The organization should have clearly defined security policies and procedures. The security policies should be at least similar to, or better than, regulatory and industry-specific requirements. The policies and procedures should at least:
- Be appropriate to the business, nature and size of the data center / organization.
- Identify the boundaries of what is within the scope of the organization and what falls under the scope of the authorities (AHJ – Authority Having Jurisdiction).
- Be approved, endorsed and signed off by senior management.
- Include a regular review (internal/external) and continuous improvement plan.
- Be readily available to relevant individuals within the organization, its customers, suppliers and visitors.
- Be communicated on a regular basis.
- Be sensitive to, and respectful of, cultures, gender, etc.
- Be reviewed and revised at regular planned intervals, when major changes occur, and immediately after a security incident.