- Information security governance
- Information security risk management
- Information security program
- Incident management
- Supporting tasks:
  - Identify internal and external influences on the organization that impact the information security strategy.
  - Establish and/or maintain an information security strategy in alignment with organizational goals and objectives.
  - Establish and/or maintain an information security governance framework.
  - Integrate information security governance into corporate governance.
  - Establish and maintain information security policies to guide the development of standards, procedures and guidelines.
  - Develop business cases to support investments in information security.
  - Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
  - Define, communicate and monitor information security responsibilities throughout the organization and lines of authority.
  - Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the information security program.
  - Evaluate and report information security metrics to key stakeholders.
  - Establish and/or maintain the information security program in alignment with the information security strategy.
  - Align the information security program with the operational objectives of other business functions.
  - Establish and maintain information security processes and resources to execute the information security program.
  - Establish, communicate and maintain organizational information security policies, standards, guidelines, procedures and other documentation.
  - Establish, promote and maintain a program for information security awareness and training.
  - Integrate information security requirements into organizational processes to maintain the organization's security strategy.
  - Integrate information security requirements into contracts and activities of external parties.
  - Monitor external parties' adherence to established security requirements.
  - Define and monitor management and operational metrics for the information security program.
  - Establish and/or maintain a process for information asset identification and classification.
  - Identify legal, regulatory, organizational and other applicable compliance requirements.
  - Participate in and/or oversee the risk identification, risk assessment and risk treatment process.
  - Participate in and/or oversee the vulnerability assessment and threat analysis process.
  - Identify, recommend or implement appropriate risk treatment and response options to manage risk to acceptable levels based on organizational risk appetite.
  - Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
  - Facilitate the integration of information risk management into business and IT processes.
  - Monitor for internal and external factors that may require reassessment of risk.
  - Report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process.
  - Establish and maintain an incident response plan, in alignment with the business continuity plan and disaster recovery plan.
  - Establish and maintain an information security incident classification and categorization process.
  - Develop and implement processes to ensure the timely identification of information security incidents.
  - Establish and maintain processes to investigate and document information security incidents in accordance with legal and regulatory requirements.
  - Establish and maintain an incident handling process, including containment, notification, escalation, eradication and recovery.
  - Organize, train, equip and assign responsibilities to incident response teams.
  - Establish and maintain incident communication plans and processes for internal and external parties.
  - Evaluate incident management plans through testing and review, including table-top exercises, checklist review and simulation testing at planned intervals.
  - Conduct post-incident reviews to facilitate continuous improvement, including root-cause analysis, lessons learned, corrective actions and reassessment of risk.