Wednesday, September 3, 2008

Security governance: The Initial Skirmish

1. Get executive commitment to a security charter with a principle for each of the ten ISO 27002 domains and appoint yourself to act on behalf of the executives in accordance with charter.
2. Do a sing and dance you have cracked the hardest piece of the puzzle
3. Write up security governance docs to establish an Information Security Management System (include exemption management, metrics, compliance testing, sanctions for non-compliance and a document map)
4. Create draft security policy statements for the key security policies
5. Workshop draft policies with anyone who will listen (HR, IT ops, IT architecture, risk, internal audit etc.)
6. Record and refine stakeholder input (and put in version history of docs)
7. Issue security policies as draft for comment on Intranet
8. Take in feedback and refine (if any)
9. Get security policies endorsed
10. draft security standards and include KPIs
11. workshop with stakeholders
12. refine
13. issue as draft
14. get endorsed
15. execute security awareness campaign
16. write processes
17. write procedures
18. write baselines and use these to guide construction of SOEs
Posted by Matthew Hackling at 3:33 PM
Labels:

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
Infamous Agenda © 2008. Design by :Yanku Templates Sponsored by: Tutorial87 Commentcute
This template is brought to you by : allblogtools.com Blogger Templates