I did not do exercise 4, So you can choose anything from exercise 4. exercise 4: What are the areas for which an ISSP ma


Post by answerhappygod »

I did not do exercise 4, so you can choose anything from exercise 4.
Exercise 4:
What are the areas for which an ISSP may be used? The following are typical in that their use would require an ISSP in most organizations. Note that this list is designed to be exemplary, not comprehensive:
* Use of e-mail, instant messaging (IM), and other electronic communications applications
* Use of the Internet, the Web, and company networks by company equipment
* Malware protection requirements (such as anti-malware software implementation)
* Installation and use of nonorganizationally issued software or hardware on organization assets, such as personal computing devices or Internet of things (IoT) appliances
* Processing and/or storage of organizational information on nonorganizationally owned computers, such as cloud computing providers
Table 9-1:
5. Using the template provided in Table 9-1, develop documentation for one of the performance measurements you selected in Exercise 4.
Table 9-1 Performance Measurements Template and Instructions (continued)

Field: Implementation evidence
Data: Use of implementation evidence to compute the measure, validate that the activity is performed, and identify probable causes of unsatisfactory results for a specific measure.
1. For manual data collection, identify questions and data elements that would provide data inputs necessary to calculate measure's formula, qualify measure for acceptance, and validate provided information.
2. For each question or query, list status security control number from NIST SP 800-53 that provides information, if applicable.
3. If measure is applicable to a specific FIPS 199 impact level, questions should state impact level.
4. For automated data collection, identify data elements that would be required for formula, qualify measure for acceptance, and validate information provided.

Field: Frequency
Data: Indication of how often the data is collected and analyzed, and how often the data is reported. State the frequency of data collection based on a rate of change in a particular security control that is being evaluated. State the frequency of data reporting based on external reporting requirements and internal customer preferences.

Field: Responsible parties
Data: Indication of the following key stakeholders:
* Information owner: Identify organizational component, an individual who owns required pieces of information.
* Information collector: Identify the organizational component and individual responsible for collecting the data. If possible, the information collector should be a different person from the information owner or even a representative of a different organizational unit, to avoid the possibility of conflict of interest and ensure separation of duties. Smaller organizations will need to determine whether it is feasible to separate these two responsibilities.
* Information customer: Identify the organizational component and individual who will receive the data.

Field: Data source
Data: Location of the data to be used in calculating the measure. Include databases, tracking tools, organizations, or specific roles within organizations that can provide required information.

Field: Reporting format
Data: Indication of how the measure will be reported, such as pie charts, line charts, bar graphs, or other format. State the type of format or provide a sample.