You are asked to develop an information security policy for an organization. You can choose any non-for-profit organization or publicly traded company.

 

Assume the following:

 You are given the mandate to develop the information security policy for the organization you have selected. You have been hired by the president/CEO of the organization and are given "carte blanche" on developing the policy.

 The information security policy includes following:

• An introduction (in a very brief format)
• Scope (applicability of the policy)
• Objectives
• A list of roles and corresponding responsibilities in terms of information security. The roles can include that of the Board of directors of the organization, the president/CEO, the CISO (which you will have to position within the organization), senior managers, first line managers, employees, along with any other applicable role such as that of internal audit, legal affairs, IT, etc.
• Policy statement: A set of information security principals and rules applicable throughout the organization. These should cover the main domains of the ISO 27001 international standard.
• Applicable laws and regulations (related to information security)
• Compliance to the policy (verification requirements)
• Requirements regarding the update, revision, approval of the policy 
• Glossary
• Version control