The greatest challenge with an Information Security / Cyber Security policy is ensuring that it stays current and maintained. Most Organizations succeed in publishing a set of policies; keeping them current is a different ballgame altogether. The key to overcoming this challenge is delegating the responsibility for authoring, reviewing and maintaining the policy content to the respective stakeholders across the business units.

That responsibility should include keeping the respective stakeholders aware of emerging legislative and regulatory requirements, and of major incidents that have impacted similar Organizations and are likely to occur at their own. Besides these, the stakeholders should have good visibility into, and understanding of, their Organization's granted exceptions, issues, identified risks, and the treatment activities in their respective policy area. This in turn requires the respective stakeholders to be directly or indirectly involved in reviewing submitted policy exceptions, understanding the issues or potential risks, and participating in risk treatment decisions. These stakeholders should also be able to continually evaluate the risk tolerance in their respective areas. They should take on the responsibility of reviewing and revising the policy content periodically, adding any additional security controls that become necessary.

Additionally, the drafted or revised policy should be reviewed by peers, supervisors and subordinates who are part of the same ecosystem. Finally, the GRC lead has the responsibility to highlight whether the individual policies and/or controls are comprehensive and realistic to adhere to and implement. Policies that are vague and/or too stringent result in greater non-conformance and potential risks to the Organization.
Ensuring that the Information Security policies are maintained and current