A High-Level View of Documentation
A security professional can learn a great deal about an organization by reviewing its strategic plan and examining the company’s policies and procedures. In the best-managed companies, high-level documents such as policies reflect management’s view of the company. Over the last 10 to 15 years of performing security assessments, we’ve found that many companies lack the complete or in-depth policies needed to cover key areas of operation. Policies should exist to cover most aspects of organizational control, since companies have both legal and business requirements to have policies and procedures in place. One example is the Sarbanes-Oxley Act (SOX). This mandate places strict controls on companies and requires them to have policies and procedures in place; companies that are not compliant face fines, and the individuals responsible face possible imprisonment of up to 20 years. Policy should dictate who is responsible and what standards...