Organization
The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.
The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated.
| Aspect | Focus | Target audience | Issues probed | Scope and coverage |
|---|---|---|---|---|
| Security Management (enterprise-wide) | Security management at enterprise level. | The target audience of the SM aspect will typically include: | The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources. | Security management arrangements within: |
| Critical Business Applications | A business application that is critical to the success of the enterprise. | The target audience of the CB aspect will typically include: | The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels. | Critical business applications of any: |
| Computer Installations | A computer installation that supports one or more business applications. | The target audience of the CI aspect will typically include: | How requirements for computer services are identified; and how the computers are set up and run in order to meet those requirements. | Computer installations: |
| Networks | A network that supports one or more business applications. | The target audience of the NW aspect will typically include: | How requirements for network services are identified; and how the networks are set up and run in order to meet those requirements. | Any type of communications network, including: |
| Systems Development | A systems development unit or department, or a particular systems development project. | The target audience of the SD aspect will typically include: | How business requirements (including information security requirements) are identified; and how systems are designed and built to meet those requirements. | Development activity of all types, including: |
| End User Environment | An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes. | The target audience of the UE aspect will typically include: | The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing. | End-user environments: |
The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification #2 within that section.
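The reference scheme described above (aspect code, area, section, specification number) is the kind of identifier a controls-mapping or audit-tracking tool has to decode and validate. The following Python is an added example, not code from the Standard or the ISF; it assumes, from the page's single worked example "SM41.2", that the area and section are each one digit, and it uses the six two-letter aspect codes that appear in the table (SM, CB, CI, NW, SD, UE). Unknown aspect codes and malformed references are rejected rather than silently accepted, which is the failure mode an audit tool most needs to catch.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Two-letter aspect codes taken from the table above, mapped to the aspect names.
ASPECTS = {
    "SM": "Security Management",
    "CB": "Critical Business Applications",
    "CI": "Computer Installations",
    "NW": "Networks",
    "SD": "Systems Development",
    "UE": "End User Environment",
}

# Assumed layout: two-letter aspect code, one digit for the area, one digit for
# the section, a dot, then the specification number (e.g. "SM41.2"). The
# single-digit area/section assumption follows the page's worked example only.
_REF_PATTERN = re.compile(
    r"^(?P<aspect>[A-Z]{2})(?P<area>\d)(?P<section>\d)\.(?P<spec>\d+)$"
)


@dataclass(frozen=True, order=True)
class Reference:
    aspect: str
    area: int
    section: int
    specification: int

    @property
    def aspect_name(self) -> str:
        return ASPECTS[self.aspect]

    def __str__(self) -> str:
        return f"{self.aspect}{self.area}{self.section}.{self.specification}"


def parse_reference(text: str) -> Reference:
    """Decode a statement reference such as 'SM41.2' into its components.

    Raises ValueError for a malformed string or an aspect code that is not
    one of the six in the table, so bad references never reach a report.
    """
    match = _REF_PATTERN.match(text.strip())
    if match is None:
        raise ValueError(f"malformed reference: {text!r}")
    aspect = match.group("aspect")
    if aspect not in ASPECTS:
        raise ValueError(f"unknown aspect code {aspect!r} in {text!r}")
    return Reference(
        aspect=aspect,
        area=int(match.group("area")),
        section=int(match.group("section")),
        specification=int(match.group("spec")),
    )


def group_by_aspect(texts):
    """Parse a list of reference strings and group them by aspect name.

    Each group is sorted by area, section and specification number, which is
    the order the statements appear in the Standard itself.
    """
    groups = defaultdict(list)
    for text in texts:
        ref = parse_reference(text)
        groups[ref.aspect_name].append(ref)
    return {name: sorted(refs) for name, refs in groups.items()}


if __name__ == "__main__":
    # Constructed sample references, not taken from the Standard.
    for name, refs in group_by_aspect(["SM41.2", "CI12.1", "SM41.1"]).items():
        print(name, [str(r) for r in refs])
```

Because `Reference` is declared with `order=True`, sorting compares aspect, then area, then section, then specification, so a grouped list comes out in the Standard's own reading order without a custom sort key.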
The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section.
The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.