You are the CISO of a direct bank based in Taiwan that relies entirely on internet banking. You are developing the information security policy to build a policy framework for related supporting policies, and you are considering its objectives, scope, and roles and responsibilities. Which of the following is the best item to include in the policy scope?
A. Levels of data sensitivity
B. Senior management
C. Stakeholders covered by the policy
D. Confidentiality, integrity, and availability
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Stakeholders covered by the policy.
A policy expresses management intent; it shapes people’s behavior. Objectives, scope, and roles and responsibilities are the most fundamental policy elements.
A policy has a scope and applies to different audiences or targets. Some policies are organization-wide, while others are function or department-based. Its scope can also be defined in terms of organizational products or services, geographic locations, information systems, and so forth.
A policy can be developed top-down or bottom-up; either way, it has to be approved before work proceeds and again before it is put into effect. Before developing the policy document, approval to proceed should be granted. The policy document shall be approved by the policy approval authority before it is published and implemented. The approval authority is ultimately responsible for subsequent compliance.
- It is common to define the scope of an information security policy in terms of the stakeholders it covers, which is why C is the best choice.
- Senior management is an audience or an approval authority rather than a scope item; it may be delegated as the approval authority for certain types of policy.
- Confidentiality, integrity, and availability are security objectives, not scope elements.
- Levels of data sensitivity for asset classification may be part of the policy content itself rather than its scope.