specific security control standard requirements

August 14, 2023

Assessment item 2 – Security policy and standards

The CISO’s priority is to revise ACME’s enterprise information security policy and specific security control standard requirements. To facilitate this, the CISO has published a strategic security view, which supports ACME’s corporate aspirations. This strategic view reads as follows:

The Information Security division of ACME Widgets Inc. will strive to ensure that all sensitive corporate and customer information is always protected when being sent, received, processed, or stored in any medium as part of any business process. ACME will identify, implement and operate world-class preventative, detective and responsive security controls to always protect our business information. Furthermore, ACME will actively seek to attract and retain appropriate skills and expertise to ensure that all phases of the business systems’ lifecycle are protected, including architecture, design, build, and operations.

The security policy will provide a clear vision of ACME’s commitment to protecting its business information. A security policy explains the “what” of the enterprise security strategy – the senior management expectations of what broad goals ACME will set itself for preventing, detecting and responding to cyber incidents.
