A consistent set of policies and supporting documents should be developed to define the organization’s approach to security, with support from all levels of management in the organization.
These policies should be made available to customers and users, and compliance with them should be referenced in all SLRs, SLAs, contracts and agreements. The policies should be authorized by top executive management within both the business and IT, and compliance with them should be endorsed on a regular basis. All security policies should be reviewed and, where necessary, revised at least annually.
The overall Information Security Policy should consist of a number of sub-components or sub-policies, covering:
* The use and misuse of IT assets
* Access control
* Password control
* Information classification
* Document classification
* Remote access
* Supplier access
* Asset disposal.