“The organisation” certifies that, through its director, the security of information systems and networks is vital to its operation, and even its survival. Indeed, the availability of certain data or certain tools, the non-disclosure of certain information to third parties or the impossibility of modifying certain data is crucial for “the organisation”.
As a consequence, the management is introducing a document detailing the security policy to be respected within “the organisation”. The management therefore undertakes to support any initiatives which fall within the scope of this document and to make available the resources necessary for their performance, where financially possible.
All employees must also support this process by:
To ensure that the applicable security policies and procedures are known to all concerned, they should be posted up in the common areas of the premises and distributed by the management.
Specific geographical locations may be indicated such as “secretariat” or “reception hall”. Similarly, more specific indications about people may be mentioned.
If the security policy includes confidential information, a more slimmed-down version should be created for public consumption, while the full version should remain in the hands of the management and specific relevant parties (IT and owners of the data).
This document (policies and procedures) is reviewed each year by the management, in association with the persons directly involved in security management.
The responsibility for this review lies with the management. This review is intended to verify that the content of the document still meets the requirements of “the organisation” in terms of IT security.
The following, in particular, should be performed:
The persons responsible for the review may be mentioned more specifically. Ideally, the occasion giving rise to the review should also be stated, as well as how the persons responsible were notified. It is recommended here to choose a date which falls within a generally quiet period, crucially to avoid this review being cancelled for operational reasons.