6.4.1 For r2 assessments, the Organization Information webform in MyCSF must be completed by the Assessed Entity. For i1 or e1 assessments, the Organization Information page in MyCSF can be completed by either the Assessed Entity or the External Assessor.

The following information is entered on the Organization Information webform:

Organization/Company Background

6.4.2 The Company Background section should be a one- to two-paragraph overview of the Assessed Entity, which will appear in the final assessment report. Content may include the assessed organization’s mission statement, values, or primary business lines. This information may be similar to the “About us” section of the Assessed Entity’s website.

6.4.3 The organization/company background may NOT:

  • Include information related to number of employees, geographic areas served, compliance requirements, or systems in scope. This information is presented elsewhere in the report.
  • Use industry-specific terms or acronyms that are not defined.
  • Discuss scope of the assessment.
  • Include marketing language such as “We are the best service provider…”.

Overview of the Security Organization

6.4.4 The Overview of the Security Organization section should include information about the structure and operation of the information security program at the Assessed Entity and will appear in the final assessment report. It is recommended that this be limited to no more than three paragraphs. Topics may include:

  • Organization’s information security framework
  • Description of the information security organization
  • Scope and responsibilities of different information security teams within the organization
  • Management and monitoring of the information security program
  • Objectives, approach, scope, and goals of the information security program
  • Risk assessment process and risk management program

6.4.5 The overview of the security organization may NOT:

  • Mention specific tools
  • Include information about the scope of the assessment
  • Include confidential information

Contact Information

6.4.6 The Contact Information should include the name, job title, email, and phone number of the primary point of contact from the Assessed Entity.

Primary Mailing Address

The Primary Mailing Address will appear in the final assessment reports.