Schedule of Security Procedures (ISMS-SUP-001)
Quarterly Procedures
These procedures shall be conducted and documented every three months to ensure ongoing compliance and security posture management.
| Procedure (Code) | Primary Owner | Description |
|---|---|---|
| Information Security Committee Charter Procedure (SEC-PROC-001) | Committee Chair | Defines the operating rules and responsibilities of the Information Security Committee, which holds quarterly meetings. |
| Facility Access Management Procedure (SEC-PROC-006) | Facilities/Security Team | Describes the process for managing physical facility access, including conducting and documenting quarterly access reviews. |
| User Access Review Procedure (AC-PROC-003) | IT/Security Team | Defines the process for conducting periodic reviews of privileged user access rights (quarterly) and all other access rights (semi-annually) to ensure adherence to the principle of least privilege. |
| Privileged Infrastructure Access Review Procedure (ENG-PROC-006) | Security Team | Outlines the steps for conducting and documenting the required quarterly reviews of all user accounts with privileged access. |
Annual Procedures
These procedures shall be performed at least once per year to satisfy major compliance, assessment, and testing mandates.
| Procedure (Code) | Primary Owner | Description |
|---|---|---|
| Internal Audit Procedure (SEC-PROC-002) | Head of Internal Audit | Outlines the process for planning, conducting, and reporting on annual internal audits of the Information Security Management System. |
| Risk Assessment Procedure (SEC-PROC-004) | Security Officer | Establishes a systematic process for conducting risk assessments annually and on an ad-hoc basis when significant changes occur. |
| Incident Response Plan (IRP) ([RES-PROC-001]) | Security Team | Provides actionable steps for responding to incidents, including conducting annual training and simulation exercises. |
| Cryptographic Key Lifecycle Management Procedure (OP-PROC-001) | Cloud Operations Team | Provides technical steps for the secure lifecycle of cryptographic keys, including their annual rotation. |
| Application Security Testing Procedure (ENG-PROC-001) | Security Team | Details the process for conducting security testing, including annual penetration tests for applications handling sensitive data. |
Ad-Hoc / As-Needed / Event-Driven Procedures
These procedures are not performed on a fixed schedule but are triggered by specific events such as a new hire, a security incident, or a request for a new system.
| Procedure (Code) | Primary Owner | Description |
|---|---|---|
| Access Control Policy Exception Procedure (SEC-PROC-003) | Security Officer | Provides a formal process for requesting, reviewing, and documenting exceptions to the Access Control Policy password and authentication requirements. |
| Vendor Risk Assessment and Onboarding Procedure (SEC-PROC-005) | Security Team | Details the process for assessing a new vendor’s security posture before engagement. |
| Vulnerability Management Procedure (SEC-PROC-008) | Security Team | Describes the continuous workflow for identifying, prioritizing, remediating, and verifying system vulnerabilities. |
| Vulnerability Management Exception Procedure (SEC-PROC-009) | Security Officer | Outlines the process for formally requesting and documenting an exception to a vulnerability remediation Service Level Agreement (SLA). |
| Acceptable Use Policy Violation Investigation Procedure (AC-PROC-001) | Security Officer | Defines the process for investigating and responding to reported violations of the acceptable use policy. |
| Bring Your Own Device (BYOD) Onboarding Procedure (AC-PROC-002) | IT Department | Establishes the process for registering and securing a personally-owned device for access to company resources. |
| Access Control Management Procedure (AC-PROC-004) | IT Department | Defines the process for managing the lifecycle of user access, including provisioning, modification, and revocation. |
| Data Breach Risk Assessment Procedure ([RES-PROC-002]) | Privacy Officer | Guides the formal risk assessment required to determine if an incident qualifies as a notifiable breach. |
| Post-Incident Review Procedure ([RES-PROC-003]) | Incident Commander | Outlines the process for conducting a formal ‘lessons learned’ review after a significant incident is resolved. |
| Mobile Device Onboarding and Security Configuration Procedure (OP-PROC-002) | IT Security Team | Details the steps for enrolling a mobile device in the MDM system and ensuring it meets security requirements. |
| Lost or Stolen Mobile Device Response Procedure (OP-PROC-003) | IT Security Team | Provides the immediate steps to take when a mobile device used for company business is reported lost or stolen. |
| Secure Media Disposal and Sanitization Procedure (OP-PROC-004) | IT Team | Provides instructions for securely destroying or sanitizing media that is at the end of its lifecycle. |
| Legal Hold Procedure (OP-PROC-005) | Legal Team | Outlines the steps for issuing, tracking, and releasing a legal hold on information relevant to legal matters. |
| Workforce Screening and Background Check Procedure (OP-PROC-006) | Human Resources (HR) | Outlines the formal process for conducting required background checks on all candidates for employment. |
| Employee Onboarding and Offboarding Security Procedure (OP-PROC-007) | Human Resources (HR) | Provides a formal checklist to ensure all security tasks are completed during employee onboarding and termination. |
| Security Policy Sanction Procedure (OP-PROC-008) | Manager & HR | Describes the process for documenting security policy violations and applying appropriate disciplinary actions. |
| Third-Party Component Security Review Procedure (ENG-PROC-002) | Development Team Lead | Defines the steps for reviewing and approving the use of new third-party software components. |
| Standard Change Management Procedure (ENG-PROC-003) | Engineering Lead | Details the process for managing a standard, non-emergency change to a production application or configuration. |
| Emergency Change Management Procedure (ENG-PROC-004) | Engineering & Security Teams | Outlines the expedited process for authorizing and deploying an emergency change to resolve a critical issue. |
| System Hardening and Baselining Procedure (ENG-PROC-005) | Security Team | Describes the process for applying security baselines to new systems and verifying their ongoing compliance. |