December 04, 2009, 6:39 PM
WHEN IS THE BEST TIME TO UPDATE CORPORATE SECURITY POLICIES?
At least once a year. This update should be part of an overall risk-management process, says Charles Cresson Wood, independent security consultant and author of Information Security Policies Made Easy. Corporations that have gone through any of a number of adverse situations – a bad audit, a lawsuit, a lost business deal, an intrusion, or complaints related to security – should review their policy following the incident.
Tip: Once a policy has been reviewed, proposed changes must be run by all stakeholders and then an adoption plan should be crafted, says Wood. The plan should take into consideration the technology and training required for implementation.
The process of updating security policies "takes a whole lot longer than many people would like, but if you go through the steps and cross all the t's and dot all the i's, then you can be assured of something that is reasonable, cost-effective, acceptable to users, and widely anticipated before cut-over," says Wood.
This is part of ITworld's "Best Time" series.