PROCESSES & PROCEDURES

About the process descriptions of securitythisway.com

Processes and procedures include different forms of process documentation and description. Indeed, processes can be documented in many different ways and at various levels of detail.

There are many benefits in documenting your processes. There are also some mistakes that many organisations make, resulting in poor or discontinued process documentation. In our blog you can read more about the importance of process documentation as well as how to overcome those common pitfalls.

Most commonly, processes are documented in flow charts with additional process descriptions where needed. The processes you find on securitythisway.com use a business process model (BPM) approach with flowcharts at different levels of detail that are supported by process descriptions.

Click on the different tabs above to see the current list of security and privacy processes. As we continue to work on this process model, this list will be further updated and amended. Each process is (or will be) supported by a flow chart and a process description detailing the activities and roles involved. In the interim, while the portal is under development, you can contact us to obtain one or more of the materials listed.

Don’t see what you are looking for?

Contact us if the security and privacy management content you are looking for is missing. It is very likely that we already have some content available but simply have not yet had the time to package it. As we continue our development, the list below will be constantly updated, so be sure to revisit to check for updates.

What about Procedures and Work Instructions?

In a more formalised format, processes may also be documented in a Procedure or Standard Operating Procedure (SOP). However, Procedures are just another format of process documentation; the content is mostly the same. Note that there is a misconception that Procedures or SOPs are mandatory to meet legal or regulatory demands (e.g. SOX, GDPR, GxP, etc.). Indeed, laws and regulations may require you to formally document your processes. However, they are indifferent to the format. Whether a process is documented by means of a flow chart and a process description or a Standard Operating Procedure does not matter that much for compliance purposes.

Work Instructions are also often used to document processes. Typically, Work Instructions represent a more detailed description of an activity, involving step-by-step explanations. Work Instructions often relate to a particular scenario or tool – e.g. how to handle a particular security incident or how to register an incident in a particular incident management tool. The same level of detailed content can also exist as part of the flow chart based process model and can also be found in other formats such as manuals, wiki pages or training materials.

In the end, the format and naming do not matter that much; it is the content that matters, as well as how you structure that content to provide an integrated and organised view of all process related content. The flow charts and process descriptions found here can easily be transformed into the format or tool of your choice.

SECURITY PROCESSES

Security Process Reference Model

As part of securitythisway.com we have compiled an integrated, structured set of security processes into an information security process model. The process model has three levels as shown below. The level of detail in each of the levels is consistent with the levels that are traditionally found in layered business process models and should therefore easily fit any models that may already exist in an organisation (regardless of the number of layers it may have).

Level 0 Process Map

Breakdown of Information Security into its major functional areas and components:

  • Information Security Management
  • Cyber Security Management
  • Identity & Access Management

Level 1 Meta processes

High level process flow showing the main process components and interactions of each of the areas or domains identified in the process map.

The three information security meta processes are shown below.

Level 2 Individual processes

Decomposition of level 1 process components into level 2 process flows. See below for a list of processes we are currently working on.

An additional level can be added for activities that require even more detail. For example, “Create and maintain awareness materials” and “Use, communicate or distribute awareness materials” are currently two activities that are part of “Define and manage security policy”, a Level 2 process under “Information Security Management”. Both activities may be further elaborated in an additional process flow showing exactly how awareness materials are created, approved, etc. and how an awareness campaign is run.

Process list

Below you will find the current list of processes. As we continue to work on this process model, this list will be further updated and amended. Each process is (or will be) supported by a flow chart and a process description detailing the activities and roles involved. Click on each meta process title to expand the section and see the list of individual processes underneath it.

Information Security Management

  • 1.1 Define and manage security policy
      • 1.1.8 Create and maintain awareness materials
      • 1.1.9 Use, communicate or distribute awareness materials
  • 1.2 Classify information
  • 1.3 Classify systems
  • 1.4 Handle information securely
  • 1.5 Implement security in systems
  • 1.6 Embed security measures in IT processes
  • 1.7 Manage exception requests
  • 1.8 Monitor, assess and test security measures
  • 1.9 Remediate gaps and non-compliance
  • 1.10 Manage information security risk

Cyber Security Management

  • 2.1 Identify and manage threats
  • 2.2 Identify and manage vulnerabilities
  • 2.3 Design and manage security architecture
  • 2.4 Manage security events
      • 2.4.1 Onboard to SOC and maintain and update rules
  • 2.5 Manage security incidents
  • 2.6 Perform IT forensics

Identity & Access Management

  • 3.1 Manage identities
  • 3.2 Maintain IAM rules and principles
  • 3.3 Manage access requests
  • 3.4 Recertify access rights
  • 3.5 Monitor access
  • 3.6 Manage passwords and other credentials

Exploring the meta processes

The images below present the current versions of the three meta processes (Level 1). Contact us if you want to obtain the Level 2 processes.

PRIVACY PROCESSES

Below you will find the current list of privacy processes. As we continue to work on this process model, this list will be further updated and amended. Each process is supported by a flow chart and a process description detailing the activities and roles involved.

  • Privacy Training and Awareness Management
  • Breach Notification
  • Privacy Impact Assessment
  • Privacy Policy Management
  • Data Subject Request Management (related to the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability and right to object to processing)