Problem

Strong and relevant policies are the foundation for any organization. Detailed and practical instructions have to be put in place, but they also have to change as the organization changes. A corporation without practical and relevant policies is open for problems from people, process and technology areas. They are the cornerstone of a dynamic security group and support users in the business risks they face. Without effective operational security policies, procedures and practices, maintaining appropriate security is often elusive. Policies are unique to your organization and can be tailored against such industry best practices such as ISO and CoBIT standards.

Solution

A complete set of security policies can be developed including the infrastructure, third-party, asset classification, accountability, personnel security, physical and environmental security, communications security, operations security, user education and awareness, access control, system development life cycle, business continuity, disaster recovery and regulatory compliance. We can develop policies tailored to your business and teach your staff how to maintain them appropriately. A Gap Analysis of current policies is conducted, your operating environment is analyzed and policies are then developed. We will require access to all relevant information security policies, standards, guidelines, and procedures. Policies and procedures to be analyzed and evaluated may include:

Disaster Recovery/Business Continuity Plan

Account Administration (administrative & user)

Security and Control over Network Servers (Web, databases etc)

Configuration and Control Over Routers and Gateways

Firewall Administration Procedures

Monitoring and Review Procedures

Remote Access Policies

Intrusion Detection

Forensics

Database security procedures

Privacy

Data classification standards

We map policies to industry best practices, develop processes to keep new policies up-to-date and develop basic “Do’s and Don’ts” training material to disseminate to all employees. Examples of key areas that are required in any organization include:

Legal and Regulatory Compliance

Privacy

Incident Management

Incident Response and Notification

Virus and Malicious Code Protection

Network Security

Information System Logging and Monitoring

Intrusion Detection and Incident Response

Continuity of Operations and Disaster Recovery

Minimum Security Baselines

Systems and Applications Development Security

Access Control

Remote Access Security

Mobile Computing

Physical and Environmental Security

Personnel Security

Security Awareness and Training

Acceptable Use

Risk Assessment and Data Classification

Information Security Roles and Responsibilities

We will develop “marketing” material that the company can use to educate employees and make the new security policy requirements easily understandable and digestible. “Do’s and Don’ts”, “Top Ten”, “Remote Employee Security” and other concise security material will be developed that can be used throughout the year to keep users informed of their security responsibilities.

How the Process Works

We will conduct a basic analysis of the operating environment. This initial phase will allow us to review current policies, understand the business goals and develop lists of policies needed to cover all aspects of security. We will understand weaknesses in the current security policies and determine what needs to be accomplished. We will meet with the staff regularly and keep constant communication. At the conclusion, the company will receive a well organized detailed and summary report and policies to be used and modified in the future. Procedural recommendations will be made to have the company staff continuously and proactively maintain the new security policies as part of the overall security strategy. The results of the Policy review will be a complete list of security policies that are practical and efficient. Well defined policies will notify external parties such as customers, suppliers, business partners and regulatory agencies of the corporation’s stance on all security issues and sets expectations properly.