I have been tasked with producing an IT Security Policy, as our current one is outdated. I am currently considering approaching such a policy in two parts: Information Security and Information Technology Security.
Since they are both intertwined because of the CIA of information and the related security controls (information, assets, physical security, networks, collaboration tools, online sharing, cyberspace, etc.), is it worth separating them, or is one policy encompassing both sufficient and valuable from an audit standpoint?
The policy is driven by ***, which includes eight pillar requirements as far as security controls go.
So, I just need a few tips and some guidance to build an up-to-date policy reflective of new policy requirements based on new operational trends driven by new technologies and services (PaaS, SaaS, CaaS, to name a few). Also, such a policy must be simple enough to optimize comprehension and adherence from Senior Management. Our organization is not looking to implement a framework on its own.