A policy is an aggregate of management intent, directives, rules, and practices, which specifies the correct or expected behavior. It’s written at a broad level and needs other artifacts, such as standards, procedures, and guidelines, for elaboration. Which of the following statements is incorrect? (Wentz QOTD)
A. A policy is always created by senior management only.
B. Standards are normally compulsory within an organization.
C. Policy, standards, procedures, and guidelines can be mixed in one manual.
D. Policy can be used to establish an organization’s information security program.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. A policy is always created by senior management only.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Stakeholders play an important role in developing comprehensive, yet practical, policy. Therefore, it is imperative to remember that policy is not created by management personnel only.
Source: NIST SP 800-12 R1
The following is an excerpt from The Effective CISSP: Security and Risk Management:
Policies play a crucial role in strategic execution. A policy stands for the “intentions and direction of an organization, as formally expressed by its top management.” (ISO 22301) It affects people’s behavior and directs an organization’s operations.
Depending on the intention, some policies are issued to respond to and be compliant with laws or regulations (regulatory policies), while some may be advisory or informative. Besides intention, a policy has a scope and may apply to different audiences or targets in terms of organizational structure, products or services, geographic locations, information systems, or initiatives, etc.
There are three common types of security-related policies. Program policies are used to create programs. Issue-specific policies address specific issues of concern. System-specific policies focus on the protection of systems.
A policy typically comprises fundamental elements such as objectives, scope, and roles and responsibilities, etc. It can be developed with a top-down or bottom-up approach. Either way, however, has to be approved to proceed; that is, before developing the policy document, approval should be granted to proceed. The policy document shall be approved by the policy approval authority to be published and implemented. The policy approval authority is ultimately responsible for subsequent compliance.
Reference
政策是管理意圖、指示、規則和實踐的集合,它指定了正確或預期的行為。 它是在廣泛的層面上編寫的,需要其他工件(例如標準、程序和指南)進行詳細說明。 以下哪個說法是不正確的? (Wentz QOTD)
A. 政策始終僅由高級管理人員創建。
B. 標准通常在組織內是強制性的。
C. 政策、標準、程序和指南可以混合在一本手冊中。
D. 政策可用於建立組織的資訊安全計畫(program)。