Common Non-Disclosure Agreement
Date 2007.06.22
Instructions
This spreadsheet is an aggregation and sanitization of all the spreadsheets that I have made over the past year in one version or another. I figured that they could find some object reuse by other people.

This spreadsheet is designed to be the core of a CISO's "Book of Death" that allows them to track and manage the IT systems under their purview in an ISM sense. The colloquial phrase "Book of Death" comes from the book that most good leaders in the US Army carry on them about all their soldiers.

Feel free to add or detract as you see fit for your own environment or purposes. I would appreciate an email if you are using this or have recommendations to make it better.
Have Fun
Mike Smith
http://www.guerilla-ciso.com/
rybolov@ryzhe.ath.cx
codeyeti@yahoo.com
michael.j.smith@unisys.com
Color Bars for You to Use: High, Moderate, Low
The purpose of this tab is to track the status of individual components of your policy framework. The original concept was a security-specific policy, but ITIL-esque components were added later. Feel free to add or detract from the framework as necessary.
Number | Name | Status | Origin
1.0.0 | Information Protection | In Review | Implied
1.0.1 | Policy Enforcement | Draft | Corp Policy
1.0.2 | Information Sensitivity | Approved | NISPOM
Number | Name | Policy Owner | Status
1.0.0 | Policy Governance | | In Review
1.1.0 | Information Protection | Joe ISM | Draft
1.2.0 | Policy Enforcement | | Approved
1.3.0 | Information Sensitivity and Categorization | |
2.0.0 | Risk Management and Assessment | |
2.1.0 | Risk Planning | |
2.2.0 | Risk Assessment | |
2.3.0 | Certification, Accreditation, and Security Assessments | |
3.0.0 | Physical Security and Environmental Protection | |
3.1.0 | Badge and Access Control | |
3.2.0 | Data Center Safety | |
3.3.0 | Physical Incident Response | |
3.4.0 | Physical Maintenance | |
3.5.0 | Media Protection | |
4.0.0 | Service Infrastructure | |
4.1.0 | Dedicated Infrastructure | |
4.2.0 | Shared Infrastructure | |
4.3.0 | Data Center Services | |
5.0.0 | Configuration and Change Management | |
5.1.0 | Change Management & Control | |
5.2.0 | Configuration Management & Control | |
5.3.0 | System and Services Acquisition | |
5.4.0 | Asset Inventory and Control | |
5.5.0 | System Naming Conventions | |
6.0.0 | Disaster Recovery and Business Continuity | |
6.1.0 | IT Contingency Planning | |
6.2.0 | Service Continuity Management | |
6.3.0 | Requirements | |
6.4.0 | Develop BCP/DR | |
6.5.0 | Implement BCP/DR | |
6.6.0 | Maintain BCP/DR | |
6.7.0 | BCP/DR Training | |
7.0.0 | Personnel Security | |
7.1.0 | Position Categorization | |
7.2.0 | Acceptable Use Policy | |
7.3.0 | Security Awareness and Training | |
7.4.0 | Non-Clearable Personnel | |
7.5.0 | Employee Termination | |
7.6.0 | Employee On-Boarding | |
8.0.0 | IT Systems Security | |
8.1.0 | IT Maintenance | |
8.2.0 | IT Access Control | |
8.3.0 | IT Audit and Accountability | |
8.4.0 | Identification and Authentication | |
8.5.0 | IT Interconnections | |
8.6.0 | Wireless Communications | |
8.7.0 | System and Communications Protection | |
8.8.0 | System and Information Integrity | |
8.9.0 | Warning Banners | |
9.0.0 | Project Management | |
9.1.0 | Communication | |
9.2.0 | Strategic Planning | |
10.0.0 | Incident Management | |
10.1.0 | IT Security Incident Response | |
10.2.0 | IT Operational Incident Resolution | |
10.3.0 | Desktop Support | |
10.4.0 | Server Support | |
10.5.0 | Network Support | |
10.6.0 | Database Support | |
10.7.0 | Messaging Support | |
11.0.0 | Problem Management | |
11.1.0 | Fault Monitoring | |
11.2.0 | Fault Recovery | |
11.3.0 | Problem Analysis | |
11.4.0 | Root Cause Analysis | |
12.0.0 | Release Management | |
12.1.0 | Technology Refresh | |
12.2.0 | Desktop Services | |
12.3.0 | Server Services | |
12.4.0 | Network Services | |
12.5.0 | Database Services | |
12.6.0 | Messaging Services | |
13.0.0 | Service Desk | |
13.1.0 | Help Desk | |
13.2.0 | Consumable Provisioning | |
14.0.0 | Service-Level Management | |
14.1.0 | SLA Development | |
14.2.0 | SLA Monitoring | |
14.3.0 | Standards Development | |
14.4.0 | Standards Monitoring | |
15.0.0 | Capacity Management | |
15.1.0 | Capacity Planning | |
15.2.0 | Business Requirements Analysis | |
15.3.0 | Performance Monitoring | |
15.4.0 | Capacity Monitoring | |
16.0.0 | Availability Management | |
16.1.0 | Performance Tuning | |
16.2.0 | Outage Analysis | |
16.3.0 | Fault Tree Analysis | |
17.0.0 | Financial Management | |
17.1.0 | Cost Accounting | |
17.2.0 | Contract Management | |
17.3.0 | RFP Management | |
17.4.0 | Budgeting | |
18.0.0 | Quality Management | |
18.1.0 | Quality Management Plan | |
Addenda
A Rules of Behavior
B Non-Disclosure Agreement
C Glossary
Notes
Sets Authority for Policy
Document Link References & Guidance Notes
http://intranet/path/filename Implied
FIPS-199
NIST SP 800-60
PCI DSS
The purpose of this tab is to track the subcomponents of your network as you break them down into "bite-sized pieces".
System ID | Short Name | Full Name | System Owner | ISSO | Criticality (Owner) | Criticality (Enterprise) | Boundaries Established | Last Risk Assessment | Connects With | Comments
1 | FooNet | Foo Corporate LAN/WAN | Mike Smith | Joe Smith | Moderate | Moderate | Yes | 10/4/2006 | System 2, System 3 | Will be decommissioned 01/01/2009
The purpose of this tab is to track audit findings and responses until a mitigation plan is agreed upon.
ID | Environment or System | Finding | Consequences | System Risk | Enterprise Risk | System Owner's Response | Auditor's Response | Mitigation Plan | Comments
1 | FooNet | Backup system not fully tested | Not able to meet restore and COOP objectives | High | Moderate | We have a project plan, budget and a project manager designated to lead this effort. | Concur with system owner. At publication of first version of BCP, will revise system risk to moderate. | Develop BCP; Develop backup and restore plan; Deploy hot site | Some tape backup working as of 01/01/2007
The purpose of this tab is to track unmitigated risks as a long-term tracking sheet.
ID | Environment or System | Risk Description | Consequences | System Risk | Enterprise Risk | Mitigation Plan | Resources Required | Mitigation Actions and Milestones | Comments
1 | FooNet | Backup system not fully tested | Not able to meet restore and COOP objectives | High | Moderate | Develop BCP; Develop backup and restore plan; Deploy hot site | Need to hire additional Backup Admin | 01/01/2007 First bare-metal restore test | Some tape backup working as of 01/01/2007
The purpose of this tab is to track incidents for closure and then statistics.
Serial | Date of Notification | Organization | Description | Investigator | Category | Date of Closure | Outcome | Recommended Actions
200700101-01 | 1/1/2007 | NOC | Missing Laptop | Smith | Asset Management | 1/14/2007 | Handed over to Local Police | Bag Inspections; Equipment Sign-Out; Property Passes
The purpose of this tab is to track waivers that are granted as an exception to policy, procedures, or security architectural model.
Waiver ID | Requester | Description | Risk Rating (system component only) | Risk Rating (enterprise) | Approver | Date Approved | Mitigation Action | Milestone Due Date
Waiver 07-01-01-01 | Smith | Firewall rules to allow WSUS servers in trusted internal zone to Internet to allow updates | Low | Low | Smith | 1/1/2007 | Deployment of a WSUS server for Grackle and the Internet access for it to pull the new patches from Microsoft | 90 Days
The purpose of this tab is to record the various pieces of our subcomponents so that we know exactly which assets belong to a particular system.
Hostname | IP | Function | System Administrator
rainbow | 10.1.1.1 | Router |
salmon | 10.1.1.2 | Switch |
brownie | 10.1.1.3 | Switch |
The purpose of this tab is to build a requirements traceability matrix and implementation details.
Control Identifier | Reference | Requirement Description | Common or Hybrid Controls | External Dependencies | Implementation Details | Related docs
1.1.1 | NIST SP 800-53 Control RA-1 | Risk Assessment Policy and Procedures | Common enterprise-wide control | Corporate Budget Process | Have Policy, needs procedure work | Get documents about "