IT GOVERNANCE X X X
Page 1 of 15
INFORMATION SECURITY RISK Approval Stamp.
This document is the property of ADWEA and cannot be used nor provided to outside party without prior authorization.
Effective Date: Xst of Xxx 20XX
Volume Chapter Version
Approved By Chairman
Table of Contents
2 SUMMARY
3 GENERAL APPLICABILITY
4 IT POLICY ELEMENTS
4.1 INFORMATION SECURITY RISK MANAGEMENT POLICY
1 SUMMARY
In today's world, the cyber threat landscape is evolving so rapidly that entities are
challenged to keep up with the number and variety of threats. In the face of this growing
threat landscape, entities need to adopt practical measures to defend their critical information
and information infrastructure against the most critical vulnerabilities that threats could
exploit. To this end, a risk-based approach provides entities with a pragmatic
means to identify the most critical vulnerabilities that could expose them to risk, and to
develop corresponding appropriate treatments.
Adopting a risk-based approach ensures that security controls are instituted in accordance
with current risk assessments commensurate with the risk and magnitude of the impact that
could result if critical information assets are compromised.
The Information Security Risk Management Policy of ADWEA outlines the elements
and controls needed to establish a risk-based approach to information security at the
entity level.
2 GENERAL APPLICABILITY
This policy is applicable to all ADWEA information assets, including (but not limited to) all
services, processes, and systems managed by Information Technology and Operation
Technology Departments, unless specific overriding scopes are identified under specific policy
elements / sub elements.
3 IT POLICY ELEMENTS
- To ensure that a current and complete information risk profile exists for
technology, applications and infrastructure within the enterprise.
- To ensure that the entity's risk appetite and tolerance are understood, articulated and
communicated internally.
- To ensure that these risks are treated in accordance with the information security
requirements and objectives of the entity, which are aligned with the NESA
requirements.
Information Security Risk Management covers all of ADWEA's information resources and
supporting systems, whether managed or hosted internally or externally.
3.1.3 Background
3.1.5.1 ADWEA will use the NESA IAS as its framework for managing its IT information
security risks by establishing the context, performing IT risk assessments,
implementing risk treatments and monitoring their implementation.
3.1.5.2 There shall be a formal, documented and approved process and procedure associated
with Information Security risk assessment, treatment and monitoring for ADWEA.
3.1.5.3 The scope of the risk assessment, treatment and monitoring shall cover all the critical
services and their supporting functions based on the information asset classification
(refer to asset management policy).
3.1.5.4 Roles and responsibilities related to the overall Information Security risk
management for ADWEA shall be clearly defined and communicated.
3.1.5.5 Risk impact criteria, acceptance criteria and risk evaluation criteria shall be clearly
defined under risk management standards.
3.1.5.6 The Information Security risk management shall be integrated with the enterprise
risk management.
3.1.5.7 The Information Security risk management plan shall cover all the main elements as
outlined below.
3.1.5.7.1 Information Risk Identification - ADWEA shall apply the information security risk
assessment process to identify risks associated with the loss of confidentiality,
integrity and availability of its critical information assets by:
- Clearly defining the scope of the risk assessment exercise.
- Identifying critical business functions.
- Identifying critical information systems supporting business-critical functions
within the scope and boundary of the risk assessment.
- Identifying vulnerabilities related to the information and information systems.
- Identifying existing information security controls.
- Identifying threats and threat sources.
3.1.5.7.4 Monitoring of Information Security Risk Management - ADWEA shall plan and
document the process for the review and update of the risk assessment and
treatment; this shall include planned reviews and updates as well as ad hoc updates
if significant changes occur.
ADWEA's monitoring and review processes shall encompass all aspects of the risk
management process and shall take account of changes in:
A. The entity itself
B. Technology used
C. Business objectives and processes
D. Risk criteria and the risk assessment process
E. Assets and consequences of losses of confidentiality, integrity or availability
F. Identified threats
G. Identified vulnerabilities
H. Effectiveness of the implemented controls
I. External events, such as changes to the legal or regulatory environment,
changed contractual obligations, and changes in social climate.
ADWEA shall monitor security incidents that might trigger the risk assessment
process.
Responsibilities for monitoring and review shall be clearly defined and documented.
3.1.5.7.5 Communication of Information Security Risks - ADWEA shall communicate and
consult on risk information obtained during and after risk management activities with
all stakeholders involved.
It will establish and use a formal risk communication plan for communicating risk
information with key stakeholders including decision-makers within the entity
during all stages of the risk management process.
Typically, the most senior management has the overall responsibility for managing risks
in any organization, as required by current laws, regulations or contracts.
In the context of IT-related risks within ADWEA, the Chairman has the overall
responsibility for managing the information-based risk exposure of ADWEA.
The detailed breakdown of the roles and responsibilities associated with Information
Security Risk Management for ADWEA is listed below.
ISGC (Information Security Governance Committee)
The role of the ISGC is to coordinate corporate security initiatives at the
executive level and thus enable ADWEA to optimize spending, manage
its infrastructure and minimize security risk.
The ISGC is responsible for the following:
- Work with all strategic partners to develop, coordinate and follow
up a national information security plan and program based on
effective risk management to enhance the protection of information
and assets in coordination with the relevant authorities.
- Ratify the findings of security-related assessments and serve as
the primary oversight function to ensure corrective actions are
addressed.
- Ratify Information Security Plans, Risk Assessments and
Information Security Continuity Plans and verify performance against
defined objectives by reviewing IT Security Program KPIs.
- Ensure security controls are in place to maintain and safeguard
the integrity of information resources by balancing risk assessment,
best-practice information security techniques and national security
standards.
- Provide guidance and leadership to maintain and improve the
confidentiality, integrity and availability of information.
- Serve as a point of escalation for security-related issues and
concerns.
- Ratify assignment of information ownership, classification of
principal information assets and the information lifecycle.
- Ratify the information security policy and supporting policies and
ensure their effectiveness.
- Assess any requests for policy exceptions from individual
business units.
- Verify the effectiveness of information security awareness and
training activities.
- Act as the primary management-oriented conduit for security-related
matters to the board and other senior stakeholders.
CISO (Chief Information Security Officer)
The CISO has the overall responsibility for the management of
information security.
4 REFERENCES
Item Description
5 APPENDICES
5.1 Definitions