A Practitioner's Approach for Developing Information Security Policy

An institution developing its information security policy by basing it on lofty ideals and stringent standards may demand far more than its staff is capable of delivering, which risks frustrating staff to the point of resistance, outright rebellion, or clandestine noncompliance. This strategy can also create a risk of legal liability, as an institution may instantly place itself out of compliance with its own documented policy. This session will outline a strategy for phasing in policy provisions, inclusive of key executive, managerial, and technical staff members, and provide a template of policies, standards, and procedures.