Review and Modification Policy
Grantham University
Introduction
For the purposes of this policy, electronic resources are defined as all computer-related equipment, software/network applications, interconnecting networks, fax machines, telephone systems, and all information contained therein (collectively, “electronic resources”) owned by Mahtmarg Manufacturing (“the company/the organization”).
Review and Modification Policy
This policy shall outline the procedures and practices for the review and modification of the Mahtmarg Manufacturing ISP.
Reviewing
In an effort to ensure that Mahtmarg Manufacturing continues to operate with best practices as they pertain to information security, the Mahtmarg Information Security Policy (ISP) shall be reviewed semi-annually to determine whether any of the procedures that have been set forth need to be altered, or whether any additions need to be made. During the review, at a minimum, the following topics shall be discussed:
Incidents/disasters that occurred or were thwarted
Known threats
Known vulnerabilities
Risk Assessment
Obsolete practices
If there are any changes to be made to the ISP, please refer to the “Modification Policy” of the ISP.
Modification Policy
As the ISP is a “living document”, there will be instances where protocols and procedures will need to be modified. If any modifications are needed, the following procedure should be followed:
Modifications will only be made after semi-annual reviews unless an emergency protocol must be enacted.
All changes shall be voted on by the ISP committee members:
Information Security Manager
IT Manager
Network Manager
HR
Legal
Changes to any of the protocols or procedures will require an amendment.
Amendment proposals must be typed and emailed, with a digital signature attached, to the committee members for discussion and vote.
Change requests shall be logged by the Information Security Manager.
Amendment proposals may be sent back for further detail or changes.
If the vote for the amendment passes, a policy modification form, along with the attached amendment, will need to be approved/signed off by the CISO.
Once approved, the amendment will be added to the policy, the revision will be sent out company-wide by email, and a hard copy will be maintained by the Information Security Manager.