Develop and Deploy Security Policies

Enhance your overall security posture with a defensible and prescriptive policy suite.

Contributors

  • Michael Santarcangelo, Founder, Security Catalyst
  • Sandy Bacik, Global Risk Assessment Manager, VF Corporation
  • Paul Daley, Senior Analyst, Change Management and Security, Toronto District School Board
  • Candy Alexander, GRC Security Consultant/Virtual CISO, Independent Consultant – Partnered with Towerwall, Inc.
  • Defense Industry Technology Executive, Information Systems and Technology Branch CIO/CKO, United States Air Force
  • Debbie Christofferson, Sr. Security Manager Specializing in Enterprise Risk Management Strategy and Leadership
  • Andrea Hoy, President/Founder & Virtual CSSO, A. Hoy & Associates
  • Kevin Spease, Managing Partner / Security Engineering Consultant, ISSE Services, LLC
  • Rob Marano, Co-founder, Hackerati
  • Mark Leonard, ITS Security Manager, Wesfarmers Insurance
  • Chuck Hathaway, Director of Infrastructure, Catalyst
  • Rebecca Herold, CEO, The Privacy Professor
  • Paul Stillwell, President & Senior Security Consultant, Intrepita Inc.

Your Challenge

  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities and compliance requirements, are rarely comprehensive, and are inefficient to revise and maintain.
  • End users have traditionally not complied with security policies. When policies are distributed, awareness and understanding of the policy's purpose, how it benefits the organization, and why compliance matters are often overlooked.
  • Adhering to security policies is rarely a priority for users, as compliance often feels like interference with their daily workflow.

Our Advice

Critical Insight

  • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don't meet these requirements, users can't be expected to adhere to them. Focus on developing policies that can be quantified and qualified so that they stay relevant.
  • No published framework is a perfect fit for your organization. One framework (or several) may provide useful guidance in developing your policy suite. From there, figure out what policy items apply to your organization and customize the documents. Otherwise, the policies won’t be enforceable.

Impact and Result

  • Short term: Save time and money using the templates provided to create your own customized security policies mapped to ISO 27001 and NIST standards.
  • Long term: After the initial policy development, only minimal updates will be required to keep the policies current. Ongoing maintenance of, and compliance with, the policies will ensure that security measures satisfy legal and corporate requirements.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and deploy security policies, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Formalize the security policy suite

Determine the policy framework that makes sense for your organization, leverage stakeholder support, and prioritize the development of relevant security policies.

2. Develop the policy suite

Customize the policy templates to your organization's needs, gather feedback on the drafts, and obtain approval.

3. Implement the security policy program

Ensure proper communication, management, measurement, and continuous maintenance of your security policy suite.

Guided Implementations

This guided implementation is a seven-call advisory process.

Guided Implementation #1 - Formalize the security policy suite

Call #1 - Understand policy needs and begin policy charter.
Call #2 - Review charter and prioritize policy development.
Call #3 - Formalize stakeholder support.

Guided Implementation #2 - Develop the policy suite

Call #1 - Customize the policy templates.
Call #2 - Gather feedback on the policies and get approval.

Guided Implementation #3 - Implement the security policy program

Call #1 - Communicate the security policy program.
Call #2 - Formalize program maintenance.

Onsite Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Formalize the Policy Program

The Purpose

  • Determine which security policies are necessary to meet your requirements, and obtain recommendations on how to optimize the development.
  • Acquire executive support for the new security policies.
  • Formalize a governing security policy charter.

Key Benefits Achieved

  • Be able to defend the framework and policies written based on business requirements and overarching security needs.
  • Leveraging an executive champion to advocate for the program can help policy adoption across the organization.
  • Formalize the roles, responsibilities, and overall mission of the program.

Activities and Outputs

1.1 Understand the current state of policies.
  • Output: Understanding of the current state of policies.

1.2 Right-size your policy suite.
  • Output: Right-sized policy suite.

1.3 Understand the relationship between policies and other documents.
  • Output: Defined policy structure for your suite.

1.4 Define the policy framework.
  • Output: Defined policy framework.

1.5 Prioritize the development of security policies.
  • Output: Prioritized list of security policies.

1.6 Discuss strategies to leverage stakeholder support.
  • Output: Action plan to engage a stakeholder champion.

1.7 Plan to communicate with all stakeholders.
  • Output: Action plan for communicating the policy program plan to stakeholders.

1.8 Develop the security policy charter.
  • Output: Security Policy Charter.

Module 2: Develop the Security Policies

The Purpose

Develop a comprehensive suite of security policies that are relevant to the needs of the organization.

Key Benefits Achieved

Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.

Activities and Outputs

2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.
  • Output: Understanding of the risks and drivers that will influence policy.

2.2 Develop and customize security policies.
  • Output: Up to 14 customized security policies (dependent on need and time).

2.3 Develop a plan to gather feedback from users.
  • Output: Discussed action plan to assess policy feasibility with a user group.

Module 3: Implement the Security Policy Program

The Purpose

  • Ensure policies and requirements are communicated to end users, along with the steps needed to comply with the new security policies.
  • Improve compliance with, and accountability for, security policies.
  • Plan for regular review and maintenance of the security policy program.

Key Benefits Achieved

  • Streamlined communication of the policies to users.
  • Comply with rules and regulations and be better prepared for audits.
  • Incorporate security policies into daily work, minimizing disruption to productivity and efficiency.

Activities and Outputs

3.1 Plan the communication strategy for the new policies.
  • Output: Discussed action plan to communicate the policies to end users.

3.2 Discuss myPolicies to automate management and implementation.
  • Output: Understanding of how myPolicies can help with policy management and implementation.

3.3 Use the design-build-implement framework to build your communication channels.
  • Output: Policy Communication Plan.

3.4 Incorporate policies and processes into your training and awareness programs.
  • Output: Action plan to incorporate policies into the security training and awareness programs.

3.5 Measure the effectiveness of security policies.
  • Output: Metrics and plans to measure the effectiveness of the program.

3.6 Understand the need for regular review and update.
  • Output: Action plan to regularly review and update the policies.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client | Experience | Impact (out of 10) | $ Saved | Days Saved
City of Springfield | Guided Implementation | 10/10 | N/A | N/A
City of Alexandria, VA | Guided Implementation | 10/10 | N/A | N/A
City of Springfield | Guided Implementation | 10/10 | N/A | 120
Edgecombe County | Guided Implementation | 10/10 | N/A | 120
Roosevelt Management Company | Guided Implementation | 10/10 | $21,178 | 10
Lee County Clerk of Courts | Guided Implementation | 10/10 | N/A | N/A
Roosevelt Management Company | Guided Implementation | 10/10 | $6,618 | 10
Pennon Group | Guided Implementation | 9/10 | N/A | N/A
Pace Suburban Bus Service | Guided Implementation | 10/10 | $11,912 | 5
Texas General Land Office and Veterans Land Board | Guided Implementation | 10/10 | $1,323 | 3
Inmarsat Solutions Canada | Guided Implementation | 3/10 | N/A | N/A
City Of Port St Lucie | Guided Implementation | 9/10 | N/A | 2
CIEE, Org. | Guided Implementation | 9/10 | $3,970 | N/A
Southwest Gas Corporation | Guided Implementation | 7/10 | N/A | N/A
Securtek Monitoring Solutions Inc | Guided Implementation | 10/10 | $5,000 | 20
Eastern Suffolk BOCES | Guided Implementation | 10/10 | $2,647 | 10
Lee County Clerk of Courts | Guided Implementation | 10/10 | N/A | N/A
Inter Continental Real Estate and Development Corporation | Guided Implementation | 10/10 | $33,091 | 47
Larimer County, Colorado | Guided Implementation | 8/10 | N/A | N/A
EBSCO Industries Inc | Guided Implementation | 8/10 | N/A | 1
The Ottawa Hospital | Guided Implementation | 8/10 | N/A | N/A
Sarnia-Lambton Children's Aid Society | Guided Implementation | 9/10 | $8,000 | 10
Info-Tech Research Group | Guided Implementation | 10/10 | $100K | 110
Pennsylvania Liquor Control Board | Guided Implementation | 8/10 | N/A | N/A
Tikinagan Child & Family Services | Guided Implementation | 9/10 | $27,500 | 85
City of Springfield | Guided Implementation | 10/10 | $66,183 | 47
The Ottawa Hospital | Guided Implementation | 10/10 | N/A | N/A
Briggs & Stratton | Guided Implementation | 10/10 | N/A | N/A
U.S. Holdings | Guided Implementation | 7/10 | $33,091 | 20
City of Springfield | Guided Implementation | 10/10 | $52,946 | 60