Triggers
- Corporate governance guidelines
- Business Security Policy
- Corporate risk management processes and guidelines
- Business needs
- Services
- Requirements
- Business and IT plans and strategies
- Designs and strategies
- Security breaches/warnings/events/alerts
- Periodic activities
- Change of risk or impact of a business process, VBF, service or component
- Requests from other areas

Controls
- Enforcement of inclusion of security concerns in other ITSM process documentation
- Corporate governance and business security policies and guidelines

Inputs
- Business information
- Security plans, risk analysis and responses
- IT information
- Service information
- Risk Analysis processes and reports
- Details of all security events and breaches
- Change information
- CMS
- Details of partner and supplier access

Processes
- Security Policy production, review, revision, communication, implementation and enforcement
- Security assessment and classification of information assets and documentation
- Implementation, review, revision and improvement of a set of security controls and risk assessment and responses
- Monitoring and management of breaches and major security incidents
- Analysis, reporting and reduction of the volumes and impact of security breaches and incidents
- Schedule and completion of security reviews, audits and penetration tests

Outputs
- An overall Information Security Management Policy, together with a set of specific security policies
- SMIS
- Revised security risk assessment processes and reports
- Security controls
- Security audits and audit reports
- Security test schedules and plans
- Security classifications
- Classified information assets
- Reviews and reports of security breaches and major incidents
- Policies, processes and procedures