Cybersecurity policies and procedures must be reviewed
annually, or more frequently, as risk or circumstances
dictate. Following the review, policies and procedures
must be updated if necessary.
An example of a circumstance that would dictate a policy update sooner
than annually is a cyber attack. Using the lessons learned from the attack
would help strengthen a Member’s cybersecurity policy.
This is another management item, this one requiring a review of policies and procedures. The review may result in changes for IT staff.