Updating of security procedures policy
It provides a set of minimum requirements for security hygiene and several security implementation frameworks that can be used in concert with the other articles in this content area. The Plan-Do-Check-Act approach described here can be used to deploy and operate the categories of practices described in the other articles in this content area.
Effective methods for improvement and management of change typically use some variation of this approach.
ISO/IEC 27001 [ISO 05b]: This approach can be used during deployment and operations to install a single security practice or control, a new secure software testing procedure, a new security technology, a patch or any other software change, or to securely configure a new server.
The approach is general purpose and can be applied in a spiral, iterative fashion for successive levels of improvement and incrementally increasing scope. Edwards Deming states: “It is not enough to do your best; you must know what to do and then do your best.” In large part, deployment and operations is about managing change, whether intentional or unintentional (including change caused by a security breach).
High severity incidents require an immediate response and focused, dedicated attention by the CISO and other appropriate University officials and IT security staff until remediated.
These incidents also have extensive notification and reporting requirements, as outlined in the Incident Response Summary Table below. Medium severity incidents require a quick response by appropriate personnel (usually from the affected unit) who have primary responsibility for handling the incident.