Developing New Information Security Policies | CISM Exam Answer | ISACA

Best Approach for Developing New Information Security Policies


Question

Which of the following is the BEST approach for an information security manager when developing new information security policies?

Answers

Explanations



C.

When developing new information security policies, an information security manager should take a comprehensive approach to ensure that the policies align with organizational objectives and effectively address risks.

Option A suggests creating a stakeholder map. This approach can be helpful, as it identifies and prioritizes the stakeholders who will be affected by the policies. However, it is not sufficient on its own, as it does not provide guidance on the content of the policies.

Option B suggests referencing an industry standard. This approach can be useful as industry standards provide best practices for information security policies. However, blindly adopting an industry standard without considering the specific needs and risks of the organization can result in policies that are not effective or practical.

Option C suggests establishing an information security governance committee. This approach can be beneficial as it ensures that the policies are developed in collaboration with representatives from different areas of the organization. However, it may be time-consuming to establish such a committee, and it may not be feasible for smaller organizations.

Option D suggests downloading a policy template. This approach can be risky as it may not address the specific needs and risks of the organization, resulting in policies that are ineffective or incomplete.

Therefore, the best approach for an information security manager when developing new information security policies is to take a comprehensive approach that involves:

  1. Understanding the organizational objectives and risks.
  2. Identifying and prioritizing stakeholders.
  3. Reviewing industry standards and best practices.
  4. Collaborating with representatives from different areas of the organization.
  5. Customizing policies to address the specific needs and risks of the organization.
  6. Ensuring that policies are communicated effectively to all stakeholders and regularly reviewed and updated as needed.