Information Security Roles and Responsibilities Made Easy

$495.00

Information Security Roles and Responsibilities Made Easy, by security expert Charles Cresson Wood, provides over 70 pre-written information security job descriptions, mission statements, and organization charts that you can easily customize for your own organization.

SKU: DR571 | Product ID: 15521

Description

Save Thousands Documenting Your Information Security Program

Includes time-saving tools and practical, step-by-step instructions on how to develop and document specific information security responsibilities for over 40 different key organizational roles.

Information Security Roles & Responsibilities Made Easy, Version 3.0 provides:

  • Over 70 pre-written, time-saving information security documents
    • 29 information-security-related committee, board, and department mission statements, with information security responsibilities reflecting the latest technical and legal requirements.
    • Over 40 information-security-related job descriptions.
    • 12 separate information security organization structures with discussions of the pros and cons of each.
    • Specification and discussion of 29 critical information security documents that every organization should have.
    • Standard practices that have been shown to be effective at over 125 organizations around the world.

  • Justification to help increase management’s awareness and funding of information security
    • How to persuade management to properly document information security roles and responsibilities, including an easily-customized sample management memorandum.
    • Reducing the total cost of information security services through properly documented roles and responsibilities.
    • Discussion of responsibility and liability as it relates to documented information security roles, including citations supporting the legal notion of the standard of due care.
    • Information security staffing data and analysis to help gain management support for additional resources.
    • Common mistakes many organizations make and how to avoid them.
  • Specific advice on how to plan, document and execute an information security infrastructure project
    • Information on how to properly review and update information security roles and responsibilities, including department interview techniques.
    • How to schedule project resources and time lines for documenting roles and responsibilities.
    • Detailed discussion of the Data Owner, Custodian and User roles.
    • Actions you should take to reduce your organization’s exposure to workers in information-security-related positions of trust.
    • The synergy between role based access control (RBAC) and clarification of information security roles and responsibilities.
  • How to maintain information security when dealing with third parties
    • Pros and cons of outsourcing security functions, including validation and security when outsourcing.
    • The security roles and responsibilities of software and hardware vendors.
    • Decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.
  • Valuable staffing advice for information security professionals
    • Characteristics of effective information security professionals, including discussion about the pros and cons of hiring hackers and others who have been on the wrong side of the law.
    • Specific performance criteria for individuals and teams.
    • An expanded list of information security professional certifications with web sites, phone numbers, and addresses for each.

Distributed via secure download. Does NOT include a book or CD.


Chapter 1: What This Tool Can Do For You

Chapter 2: Reasons To Establish Clear Roles & Responsibilities

Chapter 3: Persuading Management To Document Roles and Responsibilities

Sample Memo To Management – Why Document Security Roles and Responsibilities

Chapter 4: Before You Document Roles & Responsibilities

Chapter 5: Updating Roles & Responsibilities

Chapter 6: Who Should Write Roles & Responsibilities Documents

Chapter 7: Review & Approval Of Roles & Responsibilities

Chapter 8: Resources Required To Document Roles & Responsibilities

Chapter 9: Time Estimates To Document Roles & Responsibilities

Chapter 10: Key Information Security Documents

Information Security Department and Other Department Missions
Information Security Staff and Other Staff Job Descriptions
Information Security Department Reporting Relationships Diagram
Information Security Awareness Pamphlet
Information Security Awareness Reminder Memos
Information Security Policy Manual
Information Security Standards Document
Information Security Architecture Document
Information Security Action Plan
Information Security Forms
Systems Administration Procedures Manual
Risk Acceptance Memos
Information Systems Contingency Planning Manual
Organizational Code of Conduct
Standard Operating Procedures (SOP) Manual
Systems Development Process Manual
Application System Requirements Documents
User and Computer Operations Application Manuals
Records Management Policies and Procedures Manual
Worker Performance Reviews
Systems Usage Responsibility Agreements
Outsourcing and Consulting Agreements
Confidentiality and Non-Compete Agreements
Human Resources Manual
Physical Security Pamphlet

Chapter 11: Sample Organizational Mission Statements

Information Security Department
Physical (Industrial) Security Department
Internal Audit Department
EDP Audit Unit
Ethics and Compliance Unit
External Auditing Firm
Records Management Department
Information Technology Department
Help Desk Unit
Network Operations Unit
Computer Operations Unit
Systems Administration Unit
Database Administration Unit
Data Administration Unit
Insurance and Risk Management Department
Contingency Planning Unit
Computer Emergency Response Team
Legal Department
Human Resources Department
Information Security Management Committee
Information Technology Steering Committee
Board of Directors – Audit Committee
Internal Control Committee
Facilities Management Outsourcing Firm

Chapter 12: Sample Job Descriptions For Specific Roles

Information Security Department Manager
Access Control System Administrator
Internal Information Security Consultant
Information Security Engineer
Information Security Documentation Specialist
Information Systems Contingency Planner
Local Information Security Coordinator
Chief Information Officer
Information Systems Analyst/Business Analyst
Systems Programmer
Business Applications Programmer
Computer Operations Manager
Computer Operator
Information Systems Quality Assurance Analyst
Help Desk Associate
Archives Manager/Records Manager
Telecommunications Manager
Systems Administrator/Network Administrator
Web Site Administrator/Commerce Site Administrator
Database Administrator
Data Administration Manager
Physical Security Department Manager
Physical Asset Protection Specialist
Building and Facilities Guard
Office Maintenance Worker
Internal Audit Department Manager
EDP Auditor
Internal Intellectual Property Attorney
Human Resources Department Manager
Human Resources Consultant
Receptionist
Outsourcing Contract Administrator
In-House Trainer
Insurance and Risk Management Department Manager
Insurance and Risk Management Analyst
Business Contingency Planner
Public Relations Manager
Chief Financial Officer
Purchasing Agent
Chief Executive Officer

Chapter 13: Information Security Reporting Relationships

Option 1: Information Technology
Option 2: Security
Option 3: Administrative Services
Option 4: Insurance & Risk Management
Option 5: Strategy & Planning
Option 6: Legal
Option 7: Internal Audit
Option 8: Help Desk
Option 9: Accounting & Finance through I.T.
Option 10: Human Resources
Option 11: Facilities Management
Option 12: Operations
Summary

Chapter 14: Template Customization Factors

Local Laws and Regulations
Industry Category
Criticality to the Business
Line or Staff Organizational Culture
Scope of Information Security Function
Information Security Effort Sophistication
Size of Organization
Outsourcing
Intended Audience
Separation of Duties
Cross-Training and Backup
Formatting

Chapter 15: Owner, Custodian, And User Roles

Chapter 16: Roles & Responsibilities Of Product Vendors

Chapter 17: Roles & Responsibilities Of Outsourcing Firms

Chapter 18: Adjustments For Smaller Organizations

Chapter 19: A Centralized Organizational Structure

A Few Critical Distinctions
Information Security Activities That Should Be Centralized
Why Centralized Information Security Management Is Advisable
Drawbacks Of Centralized Information Security Management
Resolving A Variety Of Implementation Issues

Chapter 20: Workers In Information Security Related Positions Of Trust

Nature Of The Problem
Suggested Strategies

Chapter 21: Common Mistakes You Should Avoid

Appendix A: Information Security Staffing Levels

Information Security Staffing: Calculating the Standard of Due Care

Appendix B: Personal Qualifications

Excellent Communication Skills
Ability to Resolve Conflicts Between Security and Business Objectives
Ability to See the Big Picture
Basic Familiarity with Information Security Technology
Commitment to Staying on Top of the Technology
Familiarity with Information Security Management
Tolerance for Ambiguity and Uncertainty
Ability to Manage Many Important Projects Simultaneously
Ability to Work Independently
A Certain Amount of Polish

Appendix C: Performance Criteria

Information Security Department Metrics
Individual Worker Metrics

Appendix D: Professional Certifications

Appendix E: Responsibility and Liability

Appendix F: Sample User Responsibility Agreement

Appendix G: Disclosing Roles and Responsibilities

Appendix H: Role Based Access Control

Information Security Roles and Responsibilities Made Easy, Version 3 is the new and updated version of the best-selling security resource by Charles Cresson Wood, CISSP, CISA, CISM. Version 3 is based on Mr. Wood’s 30 years of consulting and security experience and contains these new, updated features to help you save money while establishing a due-care information security organization:

New Department Mission Statements

1. Updated information-security-related committee, board, and department mission statements, including new descriptions for Disaster Recovery Team, Change Control Committee, Privacy Oversight Committee, and a Board Of Directors Governance Committee.

New information-security-related job descriptions

2. Over forty updated information-security-related job descriptions including brand new job descriptions for Chief Privacy Officer (CPO), Chief Security Officer (CSO), Chief Knowledge Officer (CKO), Ethics Officer and Data Librarian.

3. Expanded job descriptions and mission statements reflecting the latest business and technological developments (such as digital rights management systems and wireless networks) and legislative and regulatory requirements such as those of the Sarbanes Oxley Act.

More Expert Advice on Building the Security Organization

4. Additional management justifications for compiling, documenting and updating roles and responsibilities, including ways in which this effort minimizes the cost of providing adequate information security services.

5. A significantly expanded discussion of the pros and cons of outsourcing the information security function, including outsourcing-firm due-diligence, secure outsourcing procedures, and possible conflicts of interest when retaining a third party.

6. Actions you should take to reduce your organization’s exposure to workers in information security related positions of trust.

7. Added citations supporting the legal notion of the standard of due care as it relates to management responsibility, including discussion of the Hooper Doctrine, to help justify an investment in information security organizational infrastructure.

8. An expanded discussion of the personality characteristics needed for work in information security, including discussion about the pros and cons of hiring hackers and others who have been on the wrong side of the law.

9. New decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.

10. Updated information security professional certifications with web sites, phone numbers, and addresses so the reader can easily get more information about them.

11. A new appendix which explores the synergy between role based access control (RBAC) and clarification of information security roles and responsibilities.

Information Security Roles and Responsibilities Made Easy, Version 3.0 contains easily-customized documents in MS-Word format.

Review by John Machin, SC Magazine

The many aspects of setting up a security function program in an organization can be hard to understand, let alone perform. Charles Cresson Wood’s latest book, …aims to help organizations through the issues. Though written largely with a North American audience in mind, the book includes many standard practices, which have been effective worldwide.

Information Security Roles and Responsibilities Made Easy is best described as a reference manual, although it is also more than that, as explained below. It is aimed at large organizations that can afford to implement a fully scaled security function. The author, however, recognizes that smaller organizations often have to operate with restricted budgets and resources that are not required on a full-time basis. There is a chapter that deals specifically with options available to smaller organizations.

The book provides, in an easy-to-digest format, what is required to develop information security job descriptions, mission statements and reporting relationships. The author recognizes that IT security is not merely the responsibility of the IT security department, but of the whole enterprise.

The earlier sections of the book deal with information security roles and responsibilities within an organization. The author describes, at some length, the steps required. The book gives good examples of various security based memos and manuals such as risk acceptance memos and the information security policy manual that should be found in a large organization.

The middle section of the book deals with what the author calls mission statements. These are designed to be partial mission statements dealing with the wide-ranging information security responsibilities of various departments. The examples given are informative and cover a wide range of departments, from internal audit to facilities management and outsourcing. Information security staff responsibilities and duties are extensively detailed. The author also touches on information security-related responsibilities and roles for the likes of the chief financial officer and the purchasing agent, in line with the premise that the whole organization must be involved in security.

A further chapter is devoted to information security reporting lines and responsibilities, including the relative merits of centralized and decentralized structures. Here the author discusses various possible reporting lines for information security in organizational chart format and goes on to discuss the pros and cons of each. Examples of these include reporting via the technology department to the strategy and planning department.

A crucial feature of this publication is not merely the information and guidance contained in the 255 pages of the hardcover book. Included in the price is an organization-wide license to republish materials. The accompanying CD-ROM contains what Information Shield describes as “cut-and-paste ready-to-go words” – in other words, do-it-yourself security documents, which the licensed organization may utilize quickly and easily to set up their own documentation.

In conclusion, although this book may not portray anything radically new, it brings the various information on IS under one roof. With the inclusion of the… publication license it is more than just a source of good reference material, it is an excellent resource designed to be easily adapted to an organization’s needs.

About Charles Cresson Wood

Recipient of Computer Security Institute’s Lifetime Achievement Award

Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.

He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.

For over 10 years, Mr. Wood was a Senior North American Editor for the Elsevier academic research journal “Computers & Security” and the practitioner’s newsletter “Computer Fraud & Security Bulletin.” For over 17 years, for the Computer Security Institute, he wrote a monthly column about information security policies for the newsletter “Computer Security Alert.” He has also been an information security strategy columnist for the global technology media company TechTarget.

He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has also passed the Certified Public Accountant (CPA) examination. He is a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.” Mr. Wood is currently attending St. Francis School of Law on a part-time basis, and when he graduates and passes the California bar exam, he intends to specialize in intellectual property protection and privacy matters.

Here is a sampling of the over 375 security related articles by Charles Cresson Wood:

“Researchers Must Disclose All Sponsors And Potential Conflicts,” Computer Security Alert, No. 197, March 2000; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 220]

“Integrated Approach Includes Information Security,” Security, pp. 43-44, February 2000; Publisher: Cahners, Des Plains, IL. [pub. no. 219]

“Get Data Safety Policies In Place,” American Banker, 11 February 2000, p. 7; Publisher: American Banker, New York, NY. [pub. no. 218]

“All Internet Personal Data Gathering Techniques Must Be Disclosed,” Computer Security Alert, No. 196, February 2000; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 217]

“The Information Security Profession: Evolutionary Career Paths,” Information Security, November 1999; Publisher: ICSA.net, Norwood, MA. [pub. no. 214]

“Disclosures Of Private Information Without Data Subject Consent,” Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 212]

“Termination Of Outsourcing Contracts For Security Violations,” Computer Security Alert, No. 191, September 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 210]

“Top Ten Impediments To Implementing An Information Security Policy,” Information Security, September 1999 (cover story); Publisher: Information Security, Norwood, MA. [pub. no. 209]

“A Functional Comparison Of Tandem Data Replication Software Packages,” an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino, CA. [pub. no. 207]

“Subjects Given Opportunity To Block Private Information Disclosures,” Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 205]

“Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information,” Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 202]

“All Systems Access Privileges Cease When Workers Terminate,” Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 202]

“Non-Compliance And Disciplinary Action,” Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 198]

“Convenience Versus Multi-Factor User Authentication,” Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 196]

“Twelve New Vulnerabilities Introduced by Internet Commerce,” Information Security Bulletin, September 1998 (volume 3, issue 6, cover story); Publisher: Chi Publishing Ltd., London, England. [pub. no. 195]

“All Telephone Transactions Require Positive Caller Identification,” Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 193]

“The Truth About Masquerading and Spoofing,” Network Magazine, February 1998; Publisher: Miller Freeman, San Francisco, CA. [pub. no. 183]

“Unauthorized Information Disclosure and Loss of Stock Options,” Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 185]

“Managing Perceptions About Internet Electronic Commerce Security,” Computer Security, Audit & Control, February 1997; Publisher: Management Advisory Services Publications, Wellesley Hills, MA. [pub. no. 165]

“Information Security: Are We Winning the Game?” Computer Fraud & Security Bulletin, January 1997; Publisher: Elsevier Science Technology, Oxford, England. [pub. no. 162]

“Encryption for Files Left on Anonymous FTP Servers,” Computer Security Alert, No. 163, October 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 159]

“Encryption Systems Must Include Key Escrow,” Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 152]

“Cryptography Plays Central Role in Future Electronic Commerce,” Computer Fraud & Security Bulletin, March 1996, pp. 9-10; Publisher: Elsevier Science Technology, Oxford, England. [pub. no. 151]

“Users Must Not Attempt to Eradicate Viruses,” Computer Security Alert, No. 156, March 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 150]

“EDP Audit Must Be Independent of Information Security,” Computer Security Alert, No. 155, February 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 147]

“Reliance on Information Downloaded From Internet,” Computer Security Alert, No. 153, December 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 145]

“When to Report Computer Crimes to Law Enforcement,” Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 141]

“New Intellectual Property and the Need for Information Security,” Computer Fraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England. [pub. no. 139]

“Require Approval for Official Statements Posted to the Internet,” Computer Security Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 136]

“Internet Anarchy and the Effectiveness of Laws,” Computerworld, 12 June 1995. Expanded version also appears as “Need for Worldwide Internet Laws,” Computer Fraud & Security Bulletin, p. 10, July 1995; Publisher: Elsevier Science Publishers, Oxford, England. [pub. no. 133]

“ISO9000 and Information Security,” Computers & Security, vol. 14, no. 4, pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford, England (co-author Karen Snow). [pub. no. 131]

“Why SATAN Should Not Have Been Distributed As It Was,” Computer Security Alert, No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 128]

“Destroy Archived Electronic Mail Periodically,” Computer Security Alert, No. 142, January 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 124]

“Wireless Network Security,” Proceedings of Wireless Datacom ’94 Conference held in Washington, DC, 6-8 December 1994; Publisher: Business Communications Review, Hinsdale, IL. [pub. no. 122]

“Fifty Ways to Secure Dial-Up Communications,” Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England. [pub. no. 118]

“Identity Token Usage at American Commercial Banks,” Computer Fraud & Security Bulletin, March 1995, pp. 14-16; Publisher: Elsevier Science Publishers, Oxford, England. [pub. no. 114]

“Security Problems in Collaborative Computing,” Network World, October 1994; Publisher: International Data Group, Framingham, MA. [pub. no. 113]

“The Newest Threat to Information Security: Open Book Management,” EDPACS, August 1994; Publisher: Warren Gorham Lamont, Boston, MA. [pub. no. 110]

“Principles of Secure Information Systems Design with Groupware Examples,” Proceedings of the Groupware ’92 Conference, held in San Jose, California, 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA. [pub. no. 75]

“A Strategy for Developing Information Security Documents,” Journal of Information Systems Security, vol. 1, issue 2, Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New York, NY (co-author: Juhani Saari). [pub. no. 68]

“Using Information Security to Achieve Competitive Advantage,” Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California. [pub. no. 58]

“Data Dictionaries and Information Security,” Proceedings of SECURICOM ’84 International Conference, Cannes, France, 29 February – 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris, France. [pub. no. 24]

“International Barriers to Information Flows,” SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA. [pub. no. 10]

“Computer Crime: Criminal Justice Resource Manual,” with Parker, Donn B.; Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710, 1979. [pub. no. 1]

Featured Sample Information Security Policies

Classification Of Information Security Policies And Procedures

(These sample policies and commentary are from over 1500 security policy templates from Information Security Policies Made Easy, Copyright ©2017.)

Policy: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners.

Commentary:

This policy prevents workers from disclosing to outsiders the specifics of how Company X secures its information and systems. These details could be used to compromise Company X information and systems. For example, knowledge about an internal process may help an industrial spy commit credible social engineering fraud. Because some information security policies are made public (for example on a web page), some workers may get the impression that other information security policies may be publicly released without adverse consequence. Information security policies should be revealed to outsiders only when it is required for business reasons, legal requirements, or because it is the ethical thing to do. Not all of the information security policies need to be released in these instances, and a summary statement is not only advisable but is appreciated by the recipients. Each information security policy document should be marked with an appropriate classification in order to communicate whether or not the policies are public information.

Risk Assessment – Documented Methodology

Policy: Company X must specify and document a formal methodology for performing risk assessments. The specification must include, at a minimum, the risk methodology (quantitative or qualitative) used, specific criteria for ranking assets, sources of vulnerability and threat data, and acceptable risk thresholds.

Commentary: This policy ensures that Company X uses a consistent, documented methodology for performing system risk assessments. By their very nature, risk assessments can be very subjective. By providing documentation of the risk methodology used, the organization can provide some level of consistency between different organizational units or teams performing risk assessments. One example of such a methodology is the Facilitated Risk Assessment (FRA). This process, which utilizes a qualitative risk analysis, is geared to a specific application, system or network. It allows risks to be addressed in financial and non-financial terms, as well as taking into consideration secondary impacts. It is a formal methodology that is driven by the system’s owners, conducted by a facilitator, and can be completed in a relatively short period of time.

Annual Review of Applicable Security Policies

Policy: All Company X employees and contractors must review and acknowledge acceptance of the information security policies which apply to them at least on an annual basis.

Commentary:

One of the key controls in any information security program is the education and training of users on both generic information security principles and specific company policies. This policy requires each user within the organization to read each set of security policies which applies to them, and to sign an agreement acknowledging that they have read and agree to abide by these policies. This policy has been in practice for many years in some organizations without being formally documented. While many organizations require a user to sign an agreement to abide by policies when they first join the company, many times this form ends up in a personnel file never to be seen again. This policy is not only required by many security-related laws, it is critical documentation for any potential lawsuit involving employee violations of policy. While this seems like a large administrative burden, automated security policy tools that handle much of this process are now available.
