Security Basics mailing list archives

Re: Mandate for Security forum


From: Mani Akella <mani () kidatwork com>
Date: Mon, 30 Jul 2012 11:49:25 -0400

Hi Tore,

One thing I can validate is that each organization has its own special needs, requirements and expectations that will 
make working out of a template an "interesting" task.

In my own experience, the following steps, followed in order, have allowed me to come up with a mandate and policy 
space that stay and grow in the organization, instead of dying a shorter-than-average corporate death.

1) (and this needs repetition till everyone is sick of you :)  ) - Invite representatives from all areas of the 
business, even those that do not have any seeming relation to the effort.
Have them provide input and understand expectations as well as requirements.

2) Share drafts and have everyone provide written inputs (even if they have nothing to add/subtract, have them say so 
in writing/email)

3) Make everyone signatories - or better, owners - of the final draft.

So now, pointers to the mandate:

The business of the team is to 
        a) provide appropriate and relevant guidance on how to reasonably protect the information assets of the 
organization.
        b) be resourceful and creative in the way they allow authorized users appropriate access while ensuring no 
access for everyone else
        c) understand the business of the organization properly so that they can model InfoSec to be effective for the 
organization
        d) be owners of the responsibility of InfoSec, so that the rest of the organization can focus on their own 
areas of work.

Information Security is always about effective business rules, not the technology or toys. The rules will provide 
guidance and direction that will help drive the correct technology choices.

Hope this helps.

- Mani


 

On Jul 28, 2012, at 4:53 PM, sikkoor () gmail com wrote:

Hello,
I have responsibility for security in a medium-sized company.
We have recently established an information security management system which is based on ISO 27001. As part of this 
work it was decided that we should establish a security forum consisting of employees from different departments.

I am now responsible for writing a mandate for the Security forum :( Although I have been working on information 
security for a while, I honestly do not know where to start from.

Have any of you been out in similar work before? Can anyone give me some tips about what such a mandate should look 
like?

I appreciate all your help.

Thanks in advance.

With friendly greetings.

Tore.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


