Document No.: XX-XXX-XX-XXX
Revision status: 00
Effective date:
Approved by:
Signature:
Date:
2. LIST OF ABBREVIATIONS
Abbreviation Full term
AG Auditor General
BSM Business Service Manager
BYOD Bring your Own Device
CAM Competency Area Manager
CEO Chief Executive Officer
CIO Chief Information Officer
CISO Chief Information Security Officer
COBIT Control Objectives for Information and Related Technologies (ISACA)
CPO Chief Privacy Officer
EA Enterprise Architecture
ECT Electronic Communications and Transactions Act
EISA Enterprise Information Security Architecture
ICT Information and Communications Technology
IPPSC Information Privacy Project Steering Committee
IS Information Security
ISACA Information Systems Audit and Control Association
ISC Information Security Champion
ISSC Information Security Steering Committee
ISMS Information Security Management System
ISO International Organization for Standardization
ISOM Information Security Operating Model
ISWG Information Security Working Group
IT Information Technology
JPC Joint Planning Committee
NCPF National Cybersecurity Policy Framework
NHA National Health Act
NKPA National Key Points Act
OU Operating Unit/Centre
POPI Protection of Personal Information (Act)
RICA Regulation of Interception of Communications and Provision of Communication-Related Information Act
SITA State Information Technology Agency
SLA Service Level Agreement
SSA State Security Agency
3. INTRODUCTION
Cyber-attacks and cybercrime are on the rise. They frequently result in information security and privacy breaches that draw unwanted attention and cost organisations reputation, customer confidence and, in some cases, large recovery expenses. At the same time, organisations are embracing new technologies that drive growth and productivity, including enterprise mobility, BYOD, cloud-based services and the Internet of Things, to name just a few. These technologies, and the new ways of working they bring, have made it increasingly challenging to control and secure any organisation.
Over the past few years, information and cyber security threats to organisations have increased ten-fold, with thousands of new threats, malware samples and attack methods being discovered every day. Symantec reports in its annual Internet Security Threat Report that in 2015 alone over half a billion personal records were lost or stolen and 431 million new malware variants were discovered.
Every organisation needs a strong culture of information security, founded on positive influence at each organisational level. In general, business expectations of information security teams have risen over the past few years as threats to the organisation have advanced and multiplied.
Furthermore, the focus of information security must shift from being an operational IT problem to being a strategic business objective that addresses a business problem and need, striving for effective and sustainable protection of the organisation's information resources.
Within the COMPANY X, information, whether in electronic or paper form, is a critical business asset. The ability of the COMPANY X to operate effectively, achieve its business objectives and comply with a number of legislative and regulatory imperatives depends on its ability to ensure that information is adequately managed and protected. In particular, our intellectual property must be closely protected, as adversaries (including nation states) and competitors could benefit greatly and unduly from gaining access to it. Loss of this information could also pose a threat to national security.
Taking all of this into consideration, the COMPANY X has a pressing need to establish a strong and effective Information Security Governance capability that creates and embeds a culture and practice of information security in its operations and among its employees.
4. OVERVIEW
The benefits of information security are realised only if the information security governance structure is effectively and adequately integrated into the various Operating Units/Centres (OUs) and support functions throughout the COMPANY X. Information security must be positioned strategically within the COMPANY X so that it supports key strategic objectives while still protecting the COMPANY X's information resources.
The information security function must shift from an operational level to a strategic level, to align better with organisational objectives without losing sight of, or ceasing to support, ICT security operations. This strategic shift is underpinned by defining measurable information security controls and operational processes, with appropriate metrics and reporting mechanisms.
This shift in focus will result in the establishment of the following key functional areas within the COMPANY X's Information Security Office, as shown in Figure 1.
2) Establish and Maintain the ISMS – Establish and maintain an ISMS that provides a standard, formal and continuous approach to information security management. This is achieved by defining an information security policy framework that provides management direction and support for information security. The ISMS will also enable secure technology and business processes that are aligned with business and information security requirements.
5) Monitor and Review the ISMS – Maintain, and regularly communicate, the need for and benefits of continuous improvement of information security capability and controls.
Please refer to the Information Security Strategy for more details on the Information
Security Management Process.