A mid-level company is rewriting its security policies and has halted the rewriting progress because the company's executives believe that its major vendors, who have cultivated a strong personal and professional relationship with the senior level staff, have a good handle on compliance and regulatory standards. Therefore, the executive level managers are allowing vendors to play a large role in writing the policy. Having experienced this type of environment in previous positions, and being aware that vendors may not always put the company's interests first, the IT Director decides that while vendor support is important, it is critical that the company writes the policy objectively. Which of the following is the recommendation the IT Director should present to senior staff?

A. 1) Consult legal, moral, and ethical standards; 2) Draft General Organizational Policy; 3) Specify Functional Implementing Policies; 4) Allow vendors to review and participate in the establishment of focused compliance standards, plans, and procedures

B. 1) Consult legal and regulatory requirements; 2) Draft General Organizational Policy; 3) Specify Functional Implementing Policies; 4) Establish necessary standards, procedures, baselines, and guidelines

C. 1) Draft General Organizational Policy; 2) Establish necessary standards and compliance documentation; 3) Consult legal and industry security experts; 4) Determine acceptable tolerance guidelines

D. 1) Draft a Specific Company Policy Plan; 2) Consult with vendors to review and collaborate with executives; 3) Add industry compliance where needed; 4) Specify Functional Implementing Policies