Management: Documentation: How should security-related issues be documented?
Options:Option 1: Use no or minimal documentation of the protection process.
Option 2: Create written documents reflecting all official management decisions and retain them.
Option 3: Create a document control system for protection-related information.
Option 4: Integrate protection-related documentation into the enterprise business records and document control system.
Based on the maturity level of the enterprise, use the appropriate document control processes.
Basis:Use no or minimal documentation of the protection process.
Enterprises who have minimal protection programs and with immature programs tend to have inadequate documentation to operate systematically.
Create written documents reflecting all official management decisions and retain them.
Written documents of the protection program are a fundamental starting point to the creation of a systematic approach that allows actions to be tracked to decisions and decisions to be made and reviewed systematically.
Create a document control system for protection-related information.
Document control systems are generally required for protection programs of substantial sizes, if only to assure that changes are properly managed and historic documents can be located to deal with legacy systems and issues. Legal and contractual issues often become problematic when inadequate documentation exists, and audits, reviews, and other similar things tend to be unable to be completed, resulting in lost business and reduced business efficiency. Records retention and disposition is also problematic without some sort of a systematic approach to dealing with documents.
Integrate protection-related documentation into the enterprise business records and document control system.
Mature programs and enterprises tend to have systematic approaches to document control to allow them to meet contractual, regulatory, statutory, and other related demands, including legal holds and disposition of records no longer necessary for business operations. Where feasible document control systems should be integrated with and used to control protection-related documentation just as any other business records.