Read the book The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Page 141

Reporting


Conducting security control assessments (SCAs) and other monitoring and measurement activities is of little value without a well-managed reporting function. Auditors and assessors generally produce formal reports that detail their findings for each control assessed. In addition, your security team should have a defined process for documenting and reporting significant discoveries and metrics to senior leadership, regulators, and other stakeholders.

Some laws, regulations, and industry requirements come with specific reporting guidelines; as an information security leader, you must be familiar with any such requirements that are relevant to your organization. In general, a well-managed risk-based security program includes some level of reporting for the following:

 Internal audits (e.g., self-assessments)

 External audits (e.g., by regulators or other third parties)

 Significant changes to the organization's risk posture

 Significant changes to security or privacy controls

 Suspected or confirmed security breaches (or other incidents)

