1 Policy Statement
To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure timely management of organizational risks. Employees are expected to cooperate fully with any Risk Assessment being conducted on systems for which they are held accountable. Employees are further expected to work with the Risk Assessment Team in the development of a remediation plan. The policy, and respective procedures, guidelines & forms shall be available to the CISO and members of senior management.
Entity – Any business unit, department, group, or third party, internal or external to XXX, responsible for maintaining assets.
Risk – Those factors that could affect confidentiality, availability, and integrity of XXX’s key information assets and systems. The Risk Assessment Team is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets on networks, while minimizing the impact of security procedures and policies upon business missions.
The purpose of this policy is to identify areas of risk on a timely manner and manage them to ensure continuity of business processes.The execution, development and implementation of remediation programs are the joint responsibility of the IT Infrastructure management team and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the Risk Assessment Team in the development of a remediation plan.
4.1 IT Assets
This policy applies to the entire IT Infrastructure.
The Policy documentation shall consist of Risk Management Policy, Risk Assessment and Treatment Procedure, and related guidelines.
4.3 Document Control
The Risk Management Policy document and all other referenced documents shall be controlled. The version control shall be to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purpose.
Records being generated as part of the Risk Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
4.5 Distribution and Maintenance
The Risk Management Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Risk Management Policy document will be with the CISO and system administrators.
The Risk Management Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
The CISO / designated personnel is responsible for proper implementation of the policy.
Risk Management Plan shall be drawn by the management which shall identify the people within XXX who will perform risk assessment operations. For this purpose, the events (or series of events) which cause disruption to business processes shall be identified. The risk assessment shall consider probability and impact of such disruptions in terms of time, scale of damage and recovery period. The risk assessment shall identify, quantify and prioritize risks against criteria and objectives relevant to the organization, including critical resources, impacts of disruptions, allowable outage times and recovery priorities. Based on the results of the assessment, business continuity strategy shall be outlined for XXX to determine overall approach to business continuity.The execution, development and implementation of remediation programs are the joint responsibility of the IT Infrastructure management team and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the Risk Assessment Team in the development of a remediation plan.
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
If you need assistance or have any doubt and need to ask any question contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.