One Article Review

Home - The article:
Source: NoticeBored
Identifier 2148842
Publication date 2020-08-07 16:05:08 (viewed: 2021-01-06 20:37:57)
Title NBlog July 23 - infosec roles & responsibilities
Text For the next phase of SecAware ISMS, I'm documenting the management process for determining and allocating information risk and security responsibilities. The procedure itself is straightforward - just one page of written instructions covering a simple four-step process - but a raft of examples of the activities various functions perform in relation to information risk and security takes it up to six pages, even though the examples are presented tersely as bullet points.

It turns out there may be several corporate functions, teams and individuals, each performing numerous activities relating to information risk and security. Admittedly, my knowledge in this area has accumulated in the course of working mostly for large, relatively mature organisations, a couple of which had all of the functions staffed by professionals busily performing virtually all of the activities. Small-to-medium sized organisations don't have the luxury of being able to carve up the work among dedicated teams of specialists, so they usually get by with multi-tasking and perhaps assistance from third parties. Information risk and security is tougher for micro-organisations, particularly if they don't even have anyone who appreciates the need to manage information risk and security, privacy, compliance, business continuity etc. The ISO27k framework can help all types and sizes of organization provided it is interpreted and applied sensibly according to the business context and needs. Even though a multinational bank, say, might have specialists within HR and other functions whose job it is to prepare job descriptions, vacancy notices, training plans etc., our generic list of information risk and security activities may be a useful prompt to confirm that they have all the bases covered. A micro-company will not need to perform every listed activity, and will have no choice but to concentrate on the few that matter most.

Either way, the process of management deciding what the necessary activities should involve and, where appropriate, assigning responsibilities to the relevant workers, corporate functions or third parties, is much the same and hence worth laying out in a generic procedure.

As I'm drafting the procedure, I'm itching to mention related aspects such as governance, accountability, access cont
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.