1. If the Enterprise Policy Review Committee is not open to the approach that Mike and
Iris want to use for structuring information security policies into three tiers, how should
they proceed?
2. Should the CISO (Iris) be assessing HR policies? Why or why not?
Prior to the first meeting of the RWW Enterprise Policy Review Committee, Mike and Iris met
in Mike’s office to formulate a common IT and information security approach to the upcoming
policy review cycle. Here is part of their conversation:
Mike motioned for Iris to sit down, and then said, “You’ve convinced me that IT and InfoSec
policy are tightly integrated, and that InfoSec policy is critical to the enterprise. I would like
you to join me as a member of the Enterprise Policy Review Committee. Okay?”
Iris, who knew how important policy was to her program’s success, replied, “Sure. No
problem.”
Mike continued, “Good. We’ll work together to make sure the EISP you’ve drafted gets equal
status with the other top-level enterprise policies and that the second-tier issue and third-tier
system policies are also referenced in all other top-level policies, especially those of the HR
department.”
Iris nodded. Mike went on, “I want you to take the current HR policy document binder and
make a wish list of changes you need to be sure we get the right references in place. Let me
see your HR policy change plan by the end of the week.”