Reduce the Likelihood of a Breach
Put standard policies and procedures in place to limit the likelihood of occurrences and to ensure there are processes to deal with issues efficiently and effectively.
Simplify Policy Maintenance
Formal, rationalized policies are efficient to revise and maintain.
Formally documented and enforced policies are key to demonstrating due diligence, proactive threat reduction, and overall compliance consistency.
Eliminate Unnecessary Policies
By aligning to best practices, you ensure you are compliant while potentially eliminating unnecessary or redundant policies, reducing policy fatigue.
Every Security Policy You Need Today
Policies must be reasonable, auditable, enforceable, and measurable.
If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies that are quantified and qualified in order to be relevant.
No published framework is a perfect fit for your organization.
One (or several) frameworks may provide useful guidance in developing your policy suite. From there, figure out what policy items apply to your organization and customize the documents. Otherwise, the policies won’t be enforceable.
Highly effective policies are written without a technical audience in mind.
Your policies should be “skimmable.” Few people will fully read a policy before accepting it. Make it obvious where and when a policy applies so that when an employee needs to read a policy, they can easily find relevant information.
Find out if you have the right security policies in place and if they are well written.
Determine Which Framework Fits Your Needs
Choose to align your policy suite to the Info-Tech, NIST 800-171, or ISO 27001 policy framework.
Identify Policy Requirements
Assess the policy requirements that your organization has, based on meeting compliance and regulation obligations, business objectives, and desired best practices.
Determine Policy Status and Assign Development Action
Assess the current state of your existing security policy suite. Identify gaps so that policies can be created or updated to align with industry best practice standards.
Prioritize Policy Initiatives
Use a policy’s alignment to the business and the time required to create, update, or retire the policy to prioritize the list of policy development actions.
Create Your Prioritized Roadmap
Consider policy priorities and business and IT objectives to build a roadmap for developing the security policy suite.