Risk_Assessment_Policy

Risk_Assessment_Policy - are further expected to work with...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
Risk Assessment Policy Created by or for the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to stephen@sans.edu 1.0 Purpose To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation. 2.0 Scope Risk assessments can be conducted on any entity within <Company Name> or any outside entity that has signed a Third Party Agreement with <Company Name>. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained. 3.0 Policy The execution, development and implementation of remediation programs is the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees
Background image of page 1
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan. 4.0 Risk Assessment Process For additional information, go to the Risk Assessment Process. 5.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 6.0 Definitions Terms Definitions Entity Any business unit, department, group, or third party, internal or external to &lt;Company Name&gt;, responsible for maintaining &lt;Company Name&gt; assets. Risk Those factors that could affect confidentiality, availability, and integrity of &lt;Company Name&gt;'s key information assets and systems. InfoSec is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity. 7.0 Revision History...
View Full Document

This note was uploaded on 09/25/2010 for the course SIT 284 taught by Professor Lei during the Two '08 term at Deakin.

Ask a homework question - tutors are online