Video Description

This lesson covers how to manage the policy lifecycle. Chances are good that when you assume the role of CISO at an organization, good policies are already in place. Effective management of the policy lifecycle, from creation to retirement, involves:
- Reviewing the existing policies
- Consolidating policies where they overlap

Policy review should be regularly scheduled and executed at least once a year. Policy review should also be executed in the event of:
- Changes to the management structure
- Changes to the network infrastructure
- Major upgrades
- Acquisitions

Reviewers and approvers of policy must be identified:
- Use the information security team, SMEs, auditors, legal, etc.
- Determine who the reviewers and approvers should be for each update
- Remember that ultimately it is up to the system owner to approve
- Notify reviewers beforehand that they will be asked to provide input
- Provide an approximate schedule if possible

When conducting reviews, you must:
- Carefully review the materials that were sent
- Determine whether the content and wording are acceptable
- Be careful not to base an approval decision on whether or not the company is currently in compliance with the policy

Approval should be based on the appropriateness of the requirements.

