Security Review

A security review includes the following steps:
Information Security Plan

After completing the security review, the department or unit must develop an information security plan that identifies an acceptable level of risk and cost-effective strategies to address that risk consistent with their business goals and activities. The plan should outline the processes and controls that will be implemented to enhance security. The plan
- identifies the individual(s) responsible for security,
- establishes procedures for reporting suspicion or detection of compromised computers,
- implements controls to safeguard equipment and data, and
- ensures appropriate security education and training for all employees.
The information security plan should be written in easily understood language as guidelines and procedures. It should be communicated to current departmental staff through meetings (it is essential that all staff participate), local Intranets or Web sites, manuals, or newsletters. Further, the plan must be communicated to new staff upon hire. The plan must be reviewed at least annually, and whenever changes occur in equipment or software, workflow, physical relocation, or assignment of new responsibilities.