Capability Statements

Each service category is listed below with an explanation of what it covers, grouped by service line.

Consulting

Governance: Board and senior management level activities to establish good corporate governance of technology; creation of an information security framework.

Strategy: Alignment with business strategy, strategic objectives, strategic imperatives, strategy tree, etc.

Security Planning: Strategic, tactical and operational planning, including direction setting, budgeting, phase development and programme/project creation.

Privacy: Legal and regulatory requirement assessment, compliance requirement and compliance roadmap development.

Business Continuity: Contingency planning; business continuity, disaster recovery and business resumption design and planning, including the development of MTO, MAO, RPO, RTO, etc.

Security Training: Training is available at Board and management level, as well as generic and technology-specific training.

Performance Metric Creation: Establishing performance targets and metric types (Balanced Scorecard, etc.); metrics development and implementation.

Management

Temporary CISO, CRO, CCO: Management of C-level (senior, executive) management activities, e.g. identifying drivers such as technology, business environment, risk tolerance and geographic location, and their impact on information security.

Security Programme Management: Overseeing enterprise-level information security programme creation and execution.

Information Security Lifecycle Management: Integrating information security programme requirements into organisational life cycle activities such as the change management process; service provider management.

Risk Management: Overseeing the risk assessment and risk mitigation cycles, baselining; evaluating and managing effectiveness.

Incident Management: Overseeing incident prevention, incident handling and recovery, post-incident, forensic and law enforcement activities.

Compliance Management: Identifying current and potential legal and regulatory issues affecting information security, assessing their impact on the enterprise and ensuring compliance with requirements.

Technology Implementation: Full technology life cycle establishment and management, including the development of business cases, RFIs, RFTs, etc.

Assessment

Security Posture Analysis: Security perspective (focus, scope, approach, ownership, funding) assessment; baseline creation, role and organisation creation, architecture appropriateness, etc.

Security Audit: Information security control applicability, currency and implementation effectiveness, applied practices, security posture maturity, regulatory compliance; vulnerability assessment.

Design

Security Architecture: Conceptual architecture, including the information security framework (governance, policy-standard hierarchy, administrative processes and procedures), internal and external reporting and communication channels, separation of internal and external service provision, and measurement (SLAs).

Technical Architecture: Detailed information security solutions for specific areas (e.g. infrastructure, identity management, privacy, application integrity, etc.), either as a point solution or for overall business solutions (e.g. ERP, CRM, TPS, etc.).

Business Process (Re)Design: Assessment and analysis of existing business processes; quality checking; process mapping (multi-level); process innovation and transformation; process objective creation and design.

Document Development

Security Policy: Development of an information security policy framework and policy document that is compliant with the

  • ISO/IEC 17799:2005,
  • AS/NZS 7799.2:2003 and
  • ISO/IEC 27001:2005

standards.

Security Standards: Standard development based on the 11 ISO/IEC 17799:2005 domains, and purpose-specific standards (e.g. antivirus, password management, etc.).

Security Awareness: Development of awareness material (posters, training documents, intranet, etc.), security awareness campaigns and training courses.
