Should the CISO (Iris) be assessing HR policies?

  1. If the enterprise policy committee is not open to the approach that Mike and Iris want to use for structuring information security policies into three tiers, how should they proceed?
  2. Should the CISO (Iris) be assessing HR policies? Why or why not?