1. Gap Analysis Areas of Interest – CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Appendix 1. Gap Analysis Areas of Interest

| Area of Interest | Sample documentation |
|---|---|
| Cybersecurity Planning | Information security policies |
| | Organization mission statement |
| | Organization roles and responsibilities |
| | IT and security organization chart |
| | Most current risk assessment |
| | Most recent cybersecurity assessments |
| Incident Response | Incident response plan, processes, and procedures |
| | Procedures for incident monitoring and reporting |
| Risk Management | Cybersecurity risk management plan |
| | Vulnerability management plan |
| Vendor Management | Policies regarding vendor selection, monitoring, and cybersecurity responsibilities |
| | Service level agreements (SLA) |
| Network Operations | System security engineering standards and policies |
| | Configuration specifications for information systems |
| | Secure application procurement/development processes and policies |
| | Anti-virus procedures |
| | Patch management |
| | Network architecture diagrams, including boundary protection mechanisms |
| Access Control | Access policies (e.g. passwords) |
| | Access policies (e.g. request, approval, termination, account management) |
| Change Control | System inventory procedures and results |
| | Change control procedures |
| | Change approval documents and tracking mechanisms |
| Physical Security | Physical security policy |
| | Badge and identification policies and procedures |
| | Sensitive area access procedures and policies |
| | Visitor access procedures and policies |
| Data Handling | Data classification policy and procedures |
| | Encryption standards for data at rest and in transit |
| | Computer disposal policy and procedures |
| | Electronic record retention policy and procedures |
| Personnel Security | Hiring policy and procedures |
| | Termination policy and procedures |
| | Monitoring procedures and policy |
| Acceptable Use | End-user acceptable use policy |
| Privacy | Privacy impact assessments |
| | Personally identifiable information protection policy and procedures |
| Cybersecurity Training & Awareness | Cybersecurity training programme requirements |
| | Cybersecurity training and awareness tracking |
| Self-Assessment | Self-assessment policy and procedures |
| | Copies of executed self-assessments |
| Cybersecurity Metrics | List of identified cybersecurity metrics |
| | Metrics collection and analysis policies and procedures |
| | Sample metrics report |
| Mobile Computing | Policies and procedures for the use of laptops, PDAs, and other mobile systems |
| | Telecommuting policy and cybersecurity procedures |
| | Removable media policy and procedures |
| Wireless Computing | Wireless deployment policies and procedures |
| | Wireless security policies and procedures |