As I mentioned on the blog yesterday, we are working our way systematically through the suite of ~70 information security policies, making sure they are all up to scratch.
For context, the suite consists of 60-odd topic-based policies, plus an overarching high-level Corporate Information Security Policy, plus a handful of ‘acceptable use policies’ which are really guidelines with a misleading name.
We have here the bare bones of a typical policy pyramid: policies at the top, supported by corporate standards, guidelines and procedures and, of course, stacks of awareness and training material beneath.
The 60+ topic-based policies cover a wide range of information risk and security topics
such as:
- Awareness and training;
- Identification and authentication;
- Access control;
- IPR (intellectual property rights);
- BYOD;
- Insider threats;
- Whistleblowing (new!);
- IoT security;
- Assurance.
Looking at the existing cross-references, I’ve realized that all 60+ policies need to refer to the overarching Corporate Information Security Policy, and almost all refer to the policy on information risk management. The information governance, information ownership and accountability, compliance and assurance policies feature in most of them too. Several refer to policies on general/infrastructure controls such as information classification and security awareness. In other words, I think I’ve stumbled across a 3-layer structure within the policy suite, in addition to the policy pyramid above: the overarching policy at the top, a small set of foundational policies that almost everything else depends on, and the topic-specific policies beneath them. It’s not exactly clear yet, though.