Level of Board Involvement – Does the board discuss security issues and the organization’s response?
It is necessary to review the minutes (protocols) of several official board meetings to determine whether senior management actually discusses security problems and the organization's response to them. This source is appropriate because it shows how much time is spent on the subject and how frequently it is raised. If such topics are disregarded, it would be appropriate to inform the management team about the importance of the problem and provide all the required information.
Quality of Risk Assessment Process – How well does the organization assess its risks?
It is imperative to review the available risk assessment documents to make sure that the organization acknowledges the complications that may occur and is focused on the quality of the assessment. This selection is reasonable because the documents reveal how frequently such assessments are performed and what their primary objectives are (Landoll, 2016). It is important to pay close attention to even the smallest details in such cases. It would also be reasonable to observe the assessment process itself to identify weaknesses that should be addressed, but the analysis of the documentation is appropriate as well.
Adequacy of Program to Management and Control Risk – Does the program actually treat the risk that has been observed?
It is paramount to request the security programs to determine whether the risks that have been identified actually influence the decisions made in the company and whether appropriate modifications are considered. Such documents were chosen because they contain all the crucial information regarding these activities. Moreover, comparing successive versions makes it possible to determine whether any progress has been made and whether risk-related aspects are discussed. Security presentations may also be analyzed in such situations because they help to identify the issues that the professionals in the enterprise view as the most important (Talabis & Martin, 2012).
Oversight of Service Providers – Does the organization make sure service providers protect information?
It is reasonable to access audit documents to identify whether the firm devotes enough attention to the quality of the services delivered by each provider. They should contain the information from assessment reports and analyze the findings of the auditor. The review of such data is crucial because external specialists identify the strengths and weaknesses of a particular system, and an internal professional should be capable of analyzing such results (Talabis & Martin, 2012). The documents should also include an analysis of several providers. This is incredibly important because an enterprise must make its decisions based on evidence, and the most efficient options should be selected.
Effective Method to Adjust the Program – Does the ISP change in response to risk dynamics?
Security plans should be requested when it is necessary to evaluate whether the ISP is changed in response to the risk dynamics. The use of such documents is reasonable in this case because they contain information about core activities and primary objectives. They should be compared with the risk assessments to determine whether the approach has been modified based on the available information (Wheeler, 2011). The analysis of the policies may also be incredibly helpful, since it makes it possible to identify the alterations that were made over the last few years.
ISO Function – Is there a designated security officer?
It would be reasonable to request a detailed financial report or the latest tax-exemption filing to determine whether a security officer has been assigned. It should contain information regarding all the employees, their positions, work hours, and compensation. Access to such information is vital because it helps to gain a better understanding of the professional's experience, and cooperation would be much easier if such knowledge is utilized.
What’s the difference between the ISP and the Information Systems Risk Assessment?
The primary difference between the ISP and the Information Systems Risk Assessment is that the first one is focused on the development of policies related to the operations of the enterprise, while the second one determines possible risks and complications (Greene, 2014). Another dissimilarity that needs to be highlighted is that the participation of supervisors in the first one is critical, whereas the second one can be conducted without any support.
What does the ISP have to do with corporate governance?
The management should be interested in this subject matter because the protection of information is of utmost importance for modern businesses, and it has a direct influence on most of their activities. It is necessary to develop an assessment plan, and the CEO should get access to the information that was gained (Whitman & Mattord, 2013). It is nearly impossible to implement such systems without the support of senior management because the program needs to be approved at that level.
What should our vendors have in THEIR ISPs?
It would be reasonable to tell the vendors to utilize such approaches as risk management, system testing, legal assessment, incident response, planning, centralized authentication, project supervision, and others. Also, the most attention should be devoted to the security of their networks and the identification of their vulnerabilities (Whitman & Mattord, 2013).
Why are you wasting the time of senior management talking about computer topics when we should be spending our time running the organization?
The time spent discussing such topics is not wasted because a better understanding of these aspects is crucial, and senior management should recognize this. Moreover, it helps to increase the efficiency of decision-making related to security systems and should be beneficial in the long term. The introduction of company policies related to information safety is crucial, and knowledge of this subject matter helps to ensure that they are well developed.
Greene, S. S. (2014). Security program and policies: Principles and practices (2nd ed.). New York, NY: Pearson Education.
Landoll, D. (2016). The security risk assessment handbook: A complete guide for performing security risk assessments (2nd ed.). Boca Raton, FL: CRC Press.
Talabis, M., & Martin, J. (2012). Information security risk assessment toolkit: Practical assessments through data collection and data analysis. Waltham, MA: Syngress Publishing.
Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Elsevier Publishing.
Whitman, M. E., & Mattord, H. J. (2013). Management of information security (4th ed.). Boston, MA: Cengage Learning.