Management needs to develop a comprehensive set of security policies before designing and implementing specific control procedures. Top management is essential because they understand the organizations mission and goals to asses the impact of security.
Policy Development and documenting policies
users must receive regular, periodic reminders about security policies and training in how to comply with them.
Effectively communicating policies to all authorized users
Both CEO and CFO are accountable for ensuring that the organization has implemented a thorough risk assessmnet program and regularly monitors it.
Designing and employing appropriate control procedures to implement policies.
Continuous cycle of developing polocies t address threats, communicating those policies to all employees, implementing specific control procedures to mitigate risk, monitoring performance and taking corrective actions in response to identified problems.
Monitor the system and take corrective action to maintain compliance with policies.