130 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Legislation Awareness ...............................................................................142
A View of the HIPAA Final Security Rule ................................................142
A View of Sarbanes-Oxley ........................................................................144
Litigation Management ................................................................................145
Enterprise Security Standard .............................................................................145
Enterprise Security Framework .....................................................................148
Enterprise Use of ESF ..............................................................................148
A View of NIST SP 800-53 as an ESS and ESF ............................................150
ESF as a Common Alignment Structure ...................................................152
People ...............................................................................................................152
People and Compliance ................................................................................154
Enterprise Role of Policies, Standards, Procedures, and Practice ....................154
Security Policies ............................................................................................154
Policy Structure and Content ...................................................................155
Security Policy General Practices ..............................................................156
Access Policy ............................................................................................157
Wireless Policy .........................................................................................161
Portable Media Policy ...............................................................................162
Software Management Policy ...................................................................164
Media Disposal Policy ..............................................................................165
Contracts and Business Agreement Policy ................................................165
Incident Response Policy ..........................................................................169
Digital Policy Management ...........................................................................170
Security Standards ........................................................................................171
Security Management Standards...............................................................173
Security Procedures .......................................................................................173
Security Guidelines .......................................................................................174
Security Practice ...........................................................................................174
Compliance Document Dissemination .........................................................174
Metrics .........................................................................................................175
Existence Metrics .....................................................................................175
Effectiveness Metrics ................................................................................176
Efficiency Metrics .....................................................................................176
Process ..............................................................................................................176
Configuration Management ..........................................................................177
Library Management ................................................................................177
Patch Management...................................................................................178
Patch Management, Risk Posture, and Security Posture ............................179
Change Control .......................................................................................180
Records Management ...................................................................................183
Records ....................................................................................................183
Records Management Process ...................................................................184
Physical and Virtual Records ....................................................................189