CASES.LU

Knowhow

Security Policy – Security policy

Management commitment

“The organisation” certifies that, through its director, the security of information systems and networks is vital to its operation, and even its survival. Indeed, the availability of certain data or certain tools, the non-disclosure of certain information to third parties or the impossibility of modifying certain data is crucial for “the organisation”.

As a consequence, the management is introducing a document detailing the security policy to be respected within “the organisation”. The management therefore undertakes to support any initiatives which fall within the scope of this document and to make available the resources necessary for their performance, where financially possible.

All employees must also support this process by:

  • familiarising themselves with the content of the policies applicable to their activities,
  • applying the policies within their activities, keeping themselves informed about any developments to which they may be subject,
  • notifying their colleagues and external contacts of the rules applicable to them,
  • verifying the suitability of the security procedures in their day-to-day activities and putting forward any suitable improvements.

To ensure that the applicable security policies and procedures are known to all concerned, they should be posted up in the common areas of the premises and distributed by the management.

Specific geographical locations may be indicated such as “secretariat” or “reception hall”. Similarly, more specific indications about people may be mentioned.

If the security policy includes confidential information, a more slimmed-down version should be created for public consumption, while the full version should remain in the hands of the management and specific relevant parties (IT and owners of the data).

Review and assessment

This document (policies and procedures) is reviewed each year by the management, in association with the persons directly involved in security management.

The responsibility for this review lies with the management. This review is intended to verify that the content of the document still meets the requirements of “the organisation” in terms of IT security.

The following, in particular, should be performed:

  • checks that the procedures set out herein are effectively applied;
  • take stock of the security events which have taken place (analysis of audits, events logs, incidents and associated corrective measures);
  • checks that any changes which have taken place within “the organisation”, be they technical or structural, do not require any adaptation of the policies (this would constitute a preventive action);
  • organisation of the implementation of any amendments which may appear necessary;
  • communication of the results of the review to staff.

The persons responsible for the review may be mentioned more specifically. Ideally, the occasion giving rise to the review should also be stated, as well as how the persons responsible were notified. It is recommended here to choose a date which falls within a generally quiet period, crucially to avoid this review being cancelled for operational reasons.

Table of Contents