InfoSec policies say “what”, procedures say “how”

InfoSec policies say “what”, procedures say “how”. We all know that we need to have a full set of Information Security policies. But, how many of us do not include procedures in policies? Getting a policy approved can be a big deal, often needing Exec Mgmt, HR, and possibly union approval. They typically do not change very often, but procedures change regularly. You don’t want to jump through all the approval hoops to make the required change in procedures. Keep them separate! Of course, you do want to review policies annually and when significant infrastructure changes occur. #informationsecurity #infosec #cybersecurity #dataprotection #policiesandprocedures