From The Official (ISC)2 CISSP CBK Reference, Leslie Fife and Aaron Kraus, page 141
Reporting
Conducting security control assessments (SCAs) and other monitoring and measurement activities is of little value without a well-managed reporting function. Auditors and assessors generally produce formal reports that detail their findings for each control assessed. In addition, your security team should have a defined process for documenting and reporting significant discoveries and metrics to senior leadership, regulators, and other stakeholders.
Some laws, regulations, and industry requirements come with specific reporting guidelines; as an information security leader, you must be familiar with any such requirements that are relevant to your organization. In general, a well-managed risk-based security program includes some level of reporting for the following:
Internal audits (e.g., self-assessments)
External audits (i.e., regulator or any other third-party audits)
Significant changes to the organization's risk posture
Significant changes to security or privacy controls
Suspected or confirmed security breaches (or other incidents)