Policies Affecting Upper Management
Must Take Specific Action
#IT Steering Committee Policy - Upper management must designate a team to create a technological security plan for the organization and oversee that process. They must ensure the organizational security plan is properly communicated.
#Insurance Purchase Policy - The Chief Information Security Officer is responsible for ensuring that risk assessment occurs on an enterprise level and for documenting procedures for risk analysis and disaster recovery. The Chief Information Security Officer and CEO must review risk assessment processes and modify them as appropriate at least annually to be sure insurance concerns are adequately addressed in the light of current technology and risks. The Chief Information Security Officer and CEO must work together to be sure the terms of insurance contracts are being followed.
#Segregation of Duties Policy - Upper Management must determine the best segregation of duties processes for their organization depending upon where the risks exist. A combination of management, auditors, and/or information officers must ensure that changes to data are performed by following the correct processes and are properly authorized. A combination of management, auditors, and administrators must ensure that unauthorized software is not installed or that software is not modified without proper authorization.
Auditing Policy - The audit charter must be endorsed by executive management, including the stakeholders in projects. The audit charter shall provide for an audit committee which shall oversee the review and auditing of financial information, oversee the review and auditing of systems of internal controls and management, oversee the hiring and work of independent accountants and auditors, and oversee the organization's financial and accounting process.
#Technology and System Management Policy - Management must act on the reported results of capacity use and forecast in order to maintain required levels of capacity of IT resources.
#Technology Planning Policy - Upper management must establish roles and responsibilities for developing and setting short- and long-range organizational technology plans. Upper management must establish procedures, performance measures, and methods to implement and maintain short- and long-range organizational technology plans. Upper management should define business rules and definitions of data and terms to help clarify the information architecture. Senior management members should comprise an information technology steering committee.
#Acquisition and Maintenance Policy - A framework for acquisition and maintenance must be created by management which complies with current information technology procedures and standards.
#Cost Management Policy** - A process to measure and allocate costs of information technology to the business must be created and the method must be communicated to and understood by the business. A process for creating an information technology budget must be created. The budget must consider recovery of costs from the business units that use the services or equipment.
#Communication Policy - All organizational policies must be communicated in written form and through training to all users and organizational members (including contractors) that they apply to.
#IT Organizational Policy - The information technology function must be led by an executive, such as a CIO, who reports to the head of the organization. The leader of the information technology function must be part of the executive steering group. The information technology function must have a formal operating budget which is created, reviewed, and approved by upper management at least annually. The budget must include money for operations and maintenance and for development of new projects and/or software. The structure of the IT department should be reviewed annually to be sure it properly supports the business function as the organization changes.
#IT Budget Policy - The information technology function must have a formal operating budget which is created, reviewed, and approved by upper management at least annually. The budget must include money for operations and maintenance and for development of new projects and/or software. A budget process must be created for creating, reviewing, and approving an information technology budget. The process must identify the people that have authority to approve the budget and the people accountable for creating the budget. The budget process must define who will monitor the budget.
#IT Human Resource Policy - Areas of authority and responsibility must be defined and aligned with the organizational structure.
#External Requirements Policy* - Procedures must be created and maintained which will identify external regulatory, legal or contractual requirements. Procedures must be created and utilized to be sure that noncompliance areas are identified and corrected in a timely manner.
Customer Support Policy - High impact incidents must be defined. Management must be informed when a high impact incident occurs so involved parties can communicate and create the best action plan. The escalation process should be reviewed annually to determine where it can be improved. The help desk system must be reviewed annually by management to determine whether business requirements are being met and to search for ways to increase its effectiveness.
Emergency Access Policy - An emergency or critical incident requiring emergency access must be defined, and affected personnel must be made aware of the definition. The business owner should help define an emergency. Temporary access authorization procedures must be defined, documented, and approved by management. Definitions of critical and priority systems, as defined by the business owners and IT management, must be available.
#Service Level Policy - Senior IT and business management must create a Service Level Agreement (SLA) framework. Business management must include all major business functions.
Service Monitoring Policy - An information technology service performance management system must be approved by upper management. Information technology management must create a process for receiving performance and satisfaction reports, analyzing the reports, reporting on the results, and taking appropriate action.
#Internal Controls Policy - Management must support internal controls and be ready to remedy internal control deficiencies. Internal control responsibilities must be formally assigned and communicated. Management must monitor internal controls and their effectiveness. Any serious internal control deviations must be reported to upper management. Levels of management that must be involved when reporting and resolving internal control shortcomings must be established. The risks of internal control breakdowns must be considered. Responsibility and roles for monitoring internal controls and reporting results must be assigned and defined.
Service Reliability and Continuity Policy - Upper information technology management is responsible for the development of an information technology continuity plan. Upper management must ensure the business interests are represented when the information technology continuity plan is being developed. Upper information technology management must assign roles and responsibilities for the development of the information technology continuity plan.
Service Quality Policy - Information Technology services that are linked to the business processes must be prioritized based on their criticality to the business processes and the criticality of the business processes they support. Accountability for ensuring that each supporting process functions correctly must be assigned and agreed upon. Information technology process performance must be evaluated regularly (at least annually) to determine how to make improvements to both the processes and metrics.
Quality Policy - Upper management must create the quality assurance plan and methodology using input from all stakeholders and affected parts of the organization. Upper management is responsible for establishing and maintaining this quality policy and quality standards.
Must be Aware
Browser Configuration Policy - Upper management must be aware of this policy and understand the substantial security threat to the organization that misconfigured browsers can pose.
Change Management Policy - Upper management must understand this policy, communicate it, and support the associated change processes.
Third Party IT Service Policy* - Upper management must be aware of this policy and support it by enforcing the requirement for third parties to agree to abide by organizational policies.
Software Standards Policy* - Upper management must understand the System Development Life Cycle (SDLC) methodology and understand that quality standards must be set for software. They must support these requirements internally and externally.
Business Continuity Policy* - Senior Management and Senior IT management must support the Business Continuity Policy and associated policies and plans. They must provide the strategy, philosophy, resources, and enforcement mechanisms to ensure that the plan is successful. They must be sure the plans will meet the organizational business requirements and business continuity needs.
Development Life Cycle Policy* - Upper management must understand how project stages work.
Configuration Management Policy - Upper management must understand how project stages work and how configuration management is implemented.
* - Business management
** - Accounting
Affects Job but Awareness Not Required