How frequently should the policy for ICT security be reviewed?

2.7k views2 Comments

Sort by:

Sr. Mgr. Enterprise Risk in Manufacturinga year ago

While we are not subject matter experts specific IT / ICT within our company, in general from a governance/policy perspective and best practice it would be common to review policies annually (even though no revisions may be required) or when certain events occur that may trigger a review or update (i.e. org restructure, new internal controls, new procedures, etc.)

Information Security Analyst in Governmenta year ago

Common industry best practice is to review security policies and procedures at least annually. However, organizations should also review and update their policies whenever there are major changes, such as:
- Compliance with new laws and regulations (e.g. recent launch of PCI 4.0, GDPR, new cybersecurity regulations etc..)
- Experiencing a data breach or other security incident
- Adopting new technologies or business processes
- Changes in organizational leadership or structure
- Identification of new security threats or risks

Guidance from NIST as per Special Publication 800-53
- Review and update the access control policy and procedures at an organization-defined frequency
- Develop, document, and disseminate security policies and procedures to relevant personnel
- Ensure security policies and procedures are sufficiently current to accommodate the information security environment and agency mission and operational requirements

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

Do folks think the impact of the social media addiction cases in the state court JCCP and MDL N.D. California will be far and wide, seeping into insurance industry changes as well as technological, or will Section 230 save the day once more for platforms?

The case will settle; zero to minimal impact70%

Yes! But effects and repercussions are unknown30%

Is anyone using a 3rd party Microsoft 365 governance tool, such as CoreView or Rencore? Interested in any thoughts about these tools or other similar.

Compliance with InfoSec standards (SOC 2, ISO/IEC 27000 family, PCI-DSS & more) is crucial for:

Scaling the business32%

Preserving existing deals40%

Business reputation56%

Business continuity37%

Security33%

View Results

How frequently should the policy for ICT security be reviewed?

Sort by:

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

Do folks think the impact of the social media addiction cases in the state court JCCP and MDL N.D. California will be far and wide, seeping into insurance industry changes as well as technological, or will Section 230 save the day once more for platforms?

Is anyone using a 3rd party Microsoft 365 governance tool, such as CoreView or Rencore? Interested in any thoughts about these tools or other similar.

Compliance with InfoSec standards (SOC 2, ISO/IEC 27000 family, PCI-DSS & more) is crucial for:

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go