Sample Threat Assessment and Monitoring Policy:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
==Document History==
==Sample Threat Assessment and Monitoring Standard==
<br>
The Threat Assessment and Monitoring Standard defines Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets. Company information assets are defined in the scope of the [[Sample Asset Identification and Classification Policy:|'''Asset Identification and Classification Policy''']].<br>
<br>
==Objectives==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Version'''
| bgcolor="#C0C0C0" | '''Date'''
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| 1.0
| 1 January 2009 <Current date>
| Michael D. Peters '''<Owner's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - 180 - '''365''' '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| 1 January 2010 '''<Date>'''
|}
<br>
=='''Sample Threat Assessment and Monitoring Policy'''==
<br>
As stated in the Company [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']], the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will counter threats by establishing policies to assess, identify, prioritize, and monitor threats.<br>
<br>
This Threat Assessment and Monitoring Policy defines Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets. Company information assets are defined in the scope of the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.<br>
<br>
Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets. Threats are a combination of intent, capability, and opportunity. Threat sources may include individuals, organizations or groups, legislative or regulatory changes, civic unrest, floods, explosions, and other natural or man-made disasters.<br>
<br>
=='''II. Objectives'''==
<br>
The Company will periodically identify, analyze, and prioritize threats to information assets and their supporting infrastructure. Findings from the threat assessment activities will be integrated, as appropriate, into the Security Awareness Program. Specific instructions and requirements for assessing threats are provided in the [[Sample Threat Assessment Standard:|'''Sample Threat Assessment Standard''']].<br>
<br>
The Company will develop and exercise formal plans for responding to Information Security intrusions and incidents. The Company must establish associated metrics for gauging the effectiveness of these plans. Specific instructions for responding to Information Security incidents are provided in the [[Sample Incident Response Standard:|'''Sample Incident Response Standard''']].<br>
<br>
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Officer (CIO) is the approval authority for the Threat Assessment and Monitoring Policy.<br>
<br>
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Threat Assessment and Monitoring Policy and associated standards and guidelines.<br>
<br>
Company management is accountable for ensuring that the Threat Assessment and Monitoring Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units, and ensuring their consistency with the Threat Assessment and Monitoring Policy and associated standards and guidelines.<br>
<br>
All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Threat Assessment and Monitoring Policy and associated standards and guidelines.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Threat Assessment and Monitoring Policy and associated standards, guidelines, and procedures can result in disciplinary actions, up to and including termination of employment for employees, or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Threat Assessment and Monitoring Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Threat Assessment and Monitoring Policy will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Officer<br>
<br>
<br>
<gallery>
Image:Threat Assessment and Monitoring Standard.png|Threat Assessment and Monitoring Standard page one of six.
Image:Threat Assessment and Monitoring Standard(1).png|Threat Assessment and Monitoring Standard page two of six.
Image:Threat Assessment and Monitoring Standard(2).png|Threat Assessment and Monitoring Standard page three of six.
Image:Threat Assessment and Monitoring Standard(3).png|Threat Assessment and Monitoring Standard page four of six.
Image:Threat Assessment and Monitoring Standard(4).png|Threat Assessment and Monitoring Standard page five of six.
Image:Threat Assessment and Monitoring Standard(5).png|Threat Assessment and Monitoring Standard page six of six.
</gallery>

Latest revision as of 19:25, 14 January 2014

Sample Threat Assessment and Monitoring Standard

The Threat Assessment and Monitoring Standard defines Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets. Company information assets are defined in the scope of the Asset Identification and Classification Policy.

Objectives

The Company will periodically identify, analyze, and prioritize threats to information assets and their supporting infrastructure. Findings from the threat assessment activities will be integrated, as appropriate, into the Security Awareness Program. Specific instructions and requirements for assessing threats are provided in the Sample Threat Assessment Standard.

The Company will develop and exercise procedures for screening or identifying potential threat sources through means such as background checks, site evaluations, and financial ratings.

The Company will perform real-time intrusion detection monitoring and periodic intrusion detection analysis to detect threat and intrusion activity. The Company must establish and track representative metrics for gauging progress in this area. Specific instructions and requirements for monitoring and detecting threats are provided in the Sample Threat Monitoring Standard.

The Company will develop and exercise formal plans for responding to Information Security intrusions and incidents. The Company must establish associated metrics for gauging the effectiveness of these plans. Specific instructions for responding to Information Security incidents are provided in the Sample Incident Response Standard.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.