How frequently should the policy for ICT security be reviewed?

Information Security Analyst in Government, 6 months ago
Common industry best practice is to review security policies and procedures at least annually. However, organizations should also review and update their policies whenever there are major changes, such as:
- Compliance with new laws and regulations (e.g. the recent launch of PCI 4.0, GDPR, new cybersecurity regulations, etc.)
- Experiencing a data breach or other security incident
- Adopting new technologies or business processes
- Changes in organizational leadership or structure
- Identification of new security threats or risks

Guidance from NIST as per Special Publication 800-53:
- Review and update the access control policy and procedures at an organization-defined frequency
- Develop, document, and disseminate security policies and procedures to relevant personnel
- Ensure security policies and procedures are sufficiently current to accommodate the information security environment and agency mission and operational requirements
Sr. Mgr. Enterprise Risk in Manufacturing, 6 months ago
While we are not subject matter experts specific to IT / ICT within our company, in general, from a governance/policy perspective and best practice, it would be common to review policies annually (even though no revisions may be required) or when certain events occur that may trigger a review or update (i.e. org restructure, new internal controls, new procedures, etc.).
