Shulou(Shulou.com)06/01 Report--

Determine the scope of application

A necessary step before formulating a security policy is to confirm the scope of the policy's application, such as in the entire organization or in a department. To formulate a strategy without a clear scope is tantamount to aiming at nothing.

Get management support

In fact, no project can be promoted without the support of management, and so is the implementation of security policy. Getting enough commitment from management first has many benefits, paving the way for subsequent work, and understanding the overall importance the organization attaches to security policy. and communication with management is also an opportunity to further lead security work to a more ideal situation.

Conduct a security analysis

This is an often overlooked work step and an important step in security policy development. The main objective of this step is to identify the information assets that need to be protected and their absolute and relative value to the organization, and the information obtained by this step needs to be taken into account when determining protection measures. The key issues to be considered in carrying out this work include what needs to be protected, what threats need to be protected, the possibility of being exposed, the losses that may be caused in the event of a crime, what preventive measures can be taken, the cost and effectiveness assessment of preventive measures, and so on.

Meet with key personnel

Generally speaking, at least some meetings should be held with the people in charge of the technical department and the business department, at which they should be inculcated with the conclusions reached during the analysis phase and won their approval. If there are other business units that fall within the scope of the security policy application, you should also allow them to join the job.

Formulate a draft strategy

Once you have agreed on the information collected within the scope of application and have sufficient support within the organization, you can begin to establish a practical strategy. This version of the strategy will form the framework and main elements of the final strategy and serve as a benchmark for final evaluation and validation.

Carry out strategy evaluation

Previously, we have communicated with the management and the key personnel related to the implementation of the security policy, and this part of the work further confirms the security policy with all stakeholders on the basis of the previous work, thus resulting in a revised formal version of the policy. At this stage, more people tend to be involved, and the support of all relevant personnel should be further enlisted, or at least sufficient authorization should be obtained to ensure the implementation of security policies.

Publish security policy

When the security policy is completed, it also needs to be successfully published in the organization, so that the members of the organization can read and fully understand the contents of the policy. Security policies can be widely distributed through the organization's main information release channels, such as the organization's internal information systems, regular meetings, training activities, and so on.

Revise the strategy as needed

With the change of the application environment, the information security strategy must change and develop in order to continue to play a role. Typically, the organization should conduct a policy review once a quarter and update the policy at least once a year.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.