The document outlines requirements for a comprehensive security report that must address authentication, auditing, encryption, attack detection including social engineering, an incident response plan, and physical security. It specifies the report must include an opening purpose statement followed by a scope definition, responsibilities definition, and stakeholder identification. Each security domain must have its own section and any frameworks, methodologies, or vendor dependencies should be clearly stated.
1. The final deliverable should be a comprehensive report that
addresses several security domains:
Authentication (both administrative and end user).
Auditing and accounting for user actions.
Encryption for data at rest and in flight.
Mechanisms to detect attacks (outsider vs. insider), including
provisions for social engineering/phishing.
An incident response plan (identify stakeholders, responses to
different levels of events, testing).
Physical security at HQ and physical security requirements for
vendors.
The format is to open with a purpose statement, followed by a
scope statement outlining the boundaries of the document, a
statement defining who is responsible for the document and for the
systems it covers, and a definition of the stakeholders. A response
must then be given for each subject area listed above. Any frameworks
or methodologies used should be clearly stated, and any dependencies
or controls that are inherited from vendors should also be clearly
stated.