Managing security policies
Implementing security policies is not the end of the work. Governance is needed to manage the policies once they are in place, and it is required on two levels:
- The security policies themselves: auditing them against the compliance frameworks the business has to adhere to.
- The technical implementation of the security policies: keeping monitoring up to date and making sure that every asset is actually tracked against the policies.
The first level is the domain of the people responsible for security governance in a business, typically a Chief Information Security Officer (CISO) or Chief Information Officer (CIO). They set the direction for security policies and make sure that the business complies with its security strategy and with the applicable industry and company frameworks. The CISO or CIO is also responsible for obtaining assurance through internal and external audits.
Level two is more about security management, concerning how to deal with security...