Navigable structures
Some interesting suggestions concerning structures, content and management tools came up on CISSPforum yesterday as we chatted about security policies.
I mentioned before that I'm getting glimpses of structure within the policy suite. In fact, there are several structures, different ways to group, link and use them which complicates matters. It's a mesh of multiple partially-overlapping categories, and a number of possible viewpoints reflecting the perspectives and interests of the various users.
Much the same issue affects ISO/IEC 27002: numerous possible controls addressing a plethora of risks can be grouped and arranged in several ways. At the same time the standard is aimed at a wide variety of people and organizations, with perspectives and needs that, by the way, aren't static but change as they get stuck into the subject and their interests develop.
ISO/IEC JTC 1/SC 27 is tackling this issue by systematically 'tagging' the controls with labels, allowing users to select whichever ones interest them. It's an obvious application for a database ... but how it will work with corporate security policies is not entirely obvious.
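To make the tagging idea concrete, here is an added example (not from the original post, and not SC 27's actual scheme) of what the "database" end of it looks like: each control carries labels in several facets, a query intersects facets, and any one facet can be turned into a viewpoint that groups the controls. The facet names, the control identifiers and titles and the labels are all constructed for illustration; the fifth control is deliberately left under-tagged so the validation check has something to find.

```python
"""Tag-based selection of security controls (added example, not from the page).

Constructed sample data: control identifiers, titles, facet names and
label vocabularies are hypothetical and are not ISO/IEC 27002 controls.
"""
from collections import defaultdict
from dataclasses import dataclass

# Facets (tag dimensions) assumed for this example only.
FACETS = ("control_type", "property", "audience")


@dataclass
class Control:
    cid: str
    title: str
    tags: dict  # facet name -> frozenset of labels


def make_control(cid, title, **facets):
    """Build a Control, normalising every facet's labels to a frozenset."""
    return Control(cid, title, {k: frozenset(v) for k, v in facets.items()})


# Constructed sample catalogue.
CONTROLS = [
    make_control("C-01", "Access control policy",
                 control_type={"preventive"},
                 property={"confidentiality", "integrity"},
                 audience={"management", "it"}),
    make_control("C-02", "Log monitoring",
                 control_type={"detective"},
                 property={"integrity", "availability"},
                 audience={"it", "secops"}),
    make_control("C-03", "Backup and restore",
                 control_type={"corrective"},
                 property={"availability"},
                 audience={"it"}),
    make_control("C-04", "Secure coding guideline",
                 control_type={"preventive"},
                 property={"integrity"},
                 audience={"developers"}),
    # Deliberately incomplete tagging: no 'property' facet at all.
    make_control("C-05", "Clear desk rule",
                 control_type={"preventive"},
                 audience={"all staff"}),
]


def untagged(controls, facets=FACETS):
    """Return {cid: [missing facets]} for controls lacking a label in any facet.

    A control with no label in a facet silently drops out of every query
    and every viewpoint built on that facet, so this is the check to run
    before trusting a filtered view.
    """
    missing = {}
    for c in controls:
        gaps = [f for f in facets if not c.tags.get(f)]
        if gaps:
            missing[c.cid] = gaps
    return missing


def select(controls, **wanted):
    """Ids of controls matching every facet given (AND across facets).

    Within one facet, any of the listed labels matches (OR within a facet).
    A wanted value may be a single label or an iterable of labels.
    """
    def matches(c):
        for facet, labels in wanted.items():
            if isinstance(labels, str):
                labels = {labels}
            if not c.tags.get(facet, frozenset()) & set(labels):
                return False
        return True
    return [c.cid for c in controls if matches(c)]


def view_by(controls, facet):
    """One viewpoint: group control ids under each label of a facet.

    A control tagged with several labels appears under each of them,
    which is exactly the partial overlap the post describes.
    """
    grouped = defaultdict(list)
    for c in controls:
        for label in sorted(c.tags.get(facet, ())):
            grouped[label].append(c.cid)
    return dict(grouped)


if __name__ == "__main__":
    print("under-tagged:", untagged(CONTROLS))
    print("preventive AND integrity:",
          select(CONTROLS, control_type="preventive", property="integrity"))
    print("by property:", view_by(CONTROLS, "property"))
```

The same catalogue answers different readers without being restructured: a developer queries `select(CONTROLS, audience="developers")`, an auditor asks `view_by(CONTROLS, "property")`. The awkward part in practice is the facet vocabulary itself, which has to be agreed and kept stable before the tags are worth anything; the `untagged` check is the minimum hygiene for that.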
Suggestions on the table so far include:
- General-purpose database or document management systems
- [Security] policy [and procedure, standard and guideline] management systems
- Documents, simple or compound with a fixed structure but numerous cross-references
- Web sites and wikis with relatively fixed structures and loads of hyperlinks
- Something more dynamic and flexible, yet usable.