Sample Threat Assessment and Monitoring Policy:
Sample Threat Assessment and Monitoring Policy
As stated in the Company Sample Information Security Program Charter, the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will counter threats by establishing policies to assess, identify, prioritize, and monitor threats.
This Threat Assessment and Monitoring Policy defines Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets. Company information assets are defined in the scope of the Sample Asset Identification and Classification Policy.
I. Scope
All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.
Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets. Threats are a combination of intent, capability, and opportunity. Threat sources may include individuals, organizations or groups, legislative or regulatory changes, civic unrest, floods, explosions, and other natural or man-made disasters.
II. Objectives
The Company will periodically identify, analyze, and prioritize threats to information assets and their supporting infrastructure. Findings from the threat assessment activities will be integrated, as appropriate, into the Security Awareness Program. Specific instructions and requirements for assessing threats are provided in the Sample Threat Assessment Standard.
The Company will develop and exercise procedures for screening or identifying potential threat sources through means such as background checks, site evaluations, and financial ratings.
The Company will perform real-time intrusion detection monitoring and periodic intrusion detection analysis to detect threat and intrusion activity. The Company must establish and track representative metrics for gauging progress in this area. Specific instructions and requirements for monitoring and detecting threats are provided in the Sample Threat Monitoring Standard.
The Company will develop and exercise formal plans for responding to Information Security intrusions and incidents. The Company must establish associated metrics for gauging the effectiveness of these plans. Specific instructions for responding to Information Security incidents are provided in the Sample Incident Response Standard.
III. Responsibilities
The Chief Information Officer (CIO) is the approval authority for the Threat Assessment and Monitoring Policy.
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Threat Assessment and Monitoring Policy and associated standards and guidelines.
Company management is accountable for ensuring that the Threat Assessment and Monitoring Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units, and ensuring their consistency with the Threat Assessment and Monitoring Policy and associated standards and guidelines.
All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Threat Assessment and Monitoring Policy and associated standards and guidelines.
IV. Enforcement and Exception Handling
Failure to comply with the Threat Assessment and Monitoring Policy and associated standards, guidelines, and procedures can result in disciplinary actions, up to and including termination of employment for employees, or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Threat Assessment and Monitoring Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.
V. Review and Revision
The Threat Assessment and Monitoring Policy will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Officer
- Chief Information Officer