This example of an SMP uses the NIST standard; another SMP may find its basis in ISO 27002, and yet another in COBIT practices (Control Objectives for Information and Related Technology).
The SMP framework provides the ability to generate tools and templates all
with the same outline.
One such tool is an SMP interpretation guide that records the organization-specific definitions of each security category and element.
The same SMP framework as in Table D.2 may have additional columns, like:
- Baseline findings
- Assessment findings for DD Month CCYY (e.g., Assessment Findings 13 May 2009)
- Gap analysis
- Remediation analysis
- Fiscal year (FY) CCYY plans; note that CC = century, YY = year (e.g., 2009)
- FY CCYY accomplishments
Not all columns need to be in the same table or even in the same document. Indeed, create as many documents as necessary, but use exactly the same framework, outline, and table structure in every document. Even if the element is not applicable, label the element N/A and express a rationale as to why the element is N/A. This will provide a record of the thought process behind why certain elements are not in the security management plan. Business drivers may change and a new manager without organizational history may want to know why X is not in the SMP—you will have an answer. Business drivers may change and upon annual review of the SMP, you notice the old rationale no longer holds true—you will have a reference.
Another important reason to use exactly the same framework in every document is so personnel may easily compare plans, accomplishments, findings, gaps, remediation, and progress reporting. Even though all these details may be in different documents, they will have the same form and flow by virtue of using the same framework and table structure. Another important reason to use exactly the same framework is if you decide to insert a quantification scheme (IA metrics) in the SMP. You may copy the framework from a word processing document to a spreadsheet document and devise a clever quantification scheme with respect to SMP planning, SMP accomplishments (implementations), compliance assessments (baseline and subsequent snapshots), etc. Maintaining the same framework in an IA metrics tool provides the ability to easily copy the results back to a word processing file to generate management reports.
The Web site www.ia2.info contains many useful downloads and supplemental information regarding IA2. Have the topic at hand when accessing this site to find and enter any password requirements for access.