Prior to the first meeting of the RWW Enterprise Policy Review Committee, Mike asked Iris to meet him in his office.
“You’ve convinced me that IT and InfoSec policy are tightly integrated,” Mike said, motioning for Iris to sit down. “And you’ve convinced me that InfoSec policy is critical to this enterprise.
Since we are each members of the Enterprise Policy Review Committee, I think we may want to coordinate our efforts when we bring issues up in that group. You agree?”
Iris, who knew how important policy was to her program’s success, smiled.
“Sure, no problem” she said. “I see it the same way you do, I think.”
“Good,” Mike said. “We’ll work together to make sure the EISP you’ve drafted is integrated with the other top-level enterprise policies. What we need to watch out for now is all the cross references between the top-level policies and the second-tier and third-tier policies. The entire problem of internal consistency between supporting policies is a problem, especially with getting the HR department policies to integrate fully.”
Iris nodded while Mike continued.
“I want you to take the current HR policy document binder and make a wish list of possible changes,” he said. “You should focus on making sure we get the right references in place. If you can send me the change plan by the end of the weekend, I will have time to review it.”

Questions:
1. If the Enterprise Policy Review Committee is not open to the approach that Mike and Iris want to use for structuring InfoSec policies into three tiers, how should Mike and Iris proceed?
2. Should the CISO (Iris) be assessing HR policies? Why or why not?