Relationships – Part 1
Did someone say relationships define life? Well, in the context of Information Risk Management (IRM) they would. Do you agree? Let's see.
We have all seen the extensive IT policies that companies come up with. Some of them are very pointed, e.g. a Clean Desk policy, while others are broad in nature, e.g. a Privacy policy. For starting points on what policies should look like, the SANS Institute has a very useful section in its resources area.
Most of these policies (especially the external facing ones) have passed through an array of reviews by legal and other internal folks.
Yet they do have to be refreshed. Certain organizations have become good at modifying and updating these policies on a frequent basis. Others continue to live in the old world: last updated in 2004! Yes, it's true. It exists. Here's a radical thought: do we really need all these policies?
Apart from serving the real-world task of "educating" the population with guidelines, policies serve as anchors that hold the organization at a uniform level. For example, two companies in different industries may have a similar policy around 'encryption of data' for communications that go over partner networks. So overall the answer would still be yes, we need policies. However, let's pause and think about another point.
What good is a policy if there isn't any way to determine that the policy is actually being followed throughout the organization? Is there any reporting on the effectiveness of the policy? The real question is this: "Is there a control or a set of controls that guarantees the effectiveness of the policy?" Also, doesn't policy reporting depend on the reporting from these built-in controls?
Simply put: what is the relationship between the policy and the stated control? Also, are there controls that have nothing to do with policies? I would surely like to know about those.
More in Part 2!
