Processes


As an organizational manager, the ISSO must also develop the procedures, functions, and processes needed to comply with the CIAPP policies. In addition, the ISSO must lead the effort to develop the functions that the InfoSec organization will perform in order to lead and support the IWC CIAPP.

The IWC ISSO decided that the best approach is to work from the baseline of drivers (the CIAPP-InfoSec requirements). Based on those drivers, one can then develop a "needs" statement or statements. These can be set forth in various ways, such as the vision, mission, and quality statements, and incorporated into plans, for example the strategic, tactical, and annual plans previously discussed. Regardless of how and in what form you state these InfoSec needs, they must support IWC's plans, policies, objectives, and goals, and they must eventually be tied to action items.

These action items are then analyzed and implemented—for example, established as InfoSec functions that are incorporated into the ISSO's InfoSec organization as its charter of responsibilities and accountabilities, as stated in the previous chapter. One step to examine is the process. A process is basically "a series of actions directed toward a particular aim."[2] After the drivers and needs are identified, the ISSO must establish a process for meeting the identified requirements. The process is that method: it spells out the details of how a function is to be performed. One way of envisioning this process is shown in Figure 8.1.

Figure 8.1: How the process flow from drivers to action items to functions can be viewed.

The action items should be part of a formal project management program where, as stated earlier, you as the ISSO determine that there is a need for some sort of InfoSec action that will take time and must be incorporated into the CIAPP or the InfoSec organization. Remember, the project plans have:

  • Objectives to accomplish;

  • Beginning and ending dates;

  • Tasks identified and assigned;

  • Personnel assigned to tasks;

  • Budget allocated; and

  • Time allocated for completing those tasks.

There are many InfoSec- and CIAPP-related functions; however, at IWC the ISSO determined that the functions identified in the ISSO's charter were the main functions that were driven by or related to the baseline CIAPP. Therefore, they are the basic functions that should be established, and a flow process description should be developed relative to how the functions should be performed. For example[3]:

  • InfoSec requirements identification;

  • InfoSec plans, policies, processes, and procedures;

  • Awareness education and training;

  • Access control;

  • Evaluation of hardware, firmware, and software for impact on the security of the information systems;

  • Security tests and evaluations;

  • Noncompliance inquiries;

  • Risk management; and

  • Disaster recovery/contingency planning.

[2] Encarta World English Dictionary © & (P) 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

[3] Others can be added, but using these basic examples gives the reader a good idea of what is needed.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
