30 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
there be a proactive and consistent awareness program that extends beyond the initial employee indoctrination efforts. Promotion of policies via memos, e-mails, newsletters, banners, senior management presentations, town hall meetings, and so forth, can be used.
Be Reviewed Regularly: As the organization changes, the policy will need to change and grow to support those changes. All policy changes must be documented to include who approved the change, when, and what caused the change. Reasons for changing policies include changes in threats and vulnerabilities, mergers, acquisitions, testing and exercise results, and so forth. Routine reviews should be scheduled at least annually.
Track Exceptions: Although the entire organization is supposed to comply with the organization's policies, there are situations where exceptions must be made. Whenever exceptions are made, the following must be documented: the exemption, justification and time period for the exemption, who authorized the exemption, and when. This documentation needs to be centrally located with the enterprise's policy documents.
Create One Central Location: The organization should have one central location where all policies are maintained so everyone can access them. This supports the requirement that all employees should be aware of an organization's policies.
Leverage Technology and Expertise: Enterprise security policies should always leverage two things: technology and the experience of other experts, e.g., the previously mentioned use of PMI for project management.
Leveraging technology to automate manual processes and procedures can be either very cost-effective or not. Having technology that replaces the manual updating of each computer by pushing down patches and antivirus updates for a very large, dispersed system should be considered when building a security policy. But not all technology can be leveraged without the additional implementation of more controls, like using an automated tool for system personnel to document and report their security control status, when the system personnel do not understand security. Another example is stating a policy that everyone will use smartcards for system access, and when smartcards are deployed the systems are not configured with smartcard readers. Do leverage technology, but ensure that it is practical and not vulnerable. Also be aware of what will have to be done when established enterprise security policies are confronted with technology inherited from acquisitions and mergers. Integration of old and new technologies can be very expensive, and planning the transition of the two security policies can be very complicated.
Leveraging the expertise of others does not specifically mean hiring an expert. Remember the policy for a specific enterprise system must be tailored to each organization, but the ISSMP should take advantage of the examples that have already been proven successful by others. As previously mentioned, other security experts have contributed their experiences, so ISSMPs do not have to make the same costly mistakes made previously. They have provided their knowledge, recommendations,