IWETHEY v. 0.3.0

I'm doing a peer review - (jbrabeck)
Here's a sample. Feel free to make suggestions. The entire manual is like this!
Application Information Security Assurance (ISA)

This service identifies the sensitivity and criticality of an information resource and the corresponding security requirements in the Business Impact Assessment; designs information security protection mechanisms, controls, and processes that will satisfy the requirements; ensures the appropriate protection mechanisms, controls, and processes are implemented and tested; manages the residual risk; and culminates with a certification (the technical analysis that establishes the extent to which an application meets specified security requirements), accreditation (the management analysis that determines, from a business standpoint, whether implemented security controls satisfy specified security requirements to a level that provides an acceptable level of risk); and approval to deploy the information resource.
I perform these ISAs all the time, and I still had a hard time trying to determine what was being said!
A good friend will come and bail you out of jail ... but, a true friend will be sitting next to you saying, "Damn...that was fun!"
I think it's a lost cause. - (Another Scott)
There's a mountain of paperwork on writing in clear language out there, e.g. [link|http://www.dot.gov/ost/ogc/plain.htm|DOT]. But people who write the rule book don't seem to care.

As a rough translation, I'd offer:

Application Information Security Assurance (ISA)

This service's mission is to identify the sensitivity and importance of an information resource and the corresponding security requirements in the Business Impact Assessment; design information security protection mechanisms, controls, and processes that will satisfy the requirements; ensure the appropriate protection mechanisms, controls, and processes are implemented and tested; manage the residual risk; and produce a certification (the technical analysis that establishes the extent to which an application meets specified security requirements), accreditation (the management analysis that determines, from a business standpoint, whether implemented security controls satisfy specified security requirements to a level that provides an acceptable level of risk); and approval to deploy the information resource.


But even that is a mish-mash. It's not clear whether ISA is a group of people that does something, or a software process or what.

Is it a paper document or on-line? If it's on-line, I'd suggest hyperlinking definitions of the various jargon (BIA, etc.). If it's not on-line, I'd use footnotes to define certification, accreditation, etc.

But I'm not an editor, so take my comments with a bunch of salt. :-)

Good luck! I think you'll need it. Unfortunately. :-/

Cheers,
Scott.
It's a paper process - (jbrabeck)
To determine:
Sensitivity (of data) and Criticality (importance to running of business) of the application.
Determine security requirements that must be implemented.
Upon implementation of the security requirement, the Security Officer will then issue a security certification.
After the security certification, management will then accredit the system.
And then the new/updated system can be deployed.
A good friend will come and bail you out of jail ... but, a true friend will be sitting next to you saying, "Damn...that was fun!"
There, use that - (drewk)
It says the same thing (I think) and it's in plain English.
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
Re: I'm doing a peer review - (pwhysall)
[link|http://www.plainenglish.co.uk/guides.html|http://www.plainengl...co.uk/guides.html]

Try that. It's Actual English, of course, but the principles still hold.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
'twas posted as an example of what I'm up against. - (jbrabeck)
This is the proposed change! The initial is not much better.

I'm rewriting this one section only. Doubt if it'll even get past my boss (she's leery of upsetting the "powers that be" on this).

The entire manual should be rewritten.
A good friend will come and bail you out of jail ... but, a true friend will be sitting next to you saying, "Damn...that was fun!"
Edited by jbrabeck Feb. 22, 2006, 05:08:05 PM EST
Culminating in three things - (Arkadiy)
Serial orgasm?

------

179. I will not outsource core functions.
--
[link|http://omega.med.yale.edu/~pcy5/misc/overlord2.htm|.]

     I'm doing a peer review - (jbrabeck) - (6)
         I think it's a lost cause. - (Another Scott) - (2)
             It's a paper process - (jbrabeck) - (1)
                 There, use that - (drewk)
         Re: I'm doing a peer review - (pwhysall) - (1)
             'twas posted as an example of what I'm up against. - (jbrabeck)
         Culminating in three things - (Arkadiy)
