Educause Security Discussion mailing list archives

Re: FW: process for creating Information security policies and guidelines


From: "A. Harry Williams" <Harry () MARIST EDU>
Date: Mon, 12 Sep 2011 17:59:46 -0400

On 9/12/2011 4:28 PM, Valdis Kletnieks wrote:
On Mon, 12 Sep 2011 15:00:03 CDT, Drew Perry said:

*However, the best "rider" we could have thought to tack on was the ability
of the university president to approve changes or additions once the
policies were approved, without the need of the board's approval. Talk about
a time- and headache-saver.*

Like I said in my posting - we did that with our AUP in the late 90s, and it's
only needed 2 revs (the most recent in 2002).  Having the nuts-n-bolts in a
'Guidelines' has been a lifesaver - probably the single most brilliant thing
Randy has ever come up with. ;)

We also added a "rider" to deal with 1c on your list,

1c - Things that get in the way - places where the policy has actively impeded
legitimate business processes.

so we have things like:

The CISO with the coordination, advice and consent of the Executive Vice
President and Chief Information Officer deems it necessary for the
efficient and effective operation of the College's information resources,

The CISO is directed to do so by the College President.

and for 1a - new technologies, we made sure every list included something like "or other technology" or stated that the list was not exhaustive.

/ahw

