get around the policy? • Is this the most effective way to achieve the goal of the policy?