Reviewing your security policy
Perhaps the first question should be—”Do you even have a security policy in place?” Even if the answer is “Yes,” you still need to continue asking these questions. The next question is—”Do you enforce this policy?” Again, even if the answer is “Yes,” you must follow up with—”How often do you review this security policy, looking for improvements?” OK, now we’ve got to the point where we can safely conclude that a security policy is a living document—it needs to be revised and updated.
Security policies should include industry standards, procedures, and guidelines, which are necessary to support information risks in daily operations. These policies must also have a well-defined scope.
It is imperative to understand the scope of applicability of the security policy. The policy should state the area(s) to which it can be applied.
For example...