Matthew Hackling, provider of outlandish security punditry from an Australian perspective, has posted a suggested list of artefacts that a CISO should have in order to act as the conductor of the information security symphony in an organisation:
- Audit issue register (lead violin, sometimes a bit too screechy)
- Enterprise risk register
- Significant business unit risk registers
- Compliance requirement register (the timpani)
- Mapping of compliance requirements to your Information Security Management System (ISMS)
- Control testing management reports and database
- Management reporting template
- Existing enterprise security plan and perhaps security plans of significant business units
- List of business units by criticality
- List of business processes by criticality within business units
- List of business applications by criticality with function descriptions
- Current security budget
- Business case template and submission procedures
- Document map of ISMS with status of documents within it (approved, under review, drafted, not started)
- Organisation chart
- List of security projects with budget and status
- List of business projects by criticality to business success
- Enterprise security architecture (well, at least the "zone model", with zones mapped to examples in the existing environment)
- Data classification scheme