Fri Apr 8 06:51:39 PDT 2016
Management: Procedures: What procedures are implemented and how?
Options:
Procedures cover [all / most / some] of the activities by
which [policies are implemented / protection activities are carried
out / user activities are carried out], are defined and
implemented in [writing / a workflow system / checklists / ad-hoc
methods / a fully automated system], and are [carried out only
by authorized parties / documented as carried out / tracked / audited
/ measured / optimized (specify against what criteria) / adapted over time]
Decision:
Apply based on maturity and consequence level at a minimum
| Consequence | Maturity | Approach |
|---|---|---|
| High | Managed+ | Procedures cover [all] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing with a workflow system or a fully automated system], and are [carried out only by authorized parties, documented as carried out, tracked, audited, measured, optimized (specify against what criteria), and adapted over time]. |
| High | Defined- | DO NOT OPERATE IN THIS SITUATION |
| Medium | Managed+ | Procedures cover [most] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing using a workflow system or a fully automated system], and are [carried out only by authorized parties, documented as carried out, tracked, audited, measured, and adapted over time]. |
| Medium | Defined | Procedures cover [most] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing using a workflow system or checklists], and are [carried out only by authorized parties, documented as carried out, tracked, and audited]. |
| Medium | Repeatable- | DO NOT OPERATE IN THIS SITUATION |
| Low | Defined+ | Procedures cover [most] of the activities by which [policies are implemented, protection activities are carried out, and user activities are carried out], are defined and implemented in [writing, using a workflow system or checklists], and are [carried out only by authorized parties, documented as carried out, tracked, and audited]. |
| Low | Repeatable- | Procedures cover [some] of the activities by which [policies are implemented], are defined and implemented in [writing, checklists, or ad-hoc methods], and are [carried out only by authorized parties and documented as carried out]. |
What procedures are carried out and how
The generic sentence is: Procedures cover [all / most / some] of the activities by
which [policies are implemented / protection activities are carried
out / user activities are carried out], are defined and
implemented in [writing / a workflow system / checklists / ad-hoc
methods / a fully automated system], and are [carried out only
by authorized parties / documented as carried out / tracked / audited
/ measured / optimized (specify against what criteria) / adapted over
time].
Basis:
Procedures are the sequences of steps and
conditionals associated with enacting the mandates of policies and
related activities. While ideally there are procedures for everything,
the cost of specifying them may exceed the value they bring, especially
for immature low consequence situations. As maturity and consequences
increase, more and more of the activities by which policies are
implemented, protection activities are carried out, and user
activities are carried out are defined, automated, documented,
tracked, audited, measured, optimized, and adapted over time.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved