Security Policy Library Sample

Each pre-written security policy statement in the library follows the standard format shown below; the parenthetical labels identify each field of the format.

Category: 6.1.2 Information security co-ordination

1. Centralized Information Security (Quick Policy Reference Title)

Policy: Guidance, direction, and authority for all information security activities are centralized for the entire organization in the Information Security Department. (Policy Statement)

Commentary: This policy communicates clearly to all workers that the Information Security Department has final authority over information security matters. Many organizations have internal disputes about who is ultimately responsible for information security. The problem is especially acute for local area networks, personal computers, client-server systems, and other small systems that have largely been managed by user departments rather than by a centralized Information Systems Department. The policy does not imply that the Information Security Department performs all information security work itself; departmental coordinators, local Security Administrators, and others should still be specifically charged with information security duties. To be effective in an age of integrated networks, however, information security policies, standards, architectures, and related infrastructure decisions must be set centrally by an organization-wide information security group, so that no single department can opt out of controls that affect every connected system. (Expert commentary on policy implementation and risk)

Related Policies: "Information Security Management Committee," "Systems Development Conventions," "Requests For Organization Information," and "Network Central Point Of Failure." (Other Related Information Security Policies, with Hyperlink References)

Audience: Management and technical staff (Target Policy Audience)

Security Environments: All (Target Policy Environment)