Educause Security Discussion mailing list archives

Re: Using ISO 27002 as your Official Policy?


From: Greg Schaffer <newtnoise () GMAIL COM>
Date: Tue, 18 Jan 2011 19:29:51 -0600

Or...you can have a high level policy, a mid level plan, and individual
departmental procedures to comply with the high level policy.  The plan
bridges the procedures (many) to one policy.

Greg

On Tue, Jan 18, 2011 at 4:08 PM, Stewart James <Stewart.James () vu edu au> wrote:

 Hi Daniel,



If memory serves correctly policies can be layered. So in theory you can
have a high level policy, then a faculty/department policy and then even a
system specific policy. This requires that some central authority take
responsibility for managing and even auditing in a decentralised
environment.



Cheers,



Stewart



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Sarazen, Daniel
*Sent:* Wednesday, 19 January 2011 4:37 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Using ISO 27002 as your Official Policy?



Hi All.



Have any of you started to use ISO 27002 as official policy over IT
controls?



If so, how did you handle the controls regarding Internal Organization
(6.1) ? As decentralized as we are, we’re finding complications and I’d be
appreciative if anyone who’s solved this problem already could share their
approach/solution.



Thanks,








:: *Daniel Sarazen*, CISSP, CISA

:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558

:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu








