Security Governance
Information security starts at the top, and this series of activities helps organizations build a sustainable cyber security program.
| Category | Sub-Category | Name | Activity |
|---|---|---|---|
| Security Governance | Policy Governance | Policy and Standard Review | [The organization's] policies and standards are reviewed, approved by management, and communicated to authorized personnel [in accordance with the organization-defined frequency]. |
| Security Governance | Policy Governance | Exception Management | [The organization] reviews exceptions to policies, standards, and procedures; exceptions are documented and approved based on business need and removed when no longer required. |
| Security Governance | Policy Governance | Document Control | [The organization's] document management criteria are periodically reviewed, approved by management, and communicated to authorized personnel; management determines the treatment and retention of documentation according to legal and regulatory requirements. |
| Security Governance | Security Documentation | Information Security Program Content | [The organization-defined security leader] conducts a periodic staff meeting to communicate and align on relevant security threats, program performance, and resource prioritization. |
| Security Governance | Security Documentation | Procedures | [The organization's] key control capabilities are supported by documented procedures that are communicated to authorized personnel. |
| Security Governance | Privacy Program | Privacy Readiness Review | [The organization] performs privacy readiness reviews to identify high-risk processing activities that impact personal data; identified non-compliance with [the organization's] privacy practices is tracked through remediation. |
| Security Governance | Privacy Documentation | Document Management Standard: HIPAA | Documentation that impacts personal health information, including policies, procedures, and the documentation of actions, activities, or assessments, is retained for 6 years from the date of its creation or the date when it was last in effect, whichever is later. |
| Security Governance | Workforce Agreements | Proprietary | [Workforce personnel as defined by the organization] consent to a proprietary rights agreement. |
| Security Governance | Workforce Agreements | Review of Confidentiality Agreements | [The organization's] proprietary rights agreement and network access agreement are reviewed [in accordance with the organization-defined frequency]. |
| Security Governance | Workforce Agreements | Key Custodians Agreement | Cryptographic Key Custodians and Cryptographic Materials Custodians (CMC) acknowledge in writing or electronically that they understand and accept their cryptographic-key-custodian responsibilities. |
| Security Governance | Information Security Management System | Information Security Program | [The organization] has an established security leadership team including key stakeholders in [the organization's] Information Security Program; goals and milestones for deployment of the information security program are established and communicated to the company. |
| Security Governance | Information Security Management System | Information | Information Security Management System (ISMS) boundaries are formally defined in an ISMS scoping document. |
| Security Governance | Information Security Management System | Security Roles and Responsibilities | Roles and responsibilities for the governance of Information Security within [the organization] are formally documented within the Information Security Management Standard and communicated on the [the organization] intranet. |
| Security Governance | Information Security Management System | Security Roles and Responsibilities: PCI Compliance | Roles and responsibilities and a program charter for the governance of PCI DSS compliance within [the organization] are formally documented and communicated by management. |
| Security Governance | Information Security Management System | Information | Information systems security implementation and management is included as part of the budget required to support [the organization's] security program. |
| Security Governance | Information Security Management System | Management Review | The Information Security Management System (ISMS) steering committee conducts a formal management review of ISMS scope, risk assessment activities, control implementation, and audit results on an annual basis. |
| Security Governance | Software Licensing | Software Usage Restrictions | [The organization] maintains software license contracts and monitors its compliance with usage restrictions. |
