An Introduction To
Information, Network and Internet Security


Things to Watch

There are a number of failings that are seen time and time again for this section. Often an organisation will publish the paper form of the policy and send it as a desk drop to all staff; this does not guarantee that anyone reads it. One cannot implement adequate security by sitting in an ivory tower and simply issuing diktats to staff. Staff need to be persuaded to comply, and to see that a secure working environment is in their own best interests as well as the organisation's. The second major failing is a failure to ensure that non-permanent staff (such as contractors) have the same level of exposure to the requirements of information security as permanent staff. Non-permanent staff are often not handled by the corporate Personnel Department but within the management chain, and this requirement is overlooked. The other failing often seen is a failure to review the policy regularly for continued relevance. The policy should be reviewed on a yearly basis, and also after any technology change or serious security incident. Proof of each review should be evident in the document control section of the policy.


