How frequently should the policy for ICT security be reviewed?
Sr. Mgr. Enterprise Risk in Manufacturing, 6 months ago
While we are not subject matter experts specific to IT/ICT within our company, in general from a governance/policy perspective and best practice it would be common to review policies annually (even though no revisions may be required) or when certain events occur that may trigger a review or update (i.e. org restructure, new internal controls, new procedures, etc.):
- Compliance with new laws and regulations (e.g. recent launch of PCI 4.0, GDPR, new cybersecurity regulations, etc.)
- Experiencing a data breach or other security incident
- Adopting new technologies or business processes
- Changes in organizational leadership or structure
- Identification of new security threats or risks
Guidance from NIST as per Special Publication 800-53:
- Review and update the access control policy and procedures at an organization-defined frequency
- Develop, document, and disseminate security policies and procedures to relevant personnel
- Ensure security policies and procedures are sufficiently current to accommodate the information security environment and agency mission and operational requirements