Matthew Hackling, provider of outlandish security punditry from an Australian perspective, has posted a suggested list of artefacts that a CISO should have in order to act as the conductor of the information security symphony in an organisation:
- Audit issue register (lead violin, sometimes a bit too screechy)
- Enterprise risk register
- Significant business unit risk registers
- Compliance requirement register (the timpani)
- Mapping of compliance requirements to your Information Security Management System (ISMS)
- Control testing management reports and database
- Management reporting template
- Existing enterprise security plan and perhaps security plans of significant business units
- List of business units by criticality
- List of business processes by criticality within business units
- List of business applications by criticality with function descriptions
- Current security budget
- Business case template and submission procedures
- Document map of ISMS with status of documents within it (approved, under review, drafted, not started)
- Organisation chart
- List of security projects with budget and status
- List of business projects by criticality to business success
- Enterprise security architecture (well, at least the "zone model" with zones mapped to examples in the existing environment)
- Data classification scheme