The objective is to identify where information security sits within the structure of how the company makes decisions, sets priorities, monitors performance, and communicates with clients, staff, and stakeholders. A key area of focus will also be to determine to what extent the client uses performance reporting and analysis to provide decision-makers with the information required to assess the state of information security and make the required decisions.
Critical information to be gathered will include strategic documents relating to corporate planning and priorities, terms of reference (TORs) for governance committees, organizational priority documents, management accountability frameworks, decision-making guidelines, corporate messaging regarding priorities, corporate messaging regarding information security, and messaging regarding tactical information security measures. In addition, the client will be asked to provide information to the assessment team regarding the existence of an enterprise or corporate risk profile.
The corporate culture component will aim to identify how the organization, its management teams, and employees view information security, and how security is promoted in daily practices, key functions, and behaviors to effectively secure information. The first objective of this section will be to help determine if information security is woven appropriately into the culture of the organization, if the culture of the organization allows information security to be taken seriously, and if a true 'top-down' commitment exists. The second objective is to determine if the required level of awareness exists with staff and management regarding information security. This includes assessing the organization's overall understanding of the general topic, how it impacts the company, the consequences if a data breach occurs, their own responsibilities, existing laws, regulations, and internal policies, who is responsible for what within the organization, and the appropriate measures to be taken.
It is important to the data gathering process that the appropriate management and other accountable representatives attend the data gathering meetings, so that the information required to support an effective analysis is available. It is recognized that certain client representatives may have multiple responsibilities and that terminology may vary. It is therefore critical to make prior preparations with the Project Lead during the Introduction Meeting to ensure representatives with the following accountabilities attend this meeting:
Kenaston P.O. Box 70010
Winnipeg, Manitoba, Canada, R3P 0X6
204-202-5050 | info@castellaninformationsecurity.com