ABSTRACT

The development of effective information security policy is essential to any information security program. The legal pitfalls associated with ineffective policy can undermine even the most well-intentioned process. This chapter provides an overview of the development of information security policy: the investigation, analysis, design, implementation, and maintenance and change of the policy documents. It also examines what effective policy requires: that the developed policy be distributed, read, understood, and agreed to by employees, and uniformly applied by the organization, so that it stands up to external scrutiny and potential legal challenge.