ISO 38500 1 big thing: Certify your staff is incorporating audit findings and recommendations into Information Security.

662 words, 2.5 minutes read. By Gerard Blokdyk

ISO 38500 1 big thing: Certify your staff is incorporating audit findings and recommendations into Information Security.

The big picture: Partner with other members of your GRC Team to develop positive relationships and serve as a highly professional representative to both internal and external (internal) customers.

Why it matters: Make headway so that your strategy contributes to the facilitation of technology on boarding and off boarding through the Information Security Programs Risk Review process.

The backdrop: Establish that your operation partners with business leaders/champions and solution delivery teams to identify key performance indicators, business requirements and measures to support and deliver the Enterprise Business Intelligence Strategy.

What to watch: Make sure the ISSM is responsible for applying Information System (IS) security principles, practices, and procedures under the Risk Management Framework (RMF) to maintain compliance with applicable security regulations, such as NIST, CNSSI, and NISPOM, governing the development and management of classified information systems.

On the flip side: Ensure you can influence your engineering architecture to help lead you into the next phase of growth for your Connected Devices IoT platform.

What we’re hearing: “Administer and measure company-wide Information Security governance processes; Assess, evaluate, and identify gaps; Make recommendations to management regarding the adequacy of the security controls and ensure deployment of solutions.“, Technical Business Analyst

Meanwhile: Assure your operation ensures that associated information and data management performs effectively and efficiently, conceptually, logically and physically for the down stream applications.

How it works: Act as a liaison between the business process owners, system end users and information technology resources on all things related to IT governance, risk/controls and compliance, turning business requirements into functional requirements.

State of play: Ensure your organization is acting as a primary stakeholder in the underlying information technology (IT) operational processes and functions that support the service, provide direction and monitor all significant activities so the service is delivered successfully.

Yes, but: Confirm that your personnel is responsible for leading Cybersecurity and IT governance, risk, and compliance efforts, including the establishment and maintenance of IT operating model and facilitating the development of technology policies and standards.

Be smart: Safeguard that your group serves as an internal consultant advising leadership on all information security questions, concerns and suggestions for current and future state.

Go deeper: Make sure the CISO leads the overall management and strategic oversight of enterprise information security including risk and compliance policies, procedures and practices, data loss prevention, governance, investigations, and forensics.

The bottom line: Liaison so that your strategy participates in the change management and service ticket management processes including receiving, resolution monitoring, and ensuring (internal) customer satisfaction.

What’s next: Verify that your staff is tuning regularly performing tuning and filtering SIEM alerts and monitoring components to ensure only relevant security data is gathered.

ICYMI: Implement an ongoing risk assessment program targeting information security and privacy matters; recommend methods for vulnerability detection and remediation and perform and/or oversee vulnerability testing.

Get started: store.theartofservice.com/ISO-38500-critical-capabilities/

Trusted by: FirstEnergy Corp, AE Stategies, LendingPoint, LLC, kraken, IBM, Micron Technology, IDC, CapB InfoteK, Mastery Logistics Systems, Inc., Accenture, McKesson, LumApps, Honeywell, Avery Dennison, Audible, Fidelity Investments, Olathe Public Schools, Amex, Emory University, Kajeet, Inc., Aruba Networks, Volkswagen Group of America, MasterBrand Cabinets Inc., Platform Science, Autonomic, Medtronic, NextEra Energy, Tesla, Novetta, Sirqul, Inc, Kwik Trip Inc, Particle, Rivian Automotive, Watts Water Technologies, Signify, Martin Engineering, TalentWerx, Terumo Medical Corporation, PepsiCo, Microsoft, Delta Faucet Company, Amazon.com Services LLC, Siemens, SunPower, Johnson Controls, Cummins Inc., BrightInsight, Losant, Pall, Allegion, Spireon, Lumin, Insight Enterprises, Inc., Alarm.com, Vodafone, Rad Power Bikes, Axon, ENEL, Schneider Electric, Precision Fermentation, Deeplocal Inc., Harbor Industries, Inc., Samsara, Ayla Networks, Prime Vision, Walmart, Xerox