Get Instant Access
to This Blueprint

Security icon

Develop and Deploy Security Policies

Enhance your overall security posture with a defensible and prescriptive policy suite.

  • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
  • Data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
  • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

Our Advice

Critical Insight

  • Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.
  • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies to be quantified and qualified for them to be relevant.

Impact and Result

  • Save time and money using the templates provided to create your own customized security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

Develop and Deploy Security Policies Research & Tools

1. Develop and Deploy Security Policies Deck – A step-by-step guide to help you build, implement, and assess your security policy program.

Our systematic approach will ensure that all identified areas of security have an associated policy.

This blueprint will help you build and implement your security policy program by following our four-phase methodology:

  • Develop the security policy program.
  • Develop and implement the policy suite.
  • Communicate the security policy program.
  • Measure the security policy program.

2. Security Policy Prioritization Tool – A structured tool to help your organization prioritize your policy suite to ensure that you are addressing the most important policies first.

The Security Policy Prioritization Tool assesses the policy suite on policy importance, ease to implement, and ease to enforce. The output of this tool is your prioritized list of policies based on our policy framework.

3. Security Policy Assessment Tool – A structured tool to assess the effectiveness of policies within your organization and determine recommended actions for remediation.

The Security Policy Assessment Tool assesses the policy suite on policy coverage, communication, adherence, alignment, and overlap. The output of this tool is a checklist of remediation actions for each individual policy.

4. Security Policy Lifecycle Template – A customizable lifecycle template to manage your security policy initiatives.

The Lifecycle Template includes sections on security vision, security mission, strategic security and policy objectives, policy design, roles and responsibilities for developing security policies, and organizational responsibilities.

6. Policy Communication Plan Template – A template to help you plan your approach for publishing and communicating your policy updates across the entire organization.

This template helps you consider the budget time for communications, identify all stakeholders, and avoid scheduling communications in competition with one another.

7. Security Awareness and Training Program Development Tool – A tool to help you identify initiatives to develop your security awareness and training program.

Use this tool to first identify the initiatives that can grow your program, then as a roadmap tool for tracking progress of completion for those initiatives.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.5/10


Overall Impact

$20,205


Average $ Saved

19


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Champaign Residential Services Inc

Guided Implementation

10/10

$12,999

10

Having an outside perspective to help us review each policy has been invaluable. Sometimes, we have blinders on when it comes to our own environmen... Read More

NIPPON GASES EURO-HOLDING, SLU

Workshop

9/10

$35,500

32

Trillium Mutual Insurance Company

Guided Implementation

10/10

$3,000

20

Excellent resource, both knowledgeable and experienced. Recognized our concerns, encouraged us in our progress and showed us other tools which coul... Read More

Caribbean Public Health Agency

Guided Implementation

10/10

$12,999

20

College Medical Center Long Beach

Guided Implementation

10/10

$12,999

50

STERIS Corporation

Guided Implementation

10/10

$12,999

20

The best part was the mapping to the standards of the policy statements. It is something we are keeping as we transfer it to our standard format. ... Read More

Nieuport Aviation

Guided Implementation

10/10

$6,000

10

Eastern Lancaster County School District

Guided Implementation

8/10

$10,399

50

Lake County, FL

Workshop

10/10

N/A

10

Having time to focus on our security policies and to have input from an expert was extremely valuable. We were able to get through several policy d... Read More

Svante

Guided Implementation

8/10

N/A

N/A

The instructor helped me guide which direction and order I should tackle this issue. I'm hoping to continue conversation regarding general security... Read More

United Way Suncoast

Guided Implementation

10/10

N/A

23

Best part of the experience was working with the analyst as he understood what we were looking for as an organization. Worst part was working on th... Read More

Legal Practitioners Fidelity Fund

Guided Implementation

9/10

$2,298

5

State Universities Retirement System Of Illinois

Workshop

10/10

$116K

10

Cameron and Danny were great and highly knowledgeable and did not stop at only policy reviews but helped assess current NIST compliance as part of ... Read More

Caribbean Public Health Agency

Guided Implementation

10/10

$2,599

2

Very knowledgeable Very accommodation

Burke and Herbert Bank and Trust Company

Guided Implementation

10/10

$37,799

20

Factors Group of Companies

Guided Implementation

10/10

$20,500

5

Kern County Information Technology Services

Guided Implementation

9/10

$2,599

5

The interactions with the experts.

Camosun College

Guided Implementation

9/10

$10,000

20

The part was seeing how all the security policies work together, how simple they are yet effective. The downside is that when I took our work to se... Read More

City of Alexandria, VA

Guided Implementation

9/10

$84,499

18

The best part was talking to an experienced consultant about the pain points that were having throughout the process. The worst part was trying to... Read More

Inter Continental Real Estate and Development Corporation

Guided Implementation

10/10

$2,599

5

It helps to have someone give guidance on what policies should look like and what not to put in them.

City Of Chesapeake

Guided Implementation

9/10

N/A

N/A

The consultant was very knowledgeable and professional.

Cross Insurance

Guided Implementation

8/10

N/A

2

The best part was discussion around ideas of building engagement between the business and security posture as well as participation from staff. ... Read More

Caribbean Public Health Agency

Guided Implementation

10/10

$12,599

50

Best: Very knowledgeable and give good advise Switch consultants but these things happen

Fernco Inc

Guided Implementation

10/10

$31,499

35

Best: The templates and advisory sessions gave a good starting point to establish security policies and procedures Worst: The amount of time r... Read More

Omya (Schweiz) AG

Guided Implementation

10/10

N/A

10

Caerus Operating LLC

Workshop

9/10

$20,159

20

Workshop ran ver smoothly and the pre calls worked out well to make sure expectations were meet during the workshop and they were

Corix Infrastructure Inc.

Guided Implementation

9/10

$11,500

10

Centrastate Healthcare Systems

Guided Implementation

10/10

$7,439

35

Ian was fantastic' I would recommend him on all projects

Digital Armour Corporation

Guided Implementation

10/10

$4,959

2

Isaac

Simcoe Muskoka Catholic District School Board

Guided Implementation

10/10

$10,000

20

Working with Ian Mulholland has been a great pleasure. His breadth of knowledge and expertise in all aspects of Security/Governance is amazing. His... Read More


Workshop: Develop and Deploy Security Policies

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Define the Security Policy Program

The Purpose

  • Define the security policy development program.
  • Formalize a governing security policy lifecycle.

Key Benefits Achieved

  • Understanding the current state of policies within your organization.
  • Prioritizing list of security policies for your organization.
  • Being able to defend policies written based on business requirements and overarching security needs.
  • Leveraging an executive champion to help policy adoption across the organization.
  • Formalizing the roles, responsibilities, and overall mission of the program.

Activities

Outputs

1.1

Understand the current state of policies.

  • Security Policy Prioritization Tool
1.2

Align your security policies to the Info-Tech framework for compliance.

1.3

Understand the relationship between policies and other documents.

1.4

Prioritize the development of security policies.

  • Security Policy Prioritization Tool
1.5

Discuss strategies to leverage stakeholder support.

1.6

Plan to communicate with all stakeholders.

1.7

Develop the security policy lifecycle.

  • Security Policy Lifecycle Template

Module 2: Develop the Security Policy Suite

The Purpose

  • Develop a comprehensive suite of security policies that are relevant to the needs of the organization.

Key Benefits Achieved

  • Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.

Activities

Outputs

2.1

Discuss the risks and drivers your organization faces that must be addressed by policies.

  • Understanding of the risks and drivers that will influence policy development.
2.2

Develop and customize security policies.

  • Up to 14 customized security policies (dependent on need and time).
2.3

Develop a plan to gather feedback from users.

2.4

Discuss a plan to submit policies for approval.

Module 3: Implement Security Policy Program

The Purpose

  • Ensure policies and requirements are communicated with end users, along with steps to comply with the new security policies.
  • Improve compliance and accountability with security policies.
  • Plan for regular review and maintenance of the security policy program.

Key Benefits Achieved

  • Streamlined communication of the policies to users.
  • Improved end user compliance with policy guidelines and be better prepared for audits.
  • Incorporate security policies into daily schedule, eliminating disturbances to productivity and efficiency.

Activities

Outputs

3.1

Plan the communication strategy of new policies.

  • Policy Communication Plan Template
3.2

Discuss myPolicies to automate management and implementation.

  • Understanding of how myPolicies can help policy management and implementation.
3.3

Incorporate policies and processes into your security awareness and training program.

  • Security Awareness and Training Program Development Tool
3.4

Assess the effectiveness of security policies.

  • Security Policy Assessment Tool
3.5

Understand the need for regular review and update.

  • Action plan to regularly review and update the policies.

Develop and Deploy Security Policies

Enhance your overall security posture with a defensible and prescriptive policy suite.

Analyst Perspective

A policy lifecycle can be the secret sauce to managing your policies.

A policy for policy’s sake is useless if it isn’t being used to ensure proper processes are followed. A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant.

Policies should be developed based on the use cases that enable the business to run securely and smoothly. Ensure they are aligned with the corporate culture. Rather than introducing hindrances to daily operations, policies should reflect security practices that support business goals and protection.

No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep your organization secure.

Photo of Danny Hammond, Research Analyst, Security, Risk, Privacy & Compliance Practice, Info-Tech Research Group. Danny Hammond
Research Analyst
Security, Risk, Privacy & Compliance Practice
Info-Tech Research Group

Executive Summary

Your Challenge
  • Security breaches are damaging and costly. Trying to prevent and respond to them without robust, enforceable policies makes a difficult situation even harder to handle.
  • Informal, un-rationalized, ad hoc policies are ineffective because they do not explicitly outline responsibilities and compliance requirements, and they are rarely comprehensive.
  • Without a strong lifecycle to keep policies up to date and easy to use, end users will ignore or work around poorly understood policies.
  • Time and money is wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy program.
Common Obstacles

InfoSec leaders will struggle to craft the right set of policies without knowing what the organization actually needs, such as:

  • The security policies needed to safeguard infrastructure and resources.
  • The scope the security policies will cover within the organization.
  • The current compliance and regulatory obligations based on location and industry.
InfoSec leaders must understand the business environment and end-user needs before they can select security policies that fit.
Info-Tech’s Approach

Info-Tech’s Develop and Deploy Security Policies takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

  • Assess what security policies currently exist within the organization and consider additional secure policies.
  • Develop a policy lifecycle that will define the needs, develop required documentation, and implement, communicate, and measure your policy program.
  • Draft a set of security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

Info-Tech Insight

Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.

Your Challenge

This research is designed to help organizations design a program to develop and deploy security policies

  • A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.
  • The development of policy documents is an ambitious task, but the real challenge comes with communication and enforcement.
  • A good security policy allows employees to know what is required of them and allows management to monitor and audit security practices against a standard policy.
  • Unless the policies are effectively communicated, enforced, and updated, employees won’t know what’s required of them and will not comply with essential standards, making the policies powerless.
  • Without a good policy lifecycle in place, it can be challenging to illustrate the key steps and decisions involved in creating and managing a policy.

The problem with security policies

29% Of IT workers say it's just too hard and time consuming to track and enforce.

25% Of IT workers say they don’t enforce security policies universally.

20% Of workers don’t follow company security policies all the time.

(Source: Security Magazine, 2020)

Common obstacles

The problem with security policies isn’t development; rather, it’s the communication, enforcement, and maintenance of them.

  • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
  • Date breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
  • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.
Bar chart of the 'Average cost of a data breach' in years '2019-20', '20-21', and '21-22'.
(Source: IBM, 2022 Cost of a Data Breach; n=537)

Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020.

Info-Tech’s approach

The right policy for the right audience. Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.

Actions

  1. Develop policy lifecycle
  2. Identify compliance requirements
  3. Understand which policies need to be developed, maintained, or decommissioned
I. Define Security Policy Program

a) Security policy program lifecycle template

b) Policy prioritization tool
Clockwise cycle arrows at the centre of the table. II. Develop & Implement Policy Suite

a) Policy template set

Policies must be reasonable, auditable, enforceable, and measurable. Policy items that meet these requirements will have a higher level of adherence. Focus on efficiently creating policies using pre-developed templates that are mapped to multiple compliance frameworks.

Actions

  1. Differentiate between policies, procedures, standards, and guidelines
  2. Draft policies from templates
  3. Review policies, including completeness
  4. Approve policies
Gaining feedback on policy compliance is important for updates and adaptation, where necessary, as well as monitoring policy alignment to business objectives.

Actions

  1. Enforce policies
  2. Measure policy effectiveness
IV. Measure Policy Program

a) Security policy tracking tool

III. Communicate Policy Program

a) Security policy awareness & training tool

b) Policy communication plan template
Awareness and training on security policies should be targeted and must be relevant to the employees’ jobs. Employees will be more attentive and willing to incorporate what they learn if they feel that awareness and training material was specifically designed to help them.

Actions

  1. Identify any changes in the regulatory and compliance environment
  2. Include policy awareness in awareness and training programs
  3. Disseminate policies
Build trust in your policy program by involving stakeholder participation through the entire policy lifecycle.

Blueprint benefits

IT/InfoSec Benefits

  • Reduces complexity within the policy creation process by using a single framework to align multiple compliance regimes.
  • Introduces a roadmap to clearly educate employees on the do’s and don’ts of IT usage within the organization.
  • Reduces costs and efforts related to managing IT security and other IT-related threats.

Business Benefits

  • Identifies and develops security policies that are essential to your organization’s objectives.
  • Integrates security into corporate culture while maximizing compliance and effectiveness of security policies.
  • Reduces security policy compliance risk.

Key deliverable:

Security Policy Templates

Templates for policies that can be used to map policy statements to multiple compliance frameworks.

Sample of Security Policy Templates.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Security Policy Prioritization Tool

The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
Sample of the Security Policy Prioritization Tool.
Sample of the Security Policy Assessment Tool.

Security Policy Assessment Tool

Info-Tech's Security Policy Assessment Tool helps ensure that your policies provide adequate coverage for your organization's security requirements.

Measure the value of this blueprint

Phase

Purpose

Measured Value

Define Security Policy Program Understand the value in formal security policies and determine which policies to prepare to update, eliminate, or add to your current suite. Time, value, and resources saved with guidance and templates:
1 FTE*3 days*$80,000/year = $1,152
Time, value, and resources saved using our recommendations and tools:
1 FTE*2 days*$80,000/year = $768
Develop and Implement the Policy Suite Select from an extensive policy template offering and customize the policies you need to optimize or add to your own policy program. Time, value, and resources saved using our templates:
1 consultant*15 days*$150/hour = $21,600 (if starting from scratch)
Communicate Security Policy Program Use Info-Tech’s methodology and best practices to ensure proper communication, training, and awareness. Time, value, and resources saved using our training and awareness resources:
1 FTE*1.5 days*$80,000/year = $408
Measure Security Policy Program Use Info-Tech’s custom toolkits for continuous tracking and review of your policy suite. Time, value, and resources saved by using our enforcement recommendations:
2 FTEs*5 days*$160,000/year combined = $3,840
Time, value, and resources saved by using our recommendations rather than an external consultant:
1 consultant*5 days*$150/hour = $7,200

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Overall Impact

9.5 /10

Overall Average $ Saved

$29,015

Overall Average Days Saved

25

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is six to ten calls over the course of two to four months.

What does a typical GI on this topic look like?

Phase 1

Phase 2

Phase 3

Phase 4

Call #1: Scope security policy requirements, objectives, and any specific challenges.

Call #2: Review policy lifecycle; prioritize policy development.

Call #3: Customize the policy templates.

Call #4: Gather feedback on policies and get approval.

Call #5: Communicate the security policy program.

Call #6: Develop policy training and awareness programs.

Call #7: Track policies and exceptions.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1 Day 2 Day 3 Day 4 Day 5
Define the security policy program
Develop the security policy suite
Develop the security policy suite
Implement security policy program
Finalize deliverables and next steps
Activities

1.1 Understand the current state of policies.

1.2 Align your security policies to the Info-Tech framework for compliance.

1.3 Understand the relationship between policies and other documents.

1.4 Prioritize the development of security policies.

1.5 Discuss strategies to leverage stakeholder support.

1.6 Plan to communicate with all stakeholders.

1.7 Develop the security policy lifecycle.

2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.

2.2 Develop and customize security policies.

2.1 Discuss the risks and drivers your organization faces that must be addressed by policies (continued).

2.2 Develop and customize security policies (continued).

2.3 Develop a plan to gather feedback from users.

2.4 Discuss a plan to submit policies for approval.

3.1 Plan the communication strategy for new policies.

3.2 Discuss myPolicies to automate management and implementation.

3.3 Incorporate policies into your security awareness and training program.

3.4 Assess the effectiveness of policies.

3.5 Understand the need for regular review and update.

4.1 Review customized lifecycle and policy templates.

4.2 Discuss the plan for policy roll out.

4.3 Schedule follow-up Guided Implementation calls.

Deliverables
  1. Security Policy Prioritization Tool
  2. Security Policy Lifecycle
  1. Security Policies (approx. 9)
  1. Security Policies (approx. 9)
  1. Policy Communication Plan
  2. Security Awareness and Training Program Development Tool
  3. Security Policy Assessment Tool
  1. All deliverables finalized

Develop and Deploy Security Policies

Phase 1

Define the Security Policy Program

Phase 1

1.1 Understand the current state

1.2 Align your security policies to the Info-Tech framework

1.3 Document your policy hierarchy

1.4 Prioritize development of security policies

1.5 Leverage stakeholders

1.6 Develop the policy lifecycle

Phase 2

2.1 Customize policy templates

2.2 Gather feedback from users on policy feasibility

2.3 Submit policies to upper management for approval

Phase 3

3.1 Understand the need for communicating policies

3.2 Use myPolicies to automate the management of your security policies

3.3 Design, build, and implement your communications plan

3.4 Incorporate policies and processes into your training and awareness programs

Phase 4

4.1 Assess the state of security policies

4.2 Identify triggers for regular policy review and update

4.3 Develop an action plan to update policies

This phase will walk you through the following activities:

  • Understand the current state of your organization’s security policies.
  • Align your security policies to the Info-Tech framework for compliance.
  • Prioritize the development of your security policies.
  • Leverage key stakeholders to champion the policy initiative.
  • Inform all relevant stakeholders of the upcoming policy program.
  • Develop the security policy lifecycle.

1.1 Understand the current state of policies

Scenario 1: You have existing policies

  1. Use the Security Policy Prioritization Tool to identify any gaps between the policies you already have and those recommended based on your changing business needs.
  2. As your organization undergoes changes, be sure to incorporate new requirements in the existing policies.
  3. Sometimes, you may have more specific procedures for a domain’s individual security aspects instead of high-level policies.
  4. Group current policies into the domains and use the policy templates to create overarching policies where there are none and improve upon existing high-level policies.

Scenario 2: You are starting from scratch

  1. To get started on new policies, use the Security Policy Prioritization Tool to identify the policies Info-Tech recommends based on your business needs. See the full list of templates in the Appendix to ensure that all relevant topics are addressed.
  2. Whether you’re starting from scratch or have incomplete/ad hoc policies, use Info-Tech’s policy templates to formalize and standardize security requirements for end users.
Info-Tech Insight

Policies are living, evolving documents that require regular review and update, so even if you have policies already written, you’re not done with them.

1.2 Align your security policies to the Info-Tech framework for compliance

You have an opportunity to improve your employee alignment and satisfaction, improve organizational agility, and obtain high policy adherence. This is achieved by translating your corporate culture into a policy-based compliance culture.

Align your security policies to the Info-Tech Security Framework by using Info-Tech’s policy templates.

Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:
  • ISO 27001/27002
  • COBIT
  • Center for Internet Security (CIS) Critical Controls
  • NIST Cybersecurity Framework
  • NIST SP 800-53
  • NIST SP 800-171

Info-Tech Security Framework

Info-Tech Security Framework with policies grouped into categories which are then grouped into 'Governance' and 'Management'.

1.3 Document your policy hierarchy

Structuring policy components at different levels allows for efficient changes and direct communication depending on what information is needed.

Policy hierarchy pyramid with 'Security Policy Lifecycle' on top, then 'Security Policies', then 'IT and/or Supporting Documentation'.

Defines the cycle for the security policy program and what must be done but not how to do it. Aligns the business, security program, and policies.
Addresses the “what,” “who,” “when,” and “where.”

Defines high-level overarching concepts of security within the organization, including the scope, purpose, and objectives of policies.
Addresses the high-level “what” and “why.”
Changes when business objectives change.

Defines enterprise/technology – specific, detailed guidelines on how to adhere to policies.
Addresses the “how.”
Changes when technology and processes change.

Info-Tech Insight

Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.

1.3.1 Understand the relationship between policies and other documents

Policy:
  • Provides emphasis and sets direction.
  • Standards, guidelines, and procedures must be developed to support an overarching policy.
Arrows stemming from the above list, connecting to the three lists below.

Standard:

  • Specifies uniform method of support for policy.
  • Compliance is mandatory.
  • Includes process, frameworks, methodologies, and technology.
Two-way horizontal arrow.

Procedure:

  • Step-by-step instructions to perform desired actions.
Two-way horizontal arrow.

Guideline:

Recommended actions to consider in absence of an applicable standard, to support a policy.
This model is adapted from a framework developed by CISA (Certified Information Systems Auditor).

Supporting Documentation

Considerations for standards

Standards. These support policies by being much more specific and outlining key steps or processes that are necessary to meet certain requirements within a policy document. Ideally standards should be based on policy statements with a target of detailing the requirements that show how the organization will implement developed policies.

If policies describe what needs to happen, then standards explain how it will happen.

A good example is an email policy that states that emails must be encrypted; this policy can be supported by a standard such as Transport Layer Security (TLS) encryption that specifically ensures that all email communication is encrypted for messages “in transit” from one secure email server that has TLS enabled to another.

There are numerous security standards available that support security policies/programs based on the kind of systems and controls that an organization would like to put in place. A good selection of supporting standards can go a long way to further protect users, data, and other organizational assets
Key Policies Example Associated Standards
Access Control Policy
  • Password Management User Standard
  • Account Auditing Standard
Data Security Policy
  • Cryptography Standard
  • Data Classification Standard
  • Data Handling Standard
  • Data Retention Standard
Incident Response Policy
  • Incident Response Plan
Network Security Policy
  • Wireless Connectivity Standard
  • Firewall Configuration Standard
  • Network Monitoring Standard
Vendor Management Policy
  • Vendor Risk Management Standard
  • Third-Party Access Control Standard
Application Security Policy
  • Application Security Standard

1.4 Prioritize development of security policies

The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
  • The tool allows you to prioritize your policies based on:
    • Importance: How relevant is this policy to organizational security?
    • Ease to implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?
    • Ease to enforce: How much effort, time, and resources are required to enforce the policy?
  • Additionally, the weighting or priority of each variable of prioritization can be adjusted.

Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.

Info-Tech Insight

If you have an existing policy that aligns with one of the Info-Tech recommended templates weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of these policies.

Sample of the Security Policy Prioritization Tool.

Download the Security Policy Prioritization Tool

1.5 Leverage stakeholders to champion policies

Info-Tech Insight

While management support is essential to initiating a strong security posture, allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will be less of a police force and more of a partner.

Executive champion

Identify an executive champion who will ensure that the security program and the security policies are supported.

Focus on risk and protection

Security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because it can apply to overall business operations and a revenue-generating mandate.

Communicate policy initiatives

Inform stakeholders of the policy initiative as security policies are only effective if they support the business requirements and user input is crucial for developing a strong security culture.

Current security landscape

Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.

Management buy-in

This is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.

Enhance your overall security posture with a defensible and prescriptive policy suite.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.5/10
Overall Impact

$20,205
Average $ Saved

19
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Define the security policy program
  • Call 1: Scope security policy requirements, objectives, and any specific challenges.
  • Call 2: Review policy lifecycle; prioritize policy development.

Guided Implementation 2: Develop and implement the security policy suite
  • Call 1: Customize the policy templates.
  • Call 2: Gather feedback on the policies and get approval.

Guided Implementation 3: Communicate the security policy program
  • Call 1: Communicate the security policy program.
  • Call 2: Develop policy training and awareness programs.

Guided Implementation 4: Measure the security policy program
  • Call 1: Track policies and exceptions.

Author

Danny Hammond

Contributors

  • Michael Santarcangelo, Founder, Security Catalyst
  • Sandy Bacik, Global Risk Assessment Manager, VF Corporation
  • Paul Daley, Senior Analyst, Change Management and Security, Toronto District School Board
  • Candy Alexander, GRC Security Consultant/Virtual CISO, Independent Consultant – Partnered with Towerwall, Inc.
  • Defense Industry Technology Executive, Information Systems and Technology Branch CIO/CKO, United States Air Force
  • Debbie Christofferson, Sr. Security Manager Specializing in Enterprise Risk Management Strategy and Leadership
  • Andrea Hoy, President/Founder & Virtual CSSO, A. Hoy & Associates
  • Kevin Spease, Managing Partner / Security Engineering Consultant, ISSE Services, LLC
  • Rob Marano, Co-founder, Hackerati
  • Mark Leonard, ITS Security Manager, Wesfarmers Insurance
  • Chuck Hathaway, Director of Infrastructure, Catalyst
  • Rebecca Herold, CEO, The Privacy Professor
  • Paul Stillwell, President & Senior Security Consultant, Intrepita Inc.
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019