Talk:IT Security Policy

Broad overview

One of the early pieces of feedback we had on these from a Trustee was that there was not enough distinction between

1. Policy - a strategic level document, laying out an organisational commitment to standards, specifying the respective roles of Trustees, Staff and volunteers and linking to descriptive procedures, that may require key staff and volunteers to sign to demonstrate their understanding and compliance
2. Proceedures - Semi-technical/administrative documents describing what actions must be taken by Staff and Volunteers to comply with a given policy
3. Checklists - Purely administrative documents designed to ensure that procedures are being complied with

- What do we think? Is this overkill, or will it help? Any suggestions as to how we break up these drafts to create these separations would be gratefully received! Katherine Bavage (WMUK) (talk) 12:08, 21 December 2012 (UTC)

• Looking through the list in the 'Policies' section, some of these are procedures and checklists rather than policy. E.g. Annual security audit checklist is definitely not a policy. It would be good to separate these out from the policies, and only noting that the policy documents need to be approved by the board. Thanks. Mike Peel (talk) 20:41, 21 January 2013 (UTC)

Some notes from Richard S

A few rambling points:

• Are the 'Key Principles' actually principles? Does it matter whether they are or not? Probably not.
• Come to think of it, is this actually a policy in and of itself, or is it just a collection of sub-policies?

All the best, Richard Symonds (WMUK) (talk) 13:42, 10 January 2013 (UTC)