
Harold F. Tipton and Micki Krause

"Information Security Management Handbook, Sixth Edition, Volume 2"

Such an example might
be that you need to develop security policies that are consistent with the culture, because to do
otherwise puts you in danger of being either overly restrictive or not sufficiently diligent. Security
policies and practices must blend with the culture rather than attempt to change it, unless such
a change is necessary to reduce or eliminate a legitimate risk.
Some security chiefs find it useful to assemble a steering committee or program management
office involving key personnel from around the organization willing to serve. If you choose this
management strategy, it should be the first thing that you do before framing any initiatives. Such
an advisory group can be a powerful ally but it will take some time to get it up and running.
A key to success for a steering committee or advisory board is to ensure that they have real work
to do and real decisions to make. For example, you can use such a body to bless your drafts of
organization security policies, thus ensuring that your policy framework is both widely accepted
and aligned with the interests of key players in the organization. A steering or advisory committee
is a double-edged sword that can hurt your efforts as well as help them. If you choose to use one,
assemble and nurture it with great care. Communicate often and effectively with its members and
never assume that everyone is automatically on the same page with you or that you can use the
committee to "rubber stamp" anything.

