Develop and Deploy Security Policies

Enhance your overall security posture while using time, money, and resources effectively.


Your Challenge

  • Security breaches are inevitable and costly. Standard policies and procedures must be in place to limit the likelihood of occurrences and to ensure there are processes in place to deal with issues efficiently and effectively.
  • Time and money are wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy.


Our Advice

Critical Insight

  • Security policies and procedures must be integrated into job descriptions and employee routines. Employees often treat security as a lower priority than short-term productivity and revenue generation.
  • Security policies are living documents that require reviews and updates to maintain relevance. If policies do not work, they have to change or the behavior has to change.
  • Communication and enforcement of policies are often greater challenges. Developing policies can be standardized, but the human aspects of compliance with policies are more difficult to predict and control.

Impact and Result

  • Short term: Save time and money using the templates provided to create your own customized security policies mapped to ISO 27001 and NIST standards.
  • Long term: After the initial policy development, minimal updates will be required to ensure the policy remains up to date. Long-term maintenance and compliance of the policy will ensure legal and corporate satisfaction of security measures.

Contributors

  • Michael Santarcangelo, Founder, Security Catalyst
  • Sandy Bacik, Global Risk Assessment Manager, VF Corporation
  • Paul Daley, Senior Analyst, Change Management and Security, Toronto District School Board
  • Candy Alexander, GRC Security Consultant/Virtual CISO, Independent Consultant – Partnered with Towerwall, Inc.
  • Defense Industry Technology Executive, Information Systems and Technology Branch CIO/CKO, United States Air Force
  • Debbie Christofferson, Sr. Security Manager Specializing in Enterprise Risk Management Strategy and Leadership
  • Andrea Hoy, President/Founder & Virtual CSSO, A. Hoy & Associates
  • Kevin Spease, Managing Partner / Security Engineering Consultant, ISSE Services, LLC
  • Rob Marano, Co-founder, Hackerati
  • Mark Leonard, ITS Security Manager, Wesfarmers Insurance
  • Chuck Hathaway, Director of Infrastructure, Catalyst
  • Rebecca Herold, CEO, The Privacy Professor
  • Paul Stillwell, President & Senior Security Consultant, Intrepita Inc.

Get the Complete Storyboard

See how all the steps you need to take come together, with tools and advice to help with each task on your list.


Get to Action

  1. Make the case, assess and prioritize policies

    Acquire key stakeholder support and identify the target state of security policies in the organization.

  2. Develop the foundational policy suite

    Understand the hierarchy of the policy suite and develop the relevant security policies.

  3. Develop the procedural policy suite

    Leverage security policy templates as a starting point for developing procedures.

  4. Communicate and enforce the policies

    Understand the need for a program to communicate security policies with employees.

  5. Review and update the policies

    Measure the effectiveness of security policies within your organization.

Guided Implementation

This guided implementation is a nine-call advisory process.

    Guided Implementation #1 - Make the case, assess and prioritize policies

  • Call #1: Complete the stakeholder communication template.
  • Call #2: Establish business requirements and conduct gap analysis.
  • Call #3: Prioritize the implementation of the policies.

    Guided Implementation #2 - Develop the policy suite

  • Call #1: Develop the governing Information Security Policy Charter.
  • Call #2: Develop the relevant security policies and gather feedback.

    Guided Implementation #3 - Communicate & enforce the policies

  • Call #1: Communicate awareness and training of new policies.
  • Call #2: Set goals and determine success metrics.

    Guided Implementation #4 - Review & update the policies

  • Call #1: Measure the effectiveness of the policies.
  • Call #2: Develop an action plan for updates.

Onsite Workshop

Module 1: Assess & Prioritize the Policies

The Purpose

  • Acquire executive support for the new security policies.
  • Determine which security policies are necessary to meet your requirements, and obtain recommendations on how to optimize them.
  • Develop a prioritized shortlist of security policies which should be developed and deployed to reach the organization’s objectives.

Key Benefits Achieved

  • Defend your decision to implement a security policy because you understand the necessity of it.
  • Progress the plan to develop and deploy new security policies or update current ones with essential stakeholder buy-in.
  • Implement a prioritized phased release of new policies, maximizing business alignment.

Activities and Outputs:

1.1 Define the necessity for policies and identify current pain points.
  • Output: Understand your organization’s specific need for security policies.
1.2 Acquire executive support for the new security policies.
  • Output: Formal stakeholder support acquired.
1.3 Identify the target policy requirements for your organization.
  • Output: Business requirement checklist completed.
1.4 Identify the current state and maturity of policies.
  • Output: Current state assessment completed.
1.5 Discuss recommended actions to close your policy gaps.
  • Output: Recommended actions to reach the target state of policies from the current state.
1.6 Prioritize the development of policies.
  • Output: Action effort analysis completed; list of policies to implement prioritized.

Module 2: Develop the Policy Suite

The Purpose

  • Formalize a governing information security policy charter.
  • Develop a comprehensive suite of security policies that are relevant to the needs of the organization.
  • Ensure usability of the policies.

Key Benefits Achieved

  • Formally document security policies.
  • Save time and money in producing the documents from Info-Tech templates.
  • Clearly define responsibilities and purpose.

Activities and Outputs:

2.1 Introduce the hierarchy of the policy suite.
  • Output: Structured hierarchy of policy suite planned.
2.2 Develop the governing Information Security Policy Charter.
  • Output: Governing Information Security Policy Charter completed.
2.3 Develop the relevant security policies.
  • Output: Comprehensive suite of security policies formalized.
2.4 Discuss the purpose and tips for developing a test group of users to assess the feasibility of the new policies.
  • Output: Strategy to gather input from users to ensure usability defined.

Module 3: Communicate & Enforce the Policies

The Purpose

  • Ensure users have awareness and knowledge of the rationale for the new security policies and of the steps needed to comply with them.
  • Improve compliance and accountability with security policies.
  • Ensure due diligence by the organization.

Key Benefits Achieved

  • Communicate the importance of policies to employees.
  • Enhance the overall security posture of the organization.
  • Comply with rules and regulations and be better prepared for audits.
  • Incorporate security policies into daily schedule, eliminating disturbances to productivity and efficiency.

Activities and Outputs:

3.1 Understand the need for a program to communicate security policies with employees.
  • Output: The need for a proper communication program understood.
3.2 Discuss best practices to optimize the communication and distribution of policies.
  • Output: Tips and suggested actions to optimize the communication and distribution of policies identified.
3.3 Customize and review the training and awareness communication template.
  • Output: Awareness and training template formalized.
3.4 Understand the need for policy enforcement.
  • Output: The need for policy enforcement understood.
3.5 Discuss best practices to seamlessly incorporate security policies into daily routines.
  • Output: Tips and suggestions to incorporate policy enforcement into daily routines identified.
3.6 Set goals and determine success metrics for enforcement.
  • Output: Goals and success metrics to evaluate enforcement defined.

Module 4: Review & Update the Policies

The Purpose

  • Measure the effectiveness of the security policies.
  • Understand where updates and revisions are necessary across the security policy lifecycle.
  • Develop a plan for updating the policies.

Key Benefits Achieved

  • Validate the effectiveness and compliance of the new policies.
  • Change the policies as necessary to maintain relevancy to the user base, technology, and business objectives, or make changes to the behaviors of the end users to maximize effectiveness of crucial policies.

Activities and Outputs:

4.1 Understand the plan to evaluate policy effectiveness.
  • Output: Policy review matrix understood.
4.2 Strategize the process for updating policies when necessary.
  • Output: Action plan to make necessary policy revisions established.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.


Search Code: 75660
Published: August 7, 2014
Last Revised: February 2, 2015
