Information Security Governance Practices
We introduce several common information security governance practices in the following sections and describe them in greater detail in other chapters (conveniently cross-referenced, of course!).
Organizations today commonly outsource many IT functions (particularly call-center or contact-center support and application development). Information security policies and procedures must address outsourcing security and the use of vendors or consultants, where appropriate. Good examples of outsourcing security considerations include access control, document exchange and review, maintenance hooks (undocumented access paths left in by developers), on-site assessment, process and policy review, and service level agreements (SLAs).
Service-level agreements (SLAs)
Service-level agreements (SLAs) establish minimum performance standards for a system, application, network, or service. An organization establishes internal SLAs to give its end users a realistic expectation of the performance of its information systems and services. For example, a help desk SLA might assign incidents a priority of 1, 2, 3, or 4 and establish response times of 10 minutes, 1 hour, 4 hours, and 24 hours, respectively. In third-party relationships, SLAs set contractual performance requirements that an outsourcing partner or vendor must meet. For example, an SLA with an Internet service provider might establish a maximum acceptable downtime which, if exceeded within a given period, results in invoice ...