6.3. A Living Document: The Security Policy Lifecycle

As with many of the policies that you deal with day to day as part of your job, the security needs of your organization continue to adapt and evolve over time. In some cases, new business initiatives drive security concerns. In other cases, new threats determine how you adapt security. Regardless of the reason, your security policies need to adapt, if only to add new policies when the security landscape changes or to remove old ones that no longer apply to your business needs.

You might think that you should change policies every time that a new threat comes to your attention. Nix that idea: end users and the people who must implement those policies will be hesitant to change frequently, and they will likely be slow to adopt new changes.

Instead, we recommend that you

  • Make major policy changes only when absolutely necessary.

  • Roll out new policies only when you're sure that the organization needs them, and they'll stay current and applicable for the foreseeable future (in other words, you don't think that you will be changing them again next week).

6.3.1. Up to date

Keep tabs on the IT industry and, more specifically, the security industry. Monitoring new types of products, staying up to date by reading trade journals, and speaking regularly with peers in other organizations can help you stay on top of new developments in the security field.

While hackers exploit new classes of vulnerability and develop new types of attacks, ...
