(8) Guidelines And Exceptions Flashcards
In terms of an information security program, what are guidelines?
Guidelines are best practices, but they are not required to be followed; they are provided in the spirit of being helpful.
What else should organizations include in their policy and guideline documents?
There should be a process for exceptions and compensating controls. These cover out-of-the-ordinary situations in which an approved deviation from the normal way of doing things is warranted.
What should compensating control procedures include?
Compensating control procedures should include: the standard that applies to the situation; the justification for why the process or procedure is not going to be followed; the risks involved; a description of the other controls that will be put in place; and identification of any risks that remain unmitigated.