Documentation Standards for Information Security Documents
Document Owner: Brian Dahlin, Chief Information Security Officer
Document Approver: Bernard Gulachek, Vice President and Chief Information Officer
Effective Date: August 31, 2012
Last Reviewed Date: October 2, 2015
This document establishes standards for Information Security documentation. These standards will maintain consistency in our Information Security programs. These standards apply the principles of ISO/IEC 27001:2005 section 4.3.2.
All Information Security documents developed for creating University-wide standards, procedures or best practices must follow these documentation standards. Information Security documents developed to establish Administrative Policy or Procedure must follow the University’s Establishing Administrative Policies.
Exceptions to this standard must be approved by University Information Security (firstname.lastname@example.org). Non-compliance with this standard must be reported to University Information Security (email@example.com).
Standard and Process
All Information Security documentation within the scope of this standard must contain:
- Objective – the purpose of the document.
- Scope – identifies to whom and/or to what assets the standard and process apply.
- Compliance – identifies the requirement to comply with the document, where to report non-compliance, and where to request exceptions.
- Standard and Process – the standard defines the rules to which the individuals or assets within the scope must adhere; the process provides greater detail on the standard by describing how the individuals or assets comply with it.
- Document Owner – the contact for document content questions and document revisions.
- Document Approver – the Chief Information Officer has delegated document approval to the Chief Information Security Officer and the University Enterprise Architect.
- Effective Date – the date the document was implemented and enforced.
- Last Reviewed Date – the date the document was last reviewed for changes, updates, or document retirement.
Documents created and approved using this standard are to be reviewed at regular intervals for changes, updates, or document retirement. Current document owners must be updated or affirmed during routine document maintenance. The document owner determines how often the document requires routine maintenance; however, the regular interval must not exceed 3 years from the prior Last Reviewed Date. Documents must be reviewed every 3 years, or more often at the document owner’s discretion.
Documentation Development, Review, Approval, and Implementation
The diagram below depicts the document development, review, approval and implementation process.
[Diagram: document development, review, approval and implementation process. Participants and stages shown: UMN Information Security, Process Owner, Service Owner, Privacy Officers, Chief Information Security Officer, Vice President & Chief Information Officer, Publish Standard.]
During the Development / Initial Review, the document developer must identify the appropriate Process Owners, Service Owners, and / or Stakeholders to review the document. While no specific individual’s or group’s review is required, it is highly recommended that representatives of those most affected by the document’s contents be involved in the review.
During the University Review, the document developer may identify the appropriate stakeholders and Privacy Officer to review the document. While no specific individual’s or group’s review is required, it is highly recommended that representatives of those most affected by the document’s contents be involved in the review.
Review and input from the Process Owner, Service Owner, Stakeholders, and Privacy Officers are required before Final Approval / Review.
In order for the Chief Information Security Officer and the Vice President and Chief Information Officer to approve the document, the document developer will provide:
- Final Draft of the document
- Sufficient evidence of review and approval by the Process Owner, Service Director, Privacy Officers, and / or Stakeholders
- The implementation plan that includes the communication and security awareness plan.
The multiple layers of review and approval will work to establish consistency in documentation, appropriate IT community review, and standards for the University that are reasonable to follow.