As I mentioned on the blog yesterday, we are working our way systematically through the suite of ~70 information security policies, making sure they are all up to scratch.
For context, the suite consists of 60-odd topic-based policies, plus an overarching high-level Corporate Information Security Policy, plus a handful of ‘acceptable use policies’ which are really guidelines with a misleading name.
What we have here is the bare bones of a typical policy pyramid: policies supported by corporate standards, guidelines and procedures, with, of course, stacks of awareness and training material beneath.
The 60+ topic-based policies cover a wide range of information risk and security topics such as:
- Awareness and training;
- Identification and authentication;
- Access control;
- Insider threats;
- Whistleblowing (new!);
- IoT security.
Looking at the existing cross-references, I’ve realized that all 60+ policies need to refer to the overarching Corporate Information Security Policy and almost all refer to the policy on information risk management. Information governance, information ownership and accountability, compliance and assurance policies feature in most of them too. Several refer to policies on general/infrastructure controls such as information classification and security awareness. In other words, I think I’ve stumbled across a 3-layer structure within the policy suite, in addition to the policy pyramid above. It’s not exactly clear yet, though.