PROCESSES & PROCEDURES
Security Process Reference Model
As part of securitythisway.com we have compiled an integrated, structured set of security processes into an information security process model. The process model has three levels, as shown below. The level of detail at each level matches what is traditionally found in layered business process models, so the model should fit easily into any process model an organisation already has, regardless of how many layers that model has.
An additional level can be added for activities that require even more detail. For example, "Create and maintain awareness materials" and "Use, communicate or distribute awareness materials" are currently two activities that are part of "Define and manage security policy", a Level 2 process under "Information Security Management". Both activities may be further elaborated in an additional process flow showing exactly how awareness materials are created, approved, etc., and how an awareness campaign is run.
Below you will find the current list of processes. As we continue to work on this process model, this list will be further updated and amended. Each process is (or will be) supported by a flow chart and a process description detailing the activities and roles involved. The individual processes are listed under each meta process title.
1. Information Security Management
1.1 Define and manage security policy
1.1.8 Create and maintain awareness materials
1.1.9 Use, communicate or distribute awareness materials
1.2 Classify information
1.3 Classify systems
1.4 Handle information securely
1.5 Implement security in systems
1.6 Embed security measures in IT processes
1.7 Manage exception requests
1.8 Monitor, assess and test security measures
1.9 Remediate gaps and non-compliance
1.10 Manage information security risk
2. Cyber Security Management
2.1 Identify and manage threats
2.2 Identify and manage vulnerabilities
2.3 Design and manage security architecture
2.4 Manage security events
2.4.1 Onboard to SOC and maintain and update rules
2.5 Manage security incidents
2.6 Perform IT forensics
3. Identity & Access Management
3.1 Manage identities
3.2 Maintain IAM rules and principles
3.3 Manage access requests
3.4 Recertify access rights
3.5 Monitor access
3.6 Manage passwords and other credentials
Exploring the meta processes
The images below present the current versions of the three meta processes (Level 1). Contact us if you want to obtain the Level 2 processes.
Below you will find the current list of privacy processes. As we continue to work on this process model, this list will be further updated and amended. Each process is supported by a flow chart and a process description detailing the activities and roles involved.
- Privacy Training and Awareness Management
- Breach Notification
- Privacy Impact Assessment
- Data Subject Request Management (related to the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability and right to object to processing)