Sunday, May 9, 2010

What are the CISO's most useful instruments?

Matthew Hackling, provider of outlandish security punditry from an Australian perspective, has posted a suggested list of artefacts that a CISO should have in order to act as the conductor of the information security symphony in an organisation:
  1. Audit issue register (lead violin, sometimes a bit too screechy)
  2. Enterprise risk register
  3. Significant business unit risk registers
  4. Compliance requirement register (the timpani)
  5. Mapping of compliance requirements to your Information Security Management System (ISMS)
  6. Control testing management reports and database
  7. Management reporting template
  8. Existing enterprise security plan and perhaps security plans of significant business units
  9. List of business units by criticality
  10. List of business processes by criticality within business units
  11. List of business applications by criticality with function descriptions
  12. Current security budget
  13. Business case template and submission procedures
  14. Document map of ISMS with status of documents within it (approved, under review, drafted, not started)
  15. Organisation chart
  16. List of security projects with budget and status
  17. List of business projects by criticality to business success
  18. Enterprise security architecture (well, at least the "zone model" with zones mapped to examples in the existing environment)
  19. Data classification scheme