The objective of the Information Security policy is to articulate the Organization’s aspirations and goals at a strategic level. Under each policy, a set of controls may outline the means to achieve these objectives. A recommended approach when publishing the Information Security policy is to ensure that every user within the Organization acknowledges, reads, understands, and complies with it. Despite these efforts, instances of policy non-compliance are inevitable.
Implementing a formal process that encourages users to identify and report policy exceptions is a more effective strategy for uncovering broader instances of policy non-compliance. Such a process helps in recognizing non-compliance issues that might otherwise be difficult to pinpoint through formal assessment and analysis alone. Moreover, it facilitates a proactive approach to maturing cyber security.
Following this, the Policy owner ought to review every submitted policy exception to assess whether it poses potential risks that necessitate an appropriate treatment plan. These exceptions might also highlight areas for potential amendments or revisions to the Policy. It’s important to note that policy exceptions should only be granted for a limited period of time; allowing them indefinitely is not advisable.