Let me try too [#3930779@0 - ROLIA.NET, the Rolia Canada online community: Maple Forum & Maple Tribe, Maple Forum main board]


by su27 (和稀泥) at 2007.9.14 10:15 (#3930779@0)
1) IT security will follow the same pattern as IT services. Business needs, as well as regulations and laws, will become the main driving force for IT security. Both non-compliance and over-compliance should be avoided in practice.

2) As policy makers, we should avoid touching detailed technical content. The following policies will cover the issue: a) BCP, excluding physical disaster; b) system security policy; c) patch management; d) monitoring and incident response.
Personally, I don't think using one policy to mitigate one risk is a good idea. A framework such as COBIT or ISO 27001 will be a better approach. They will cover almost everything, both the risks being addressed and those omitted.

3) Being a professional consultant as well as an interpreter among the business teams, the compliance & internal control team, and the IT team, the role will collect the necessary information, discover risks, and provide reasonable solutions to satisfy all stakeholders.

This topic is in the archive and can no longer be edited or replied to.