Code Of Practice For Information Security Management System

1090 words, May 6, 2015, 5 pages
The ISO 27002 standard (Information Technology Security Techniques, Code of Practice for Information Security Management) and NIST 800-53 were used to make revisions to the SLA. In particular, ISO 27002 is an industry-recognized standard for developing an information security management system. NIST 800-53 is a set of U.S. government security standards for federal information systems; granted, it is also used for non-governmental systems. In sum, the difference between the two frameworks is that the ISO standards are internationally recognized, whereas the NIST standards were developed by the U.S. government. Lastly, the SLA review used a combination of the two since FAM is a multinational company. Upon reviewing the SLA, several…
FAM must address regulatory compliance standards to protect information, especially while using third-party vendors to outsource services. Moreover, the service level agreement should ensure DTK and MTK follow the same policies and regulations while acting as FAM representatives. Policy management involves enforcing FAM policies and standards. Essentially, data protection laws govern data processing activities, and FAM policies are the measures used to demonstrate compliance with those laws. Of course, laws vary depending on the customer’s location.

Data Protection Policies

Since DTK/MTK are representatives of FAM, they will observe FAM security policies to protect the confidentiality, integrity, and availability of customer information. Thus, FAM must communicate all relevant data protection policies for processing data. Even more, the FAM Data Protection Officer (DPO) will provide direction to DTK/MTK personnel on their responsibilities with corporate data, as well as procedures to follow while working with FAM data (ISO). Furthermore, DTK/MTK will disclose the means and controls employed by the external party when storing, processing, communicating, sharing, and exchanging information. Finally, FAM reserves the right to monitor, and revoke, any activity related to the organization’s assets.

Incident Reporting Policy

FAM will define standards for reporting,