what are the compliance considerations during information security policy making?

Question is at last

Contingency plans are measures taken by organizations to prepare and deal with unusual events if they occur. These events are characterized by adverse effects that have the potential to hinder the operations of an organization. Contingency planning creates a blueprint of how the organization will mitigate the effects of a contingency regardless of the size of the organization (Flowerday & Tuyikeze, 2016). Information security policy forms an integral part of developing contingency plans in an organization. It provides a guideline with instructions, special considerations, and recommendations that provide an organization with ways to recover its data and information services in the event of a contingency.

The information security policy provides clear and concise steps to be followed as part of the protective measures to mitigate a contingency. It enhances the protection of data and organization assets in case a disaster or a data security breach occurs (Flowerday & Tuyikeze, 2016). The policy also gives an organization appropriate approaches to undertake when conducting a root cause analysis of a disaster or security breach (Whitman, Mattord, & Green, 2013). In this regard, the information security policy provides considerations on the collection and preservation of evidence.

The information security policy also plays a vital role in identifying the essential information systems, which are the most vulnerable. On the same note, the policy identifies the kind of risks that pose a threat to the organization’s data and information system. To prevent and decrease the impact of contingencies, the policy provides a number of particular measures and assessments that should be implemented to protect the information system (Whitman, Mattord, & Green, 2013). Importantly, the above measures should be compliant with the general organization’s policy.

A question that still remains is; what are the compliance considerations during information security policy making?