Policies We Can Help Write/Review

  1. Information Security Policy - The Information Security Policy (ISP) is a statement of high–level information security policies and is therefore an essential part of information security documentation.
  • The ISP should address the following policies:
  • Acceptable use of ICT equipment and services
  • Use of mobile devices and Bring You Own Device requirement if permitted
  • Secure and responsible use of email
  • The overall security governance for the business
  •  Internet access requirements and responsibilities
  • Password requirements including management
  • Remote working security at home and outside the office
  • Secure and responsible use of Telephone Systems
  1. Security Risk Management Plan - The Security Risk Management Plan (SRMP) is a best practice approach to identifying and reducing potential security risks. Depending on the documentation framework chosen, multiple systems could refer to, or build upon, a single SRMP
  2. System Security Plan - An SSP describes the implementation and operation of security controls for a system. It is developed by selecting relevant security controls from this manual based on its classification, functionality and the technologies it is implementing with additional security controls included based on security risks identified during a risk assessment. Depending on the documentation framework chosen, some details common to multiple systems could be consolidated in a higher level SSP.
  3. Standard Operating Procedures - Standard Operating Procedures (SOPs) provide a step–by–step guide to undertaking security related tasks. They provide assurance that tasks can be undertaken in a repeatable manner, even by users without strong knowledge of the system. Depending on the documentation framework chosen, some procedures common to multiple systems could be consolidated into a higher level SOP.
  4. Incident Response Plan - Having an Incident Response Plan (IRP) ensures that when a cyber security incident occurs, a plan is in place to respond appropriately to the situation. In most situations, the aim of the response will be to preserve any evidence relating to the cyber security incident and to prevent the incident escalating.
  5. System Architecture Documentation and Plans - These describe the architecture of the system.
  • It describes:
  •   A general description of the system
  •   The logical architecture of software, the layers and top-level components
  •   The physical architecture of the hardware on which runs the software
  •   The justification of technical choices made
  •   The traceability between the architecture and the system requirements.
  1. Emergency Procedures  is a written document which includes the action to be taken by all staff in the event of fire (or other emergency) and the arrangements for calling the appropriate emergency support agencies.
  2. Business Continuity (BC) Plans.  BC typically focuses on the organization as a whole, whereas Disaster Recovery (DR) zeroes in on the technology infrastructure. DR is a piece of business continuity planning and concentrates on accessing data easily following a disaster. BC includes this element, but also takes into account risk management and other planning an organisation needs to stay afloat during an event.
  3. Vulnerability Management Strategy.  Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", particularly in software. Vulnerability management is integral to computer security and network security.  It may contain the Software Patching Policy/Guidelines, or that may be contained in a separate document.
  4. Change Management Policy.   A change control process shall be in place to control changes to all critical agency information resources (such as hardware, software, system documentation and operating procedures). This documented process shall include management responsibilities and procedures.
  5. Accreditation Framework This document outlines the processes and procedures that agency systems will follow in order to achieve accreditation.
  6. Software Development Standards.  The lifecycle for software, including processes and activities applied during the acquisition (or development) and configuration of the services of the system.
  7. Key Management Plan.  Key management is the name of management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.
  8. Media Policy - Handling, usage, sanitisation, destruction and disposal of ICT media
  9. Access Control Policy.  Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. Access control policies are high-level requirements that specify how access is managed and who may access information under what circumstances.
  10. Incident Register.  It records details of any incident, security breach, or any other type of unforeseen event. Proper reporting helps correct the current incident and prevent future incidents like it.
  11. Data Spill Management Guide.  Agencies should use the following five step process:
    1. Identify. Recognise that a data spill has taken place and commence this process.
    2. Contain. Determine the breadth of the data spill to prevent further dissemination of sensitive data.
    3. Assess. Decide on the most appropriate method to sanitise the data spill for your situation and desired level of residual risk.
    4. Remediate. Remediate the data spill based on your assessment.
    5. Prevent. Implement prevention measures to stop similar incidents from occurring in the future. 


Contact us

Telephone: +61 (0) 475 815 455

E-mail: ian@ozicybernomad.com

Address: Somewhere in Australia

This field is mandatory

This field is mandatory

The e-mail address is invalid

I hereby agree that this data will be stored and processed for the purpose of establishing contact. I am aware that I can revoke my consent at any time.*

This field is mandatory

* Indicates required fields
There was an error submitting your message. Please try again.
Thank you! We will get back to you as soon as possible.

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details and accept the service to view the translations.