• No se han encontrado resultados

El aprendizaje de segundas lenguas Todo proceso de enseñanza-aprendizaje en cualquiera de las áreas del conocimiento, lleva implícitos intereses diferentes por

2.2 MARCO TEÓRICO

2.2.2 El aprendizaje de segundas lenguas Todo proceso de enseñanza-aprendizaje en cualquiera de las áreas del conocimiento, lleva implícitos intereses diferentes por

policy and scope

Once the management structure has been thought through, the initial ISMS establishment issues have been completely understood and the initial training of the key personnel who will be involved in the development of the policy has been completed, the next step in the Plan phase can commence.

Information security policy

The first step in the establishment of an ISMS is the definition of the infor- mation security policy. This requirement is set out in clause 4.2.1 of the standard (and control A.5.1). It is not always, however, as straightforward as it seems. It may be an iterative process (particularly in complex organizations dealing with complex information security issues and/or multiple domains), and the final form of security policy that is adopted may therefore have to reflect the final risk assessment that has been carried out and the statement of applicability that emerges from that.

Clause 4.2.1 sets out clearly the components of the ISMS policy. Its scope, and the policy itself, must take into account the characteristics of the business, its organization, location, assets and technology. The policy must include a framework for setting its objectives and establish the overall sense of direction. It must take into account all relevant business, legal, regulatory and contractual security requirements. It must establish the strategic context (for both organization and risk management) within which the ISMS will be established. It must establish criteria for the evaluation of risk and the structure of the risk assessment. Of course, management must approve it.

The security policy will also have to be regularly reviewed and updated in the light of changing circumstances, environment and experience. As a minimum, if there is no earlier reason for the board to review its policy, it should be reviewed annually and the board should agree that the policy remains appropriate (or otherwise) to its needs in the light of any changes to the business context, to the risk assessment criteria or in the identified risks. There may be components of the policy that ought to be reviewed very regularly, even monthly, and these should be identified through the risk assessment.

Initially, the information security policy is a short statement (we think organizations should aim for a maximum of two pages of A4) that is designed to set out clearly the strategic aims and control objectives that will guide the development of the ISMS. The policy may go through a number of stages of development, particularly in the light of the risk assessment, but the final version must satisfy clause 5.1.1 of the standard and appropriately reflect the good practice that is set out in clause 5 of ISO27002, and the guidance in the introduction should also have been read and taken into account. Proof that the policy has been approved by management, that it has been published and communicated internally and that it is reviewed regularly (usually annually, as a minimum), with any changes similarly published and communicated, will enable the organization to satisfy control A.5.1 of the standard, ‘Security policy’.

The key questions that the initial policy statement must succinctly answer are:

ᔢ Who?

ᔢ Where?

ᔢ What?

ᔢ Why?

Usually, the manager who has been charged with leading the implementation of the ISMS will be charged with drafting a security policy and board paper that proposes how these questions should be answered. This paper should

seek to be as objective as possible in working through the possible answers to these four questions so that the board can identify and focus on those issues that require clarification or where difficult decisions may be necessary.

A copy of that section of the minutes (preferably initialled by the chairman as a correct copy) of the board meeting in which the security policy was debated and adopted should be filed with the security policy documentation. It can be a controlled record and it does, for audit purposes, provide useful and immediate evidence of the process by which the policy was adopted, and of any amendments to it. This, together with the proposal that was put to the board, is the first part of the evidence that clause 4.3 (‘Documentation require- ments’) of the standard requires in order to demonstrate that the actions set out in clause 4.2 did take place.

The policy itself should then be issued as a controlled document and made available to all who fall within its scope; in general, members of the senior management team should receive individual copies, and copies could be posted on all internal noticeboards, both the physical and electronic ones. There are other methods of communication; what matters is that the commu- nication is effective. These copies of the policy document should of course be clearly marked as controlled copies, to ensure that they are updated to reflect any changes that take place. Copies handed out as part of training or awareness seminars should be marked as uncontrolled copies.

Who?

‘The board and management’ have to be completely behind and committed to the ISMS; therefore, the policy statement must be issued under their authority and there should be clear evidence, in the form of written minutes, that the policy was debated and agreed both by the board as a whole and by the management steering group. Any revisions to the policy should also be debated and agreed by both the board and the steering group. From a prac- tical point of view, it is worth keeping the policy statement as simple, as comprehensive and as broad as possible so as to allow management adequate freedom to respond to changing business and security circumstances in implementing it without needing to return to the board and the forum for the policy itself to be freshly agreed.

It will also require participation by all employees in the organization and may require participation from customers, suppliers, shareholders and other third parties. This is part of the context of the ISMS referred to earlier. In thinking through the security policy, the board and the forum will need to consider how it will impact on these constituents and/or audiences and the benefits and disadvantages that the business will experience as a result of this.