Appendix E: Security Management Program Template Outline
The SMP outline in this appendix is based on the SMP framework; both are based on NIST SP 800-53. All tools, templates, and guidelines in support of the organization's SMP are based on exactly the same framework to provide a common form and flow to all SMP-related documents. A common form and flow promotes comprehensiveness and consistency for all IA efforts. Comprehensiveness is relative to the SMP framework because this framework provides categories and elements to capture all IA relevant to the organization. Consistency comes from addressing all security elements. Addressing a security element is not necessarily the provision of a safeguard. A sufficient manner to address a security element may be to provide a rational explanation as to why the organization chooses not to provide that safeguard; a statement to the effect of "We choose to accept the risk this safeguard would mitigate for the following reasons: expense (purchase and operations), complexity for user base, etc."
The main topics in the outline are in header format (bold and larger font). The
subtopics or the elements are in normal format. Potential document titles using the
SMP framework and SMP outline include:
- SMP As-Is Baseline (discovery templates, reporting templates)
- SMP As-Is Snapshot; ongoing review, tracking, and trending
- SMP To-Be (Target Security Posture for ABC Company)
- SMP Gap Analysis
- SMP Remediation Analysis
- SMP Project Planning
- SMP Operations Plan
- SMP Performance Reporting