A.2 ABC Inc. InfoSec Risk Assessment Policy


A.2 ABC Inc. InfoSec Risk Assessment Policy

Policy No. 1

Effective date Month / Day / Year

Implement by Month / Day / Year

1.0 Purpose

To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation .

2.0 Scope

Risk assessments can be conducted on any entity within ABC Inc. or any outside entity that has signed a Third Party Agreement <Insert Link> and the Acceptable Use Policy <Insert Link> with ABC Inc. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained .

3.0 Policy

The execution, development, and implementation of remediation programs are the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Entity: Any business unit, department, group , or third party, internal or external to ABC Inc., responsible for maintaining ABC Inc. assets.

Risk: Those factors that could affect confidentiality, availability, and integrity of ABC Inc.'s key information assets and systems. InfoSec is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________




Wireless Operational Security
Wireless Operational Security
ISBN: 1555583172
EAN: 2147483647
Year: 2004
Pages: 153

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net