(4) Policy (GV.PO):
Organizational cybersecurity policy is established, communicated, and enforced
GV.PO-01:
Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
- Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
- Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
- Ex3: Require approval from senior management on policy
- Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
- Ex5: Require personnel to formally acknowledge receipt of policy when first hired, annually, and whenever policy is updated
🧡 Implementation check
🌹 Documents and records
- Cybersecurity policy
- Acceptable use policy
- Risk management plan
🌹 Expected results
- The cybersecurity policy is complete, and its development, approval, and publication conform to the organization's internal governance structure
- The policy is reviewed periodically to ensure it remains aligned with risk management strategy objectives and priorities
- The policy is communicated to all staff and to necessary stakeholders
- Employees are required to acknowledge receipt of the policy on hire and periodically thereafter (at least annually, or whenever it changes)
GV.PO-02:
Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
- Ex1: Update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and supporting processes and procedures adequately maintain risk at an acceptable level
- Ex2: Provide a timeline for reviewing changes to the organization's risk environment (e.g., changes in risk or in the organization's mission objectives), and communicate recommended policy updates
- Ex3: Update policy to reflect changes in legal and regulatory requirements
- Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements)
🧡 Implementation check
🌹 Documents and records
- Cybersecurity policy
🌹 Expected results
- The policy is reviewed and updated periodically or when significant changes occur, in coordination with cybersecurity risk management
- The policy is reviewed and updated in response to changes in legal or regulatory requirements
- The policy is communicated to all staff and to necessary stakeholders