微软IT安全管理.pptVIP

Policy Management Challenges Diverse Business Group Structure. Microsoft must enforce all of its unique security policies consistently to maintain credibility. Involving key executives at the authorization phases of implementation lends influence and credence. Consistent Repeatable Process. Implementing a repeatable process ensures that the appropriate roles, responsibilities, and administrative controls are in place. Terminology and Clarity. Policies must be clear and comprehensive to be followed, yet flexible enough to accommodate a wide range of data, activities, and resources. Policies are high-level statements that define what is to be protected, but do not provide details about processes or technology. Standards include technology-specific mechanisms and solutions that are required for compliance. Standards define how settings should be configured and detail which settings are required. Statement of Positions (SOPs) contain the “how-to” details for compliance with the policies and standards. It can be challenging to ensure policies do not include standards and best practices. Care must also be taken to ensure the wording is simple, clear, and concise for those who speak English as a second language. Timing for Approval and In-Effect. If a policy is to be applied company-wide, approval must come from an executive who has authority to deploy the policy. All policies must be approved by the CISO. If a policy applies to the entire organization, it must also go to the Information Security Governance Board (ISGB) for review. The CSC provides final approval (this group includes Microsoft CEO, Steve Ballmer). A policy can take up to 3 to 6 months after the review process before it is approved. After a policy has gone through the review cycle, it is published as a draft on the policy Web site. After the policy is approved, the “draft” tags are removed and an Effective Date is posted. Awareness. If users are not aware of policies, they cannot be held accountab