Fri Apr 8 06:49:41 PDT 2016

Management: Procedures: What procedures are implemented and how?


Options:

Procedures cover [all / most / some] of the activities by which [policies are implemented / protection activities are carried out / user activities are carried out], are defined and implemented in [writing / a workflow system / checklists / ad-hoc methods / a fully automated system], and are [carried out only by authorized parties / documented as carried out / tracked / audited / measured / optimized (specify against what criteria) / adapted over time]


Decision:

Apply based on maturity and consequence level at a minimum

| Consequence | Maturity | Approach |
|---|---|---|
| High | Managed+ | Procedures cover [all] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing with a workflow system or a fully automated system], and are [carried out only by authorized parties, documented as carried out, tracked, audited, measured, optimized (specify against what criteria), and adapted over time]. |
| High | Defined- | DO NOT OPERATE IN THIS SITUATION |
| Medium | Managed+ | Procedures cover [most] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing using a workflow system or a fully automated system], and are [carried out only by authorized parties, documented as carried out, tracked, audited, measured, and adapted over time]. |
| Medium | Defined | Procedures cover [most] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing using a workflow system or checklists], and are [carried out only by authorized parties, documented as carried out, tracked, and audited]. |
| Medium | Repeatable- | DO NOT OPERATE IN THIS SITUATION |
| Low | Defined+ | Procedures cover [most] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing, using a workflow system or checklists], and are [carried out only by authorized parties, documented as carried out, tracked, and audited]. |
| Low | Repeatable- | Procedures cover [some] of the activities by which [policies are implemented], are defined and implemented in [writing, checklists, or ad-hoc methods], and are [carried out only by authorized parties and documented as carried out]. |

What procedures are carried out and how

The generic sentence is: Procedures cover [all / most / some] of the activities by which [policies are implemented / protection activities are carried out / user activities are carried out], are defined and implemented in [writing / a workflow system / checklists / ad-hoc methods / a fully automated system], and are [carried out only by authorized parties / documented as carried out / tracked / audited / measured / optimized (specify against what criteria) / adapted over time].


Basis:

Procedures are the sequences of steps and conditionals associated with enacting the mandates of policies and related activities. While ideally there are procedures for everything, the cost of specifying them may exceed the value they bring, especially for immature low consequence situations. As maturity and consequences increase, more and more of the activities by which policies are implemented, protection activities are carried out, and user activities are carried out are defined, automated, documented, tracked, audited, measured, optimized, and adapted over time.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved