You are the CISO of a well-known semiconductor manufacturer in Taiwan that implements RosettaNet, an XML-based protocol for Partner Interface Processes (PIPs), to streamline global supply chain operations. You are developing the third party connection policy that governs direct connections from parties external to your company. Which of the following is the least concern?
A. Procedures for the periodical auditing of connections
B. Trust models for the grant of authorization for connections
C. Exclusion of the current remote access policy from the policy scope
D. Requirements for demonstration of compelling business needs for the connection
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Procedures for the periodical auditing of connections.
As a CISO and a member of senior management, what should you consider when developing a policy? Scope, requirements, authority, roles and responsibilities, etc., are the fundamental elements of a policy document.
- Procedures are step-by-step instructions at the operational level. It's too early, or even inappropriate, for a CISO to consider how work is done when developing policies.
- Moreover, it's common for the audit department, an independent unit or entity, to be in charge of auditing. Depending on the governance structure and the security function, taking care of auditing procedures may not be the responsibility of the CISO.
The scope of a policy may cover the whole organization, some organizational units, or specific groups, roles, issues, or even systems. The scope should be addressed at an early stage of policy development.
The remote access policy is related to connections as well. Will its scope overlap with that of the third party connection policy? Whether you exclude or include it in the policy you are developing, it is a scoping concern either way.
1. Business Needs
A policy is the intention of top management. In other words, management imposes requirements through policies to govern and direct an organization. All activities in an organization should be aligned with the business to create value and fulfill the strategy, vision, and mission.
Management will certainly require that third-party connections not be approved without a good reason that supports the business.
2. Trust Models
Trust models are security requirements. For example, the policy may require a third party to be ISO 27001 certified before a connection is approved.
NIST SP 800-39 introduces five generic trust models, which are excerpted in my book, The Effective CISSP: Security and Risk Management, as follows:
You are the CISO of a well-known semiconductor manufacturer in Taiwan that implements RosettaNet, an XML-based protocol for Partner Interface Processes (PIPs), to streamline global supply chain operations. You are developing the third party connection policy that governs direct connections from parties external to your company. Which of the following is the least concern?