
Standard Information Gathering (SIG)

August 18, 2019

Browse thousands of our document samples

https://bestitdocuments.com/Samples

SIG has four phases:

  1. Planning
  2. Assessment
  3. Treatment
  4. Accreditation

Each of these phases has specific work packages that are generic to all organizations regardless of their size, their specific key result areas, and their geographical siting.

Through the sequencing of their respective work packages, these phases focus on delivering specific results, be it a deliverable or a desired state of affairs.

The outputs of these phases are then followed by operational activities designed to integrate the deliverable or to maintain the achieved state, feasibly and effectively.

Information Gathering

Security initiatives normally do not have the same set of triggering events within organizations. In some instances a change in management could result in a focus on security as a critical requirement. In other instances it could be triggered by the realization of losses caused by a systems outage.

In other instances it could be the result of a proactive approach by managers concerned about the outcome of their investment. Whatever the triggering event, the fact remains that information has to be gathered to substantiate the underlying concern.

If an auditor is concerned about the retention period of system activity logs, he cannot make a business case unless he is able to substantiate the need for backing up activity logs with the specific non-repudiation-based legal or compliance requirements on which his own requirements are based.

If there is a business dependency on a particular information service such as email, it is incumbent upon the process owner of the concerned business function to identify the potential losses that could accrue from an hour, a day, or a week of systems outage caused by a virus or other such likely threats.

Otherwise it would be impossible for those responsible for authorizing the requisite investments to make an informed decision in this regard.

Information gathering therefore seeks to assemble a complete picture of the information technology infrastructure to serve as the basis for the next phase, namely risk assessment.
