How To Develop Information Security Policies
Prerequisites
There are no prerequisites for this course.
Follow-On Courses
There are no follow-ons for this course.
This course is not currently offered by Global Knowledge. Information here is provided for reference only.
CSI Members:
Please call 1-800-COURSES ext. 7072 to register for this class at the member price of $845.
Note: Please have your member number available.
Learn how to tie security goals to business objectives. Review the key elements that form the foundation of an effective set of policies and procedures. We will critique examples of existing information security policies and identify pitfalls to avoid. Your instructor will lead a number of exercises that allow attendees to draft an information protection policy statement, an information security mission statement, and an information security procedure table of contents. You'll explore the creation of a review panel for the documents and how to obtain management support for the completed documents.
Course Outline
1. Getting Started
The development of enterprise-wide policies and procedures should be managed like any other project. We will examine each of the phases of a typical project development life cycle (analysis, construction, test, production and maintenance) and what the deliverables are for this project. We will identify where to obtain the background information needed to begin the project. Finally, we will establish definitions of policy, procedure, standard, guideline, and regulation.
2. Project Scope Management
This module covers the processes required to ensure that the policy and/or procedure development project includes all the work required, and only the work required, to complete this specific project. We will review the contents of project scope statements, and then the attendees will assemble into their groups and create a scope statement for their project. When the drafts are completed, the group will critique each of the scope statements.
3. Policy Statement Development
We will examine the key components of an effective policy statement and identify key pitfalls to be on the alert for. Using a policy development checklist, we will examine existing policy statements and critique them for effectiveness. Using the information presented, the attendees will form work groups and will draft an information protection policy that will be critiqued by the other groups.
4. Information Security Policy
Using industry-accepted standards, we will identify what key items should be included in an information security policy statement. We will address the enterprise's definition of information security, management's intentions, explanation of requirements and laws, definition of general and specific goals, and the process for reporting security incidents.
5. Establishing Review Teams
Since every document that is published will have to be reviewed for form and content, we will examine the methods used to get the document you create reviewed, readable and ready for publication. We will explore the concept of a core team and a support team, identifying common problem areas to avoid.
6. Gaining Senior Management Support
Even though one group of senior management has been charged with implementing the information security policies and procedures document, much of senior and middle management may be unaware of this mandate. We will identify key elements in making your document marketable across all management groups and to the employees at large.



