Page 157 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

governing body should participate in full and open document exchange and review. An organization needs to know the full details of all requirements it must comply with. The organization should submit security policy and self-assessment reports back to the governing body. This open document exchange ensures that all parties involved are in agreement about all the issues of concern. It reduces the chances of unknown requirements or unrealistic expectations. Document exchange does not end with the transmission of paperwork or electronic files. Instead, it leads into the process of documentation review.

Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. The documentation review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation. However, if the documentation is incomplete, inaccurate, or otherwise insufficient, the on-site review is postponed until the documentation can be updated and corrected. This step is important because if the documentation is not in compliance, chances are the location will not be in compliance either.

In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO). Complete and sufficient documentation can often maintain an existing ATO or provide a temporary ATO (TATO). However, once an ATO is lost or revoked, a complete documentation review and on-site review showing full compliance is usually necessary to reestablish the ATO.

A portion of the documentation review is the logical and practical investigation of the business processes and organizational policies. This review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective and, most of all (at least in relation to security governance), that they support the goal of security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. Risk management,