Assignment
1. If the Enterprise Policy Review Committee is not open to the approach that Mike and Iris want to use for structuring information security policies into three tiers, how should they proceed?
2. Should the CISO (Iris) be assessing HR policies? Why or why not?
Prior to the first meeting of the RWW Enterprise Policy Review Committee, Mike and Iris met in Mike's office to formulate a common IT and information security approach to the upcoming policy review cycle. Here is part of their conversation:
Mike motioned for Iris to sit down, and then said, "You've convinced me that IT and InfoSec policy are tightly integrated, and that InfoSec policy is critical to the enterprise. I would like you to join me as a member of the Enterprise Policy Review Committee. Okay?"
Iris, who knew how important policy was to her program's success, replied, "Sure. No problem."
Mike continued, "Good. We'll work together to make sure the EISP you've drafted gets equal status with the other top-level enterprise policies and that the second-tier issue and third-tier system policies are also referenced in all other top-level policies, especially those of the HR department."
Iris nodded. Mike went on, "I want you to take the current HR policy document binder and make a wish list of changes you need to be sure we get the right references in place. Let me see your HR policy change plan by the end of the week."