Develop and Deploy Security Policies

Enhance your overall security posture with a defensible and prescriptive policy suite.

  • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
  • Data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
  • Adhering to security policies is rarely a priority for users, as compliance often feels like an interference with daily workflow. For many organizations, security policies are not having the desired effect.

Our Advice

Critical Insight

  • Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.
  • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies that can be quantified and qualified so that they stay relevant.

Impact and Result

  • Save time and money using the templates provided to create your own customized security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

Develop and Deploy Security Policies Research & Tools

1. Develop and Deploy Security Policies Deck – A step-by-step guide to help you build, implement, and assess your security policy program.

Our systematic approach will ensure that all identified areas of security have an associated policy.

This blueprint will help you build and implement your security policy program by following our four-phase methodology:

  • Develop the security policy program.
  • Develop and implement the policy suite.
  • Communicate the security policy program.
  • Measure the security policy program.

2. Security Policy Prioritization Tool – A structured tool to help your organization prioritize your policy suite to ensure that you are addressing the most important policies first.

The Security Policy Prioritization Tool assesses the policy suite on policy importance, ease to implement, and ease to enforce. The output of this tool is your prioritized list of policies based on our policy framework.

3. Security Policy Assessment Tool – A structured tool to assess the effectiveness of policies within your organization and determine recommended actions for remediation.

The Security Policy Assessment Tool assesses the policy suite on policy coverage, communication, adherence, alignment, and overlap. The output of this tool is a checklist of remediation actions for each individual policy.

4. Security Policy Lifecycle Template – A customizable lifecycle template to manage your security policy initiatives.

The Lifecycle Template includes sections on security vision, security mission, strategic security and policy objectives, policy design, roles and responsibilities for developing security policies, and organizational responsibilities.

5. Policy Communication Plan Template – A template to help you plan your approach for publishing and communicating your policy updates across the entire organization.

This template helps you budget time for communications, identify all stakeholders, and avoid scheduling communications in competition with one another.

6. Security Awareness and Training Program Development Tool – A tool to help you identify initiatives to develop your security awareness and training program.

Use this tool first to identify the initiatives that can grow your program, then as a roadmap for tracking the completion of those initiatives.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.6/10
Average $ Saved: $19,820
Average Days Saved: 16

Client | Experience | Impact | $ Saved | Days Saved
Lake County, FL | Workshop | 10/10 | N/A | 10
Svante | Guided Implementation | 8/10 | N/A | N/A
United Way Suncoast | Guided Implementation | 10/10 | N/A | 23
Legal Practitioners Fidelity Fund | Guided Implementation | 9/10 | $2,393 | 5
State Universities Retirement System Of Illinois | Workshop | 10/10 | $113K | 10
Caribbean Public Health Agency | Guided Implementation | 10/10 | $2,519 | 2
Burke and Herbert Bank and Trust Company | Guided Implementation | 10/10 | $37,799 | 20
Factors Group of Companies | Guided Implementation | 10/10 | $20,500 | 5
Kern County Information Technology Services | Guided Implementation | 9/10 | $2,519 | 5
Camosun College | Guided Implementation | 9/10 | $10,000 | 20
City of Alexandria, VA | Guided Implementation | 9/10 | $81,899 | 18
Inter Continental Real Estate and Development Corporation | Guided Implementation | 10/10 | $2,519 | 5
City Of Chesapeake | Guided Implementation | 9/10 | N/A | N/A
Cross Insurance | Guided Implementation | 8/10 | N/A | 2
Caribbean Public Health Agency | Guided Implementation | 10/10 | $12,599 | 50
Fernco Inc | Guided Implementation | 10/10 | $31,499 | 35
Omya (Schweiz) AG | Guided Implementation | 10/10 | N/A | 10
Caerus Operating LLC | Workshop | 9/10 | $20,159 | 20
Corix Infrastructure Inc. | Guided Implementation | 9/10 | $11,500 | 10
Centrastate Healthcare Systems | Guided Implementation | 10/10 | $7,439 | 35
Digital Armour Corporation | Guided Implementation | 10/10 | $4,959 | 2
Simcoe Muskoka Catholic District School Board | Guided Implementation | 10/10 | $10,000 | 20
Human Resources Professionals Association | Guided Implementation | 10/10 | $23,500 | 60
GSW Manufacturing | Guided Implementation | 8/10 | $5,039 | 6
Fernco Inc | Guided Implementation | 10/10 | N/A | 10
STgenetics | Guided Implementation | 10/10 | N/A | 10
University of Maribor | Guided Implementation | 10/10 | $1,800 | 2
MSS Business Transformation Advisory, Inc. | Guided Implementation | 10/10 | $12,395 | 10
Virginia Department of the Treasury | Guided Implementation | 10/10 | $1,800 | 50
City Of Issaquah | Guided Implementation | 10/10 | $31,940 | 120


Workshop: Develop and Deploy Security Policies

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Define the Security Policy Program

The Purpose

  • Define the security policy development program.
  • Formalize a governing security policy lifecycle.

Key Benefits Achieved

  • Understanding the current state of policies within your organization.
  • A prioritized list of security policies for your organization.
  • Being able to defend policies written based on business requirements and overarching security needs.
  • Leveraging an executive champion to help policy adoption across the organization.
  • Formalizing the roles, responsibilities, and overall mission of the program.

Activities and Outputs

1.1 Understand the current state of policies.
  • Output: Security Policy Prioritization Tool

1.2 Align your security policies to the Info-Tech framework for compliance.

1.3 Understand the relationship between policies and other documents.

1.4 Prioritize the development of security policies.
  • Output: Security Policy Prioritization Tool

1.5 Discuss strategies to leverage stakeholder support.

1.6 Plan to communicate with all stakeholders.

1.7 Develop the security policy lifecycle.
  • Output: Security Policy Lifecycle Template

Module 2: Develop the Security Policy Suite

The Purpose

  • Develop a comprehensive suite of security policies that are relevant to the needs of the organization.

Key Benefits Achieved

  • Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.

Activities and Outputs

2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.
  • Output: Understanding of the risks and drivers that will influence policy development.

2.2 Develop and customize security policies.
  • Output: Up to 14 customized security policies (dependent on need and time).

2.3 Develop a plan to gather feedback from users.

2.4 Discuss a plan to submit policies for approval.

Module 3: Implement Security Policy Program

The Purpose

  • Ensure policies and requirements are communicated with end users, along with steps to comply with the new security policies.
  • Improve compliance and accountability with security policies.
  • Plan for regular review and maintenance of the security policy program.

Key Benefits Achieved

  • Streamlined communication of the policies to users.
  • Improved end-user compliance with policy guidelines and better preparedness for audits.
  • Security policies incorporated into the daily schedule, minimizing disturbances to productivity and efficiency.

Activities and Outputs

3.1 Plan the communication strategy for new policies.
  • Output: Policy Communication Plan Template

3.2 Discuss myPolicies to automate management and implementation.
  • Output: Understanding of how myPolicies can help policy management and implementation.

3.3 Incorporate policies and processes into your security awareness and training program.
  • Output: Security Awareness and Training Program Development Tool

3.4 Assess the effectiveness of security policies.
  • Output: Security Policy Assessment Tool

3.5 Understand the need for regular review and update.
  • Output: Action plan to regularly review and update the policies.


Analyst Perspective

A policy lifecycle can be the secret sauce to managing your policies.

A policy for policy’s sake is useless if it isn’t being used to ensure proper processes are followed. A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant.

Policies should be developed based on the use cases that enable the business to run securely and smoothly. Ensure they are aligned with the corporate culture. Rather than introducing hindrances to daily operations, policies should reflect security practices that support business goals and protection.

No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep your organization secure.

Danny Hammond, Research Analyst, Security, Risk, Privacy & Compliance Practice, Info-Tech Research Group

Executive Summary

Your Challenge
  • Security breaches are damaging and costly. Trying to prevent and respond to them without robust, enforceable policies makes a difficult situation even harder to handle.
  • Informal, un-rationalized, ad hoc policies are ineffective because they do not explicitly outline responsibilities and compliance requirements, and they are rarely comprehensive.
  • Without a strong lifecycle to keep policies up to date and easy to use, end users will ignore or work around poorly understood policies.
  • Time and money are wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy program.
Common Obstacles

InfoSec leaders will struggle to craft the right set of policies without knowing what the organization actually needs, such as:

  • The security policies needed to safeguard infrastructure and resources.
  • The scope the security policies will cover within the organization.
  • The current compliance and regulatory obligations based on location and industry.
InfoSec leaders must understand the business environment and end-user needs before they can select security policies that fit.
Info-Tech’s Approach

Info-Tech’s Develop and Deploy Security Policies takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

  • Assess what security policies currently exist within the organization and consider which additional security policies are needed.
  • Develop a policy lifecycle that will define the needs, develop required documentation, and implement, communicate, and measure your policy program.
  • Draft a set of security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

Info-Tech Insight

Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.

Your Challenge

This research is designed to help organizations design a program to develop and deploy security policies.

  • A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.
  • The development of policy documents is an ambitious task, but the real challenge comes with communication and enforcement.
  • A good security policy allows employees to know what is required of them and allows management to monitor and audit security practices against a standard policy.
  • Unless the policies are effectively communicated, enforced, and updated, employees won’t know what’s required of them and will not comply with essential standards, making the policies powerless.
  • Without a good policy lifecycle in place, it can be challenging to illustrate the key steps and decisions involved in creating and managing a policy.

The problem with security policies

29% of IT workers say it's just too hard and time consuming to track and enforce security policies.

25% of IT workers say they don’t enforce security policies universally.

20% of workers don’t follow company security policies all the time.

(Source: Security Magazine, 2020)

Common obstacles

The problem with security policies isn’t development; rather, it’s the communication, enforcement, and maintenance of them.

  • Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
  • Data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
  • Adhering to security policies is rarely a priority for users, as compliance often feels like an interference with daily workflow. For many organizations, security policies are not having the desired effect.

[Bar chart: average cost of a data breach, 2019-20, 2020-21, and 2021-22]
(Source: IBM, 2022 Cost of a Data Breach; n=537)

Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from 2021, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020.

Info-Tech’s approach

The four phases form a continuous cycle: define, develop and implement, communicate, and measure, with the output of the last phase feeding the next round of definition.

I. Define Security Policy Program

Tools: a) Security policy program lifecycle template; b) Policy prioritization tool

The right policy for the right audience. Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.

Actions

  1. Develop policy lifecycle
  2. Identify compliance requirements
  3. Understand which policies need to be developed, maintained, or decommissioned

II. Develop & Implement Policy Suite

Tools: a) Policy template set

Policies must be reasonable, auditable, enforceable, and measurable. Policy items that meet these requirements will have a higher level of adherence. Focus on efficiently creating policies using pre-developed templates that are mapped to multiple compliance frameworks.

Actions

  1. Differentiate between policies, procedures, standards, and guidelines
  2. Draft policies from templates
  3. Review policies, including completeness
  4. Approve policies

III. Communicate Policy Program

Tools: a) Security policy awareness & training tool; b) Policy communication plan template

Awareness and training on security policies should be targeted and must be relevant to the employees’ jobs. Employees will be more attentive and willing to incorporate what they learn if they feel that awareness and training material was specifically designed to help them.

Actions

  1. Identify any changes in the regulatory and compliance environment
  2. Include policy awareness in awareness and training programs
  3. Disseminate policies

IV. Measure Policy Program

Tools: a) Security policy tracking tool

Gaining feedback on policy compliance is important for updates and adaptation, where necessary, as well as for monitoring policy alignment to business objectives.

Actions

  1. Enforce policies
  2. Measure policy effectiveness

Build trust in your policy program by involving stakeholders through the entire policy lifecycle.

Blueprint benefits

IT/InfoSec Benefits

  • Reduces complexity within the policy creation process by using a single framework to align multiple compliance regimes.
  • Introduces a roadmap to clearly educate employees on the do’s and don’ts of IT usage within the organization.
  • Reduces costs and efforts related to managing IT security and other IT-related threats.

Business Benefits

  • Identifies and develops security policies that are essential to your organization’s objectives.
  • Integrates security into corporate culture while maximizing compliance and effectiveness of security policies.
  • Reduces security policy compliance risk.

Key deliverable:

Security Policy Templates

Templates for policies that can be used to map policy statements to multiple compliance frameworks.


Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Security Policy Prioritization Tool

The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.

Security Policy Assessment Tool

Info-Tech's Security Policy Assessment Tool helps ensure that your policies provide adequate coverage for your organization's security requirements.

Measure the value of this blueprint

Define Security Policy Program
  Purpose: Understand the value in formal security policies and determine which policies to update, eliminate, or add to your current suite.
  Measured value:
    • Time, value, and resources saved with guidance and templates: 1 FTE × 3 days × $80,000/year = $1,152
    • Time, value, and resources saved using our recommendations and tools: 1 FTE × 2 days × $80,000/year = $768

Develop and Implement the Policy Suite
  Purpose: Select from an extensive policy template offering and customize the policies you need to optimize or add to your own policy program.
  Measured value:
    • Time, value, and resources saved using our templates: 1 consultant × 15 days × $150/hour = $21,600 (if starting from scratch)

Communicate Security Policy Program
  Purpose: Use Info-Tech’s methodology and best practices to ensure proper communication, training, and awareness.
  Measured value:
    • Time, value, and resources saved using our training and awareness resources: 1 FTE × 1.5 days × $80,000/year = $408

Measure Security Policy Program
  Purpose: Use Info-Tech’s custom toolkits for continuous tracking and review of your policy suite.
  Measured value:
    • Time, value, and resources saved by using our enforcement recommendations: 2 FTEs × 5 days × $160,000/year combined = $3,840
    • Time, value, and resources saved by using our recommendations rather than an external consultant: 1 consultant × 5 days × $150/hour = $7,200

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Overall Impact: 9.5/10
Overall Average $ Saved: $29,015
Overall Average Days Saved: 25

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is six to ten calls over the course of two to four months.

What does a typical GI on this topic look like?

Phase 1
  Call #1: Scope security policy requirements, objectives, and any specific challenges.
  Call #2: Review policy lifecycle; prioritize policy development.

Phase 2
  Call #3: Customize the policy templates.
  Call #4: Gather feedback on policies and get approval.

Phase 3
  Call #5: Communicate the security policy program.
  Call #6: Develop policy training and awareness programs.

Phase 4
  Call #7: Track policies and exceptions.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1: Define the security policy program
  Activities:
    1.1 Understand the current state of policies.
    1.2 Align your security policies to the Info-Tech framework for compliance.
    1.3 Understand the relationship between policies and other documents.
    1.4 Prioritize the development of security policies.
    1.5 Discuss strategies to leverage stakeholder support.
    1.6 Plan to communicate with all stakeholders.
    1.7 Develop the security policy lifecycle.
  Deliverables:
    1. Security Policy Prioritization Tool
    2. Security Policy Lifecycle

Day 2: Develop the security policy suite
  Activities:
    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.
    2.2 Develop and customize security policies.
  Deliverables:
    1. Security Policies (approx. 9)

Day 3: Develop the security policy suite
  Activities:
    2.1 Discuss the risks and drivers your organization faces that must be addressed by policies (continued).
    2.2 Develop and customize security policies (continued).
    2.3 Develop a plan to gather feedback from users.
    2.4 Discuss a plan to submit policies for approval.
  Deliverables:
    1. Security Policies (approx. 9)

Day 4: Implement security policy program
  Activities:
    3.1 Plan the communication strategy for new policies.
    3.2 Discuss myPolicies to automate management and implementation.
    3.3 Incorporate policies into your security awareness and training program.
    3.4 Assess the effectiveness of policies.
    3.5 Understand the need for regular review and update.
  Deliverables:
    1. Policy Communication Plan
    2. Security Awareness and Training Program Development Tool
    3. Security Policy Assessment Tool

Day 5: Finalize deliverables and next steps
  Activities:
    4.1 Review customized lifecycle and policy templates.
    4.2 Discuss the plan for policy roll out.
    4.3 Schedule follow-up Guided Implementation calls.
  Deliverables:
    1. All deliverables finalized

Phase 1: Define the Security Policy Program

Blueprint phases and steps:

Phase 1

1.1 Understand the current state

1.2 Align your security policies to the Info-Tech framework

1.3 Document your policy hierarchy

1.4 Prioritize development of security policies

1.5 Leverage stakeholders

1.6 Develop the policy lifecycle

Phase 2

2.1 Customize policy templates

2.2 Gather feedback from users on policy feasibility

2.3 Submit policies to upper management for approval

Phase 3

3.1 Understand the need for communicating policies

3.2 Use myPolicies to automate the management of your security policies

3.3 Design, build, and implement your communications plan

3.4 Incorporate policies and processes into your training and awareness programs

Phase 4

4.1 Assess the state of security policies

4.2 Identify triggers for regular policy review and update

4.3 Develop an action plan to update policies

This phase will walk you through the following activities:

  • Understand the current state of your organization’s security policies.
  • Align your security policies to the Info-Tech framework for compliance.
  • Prioritize the development of your security policies.
  • Leverage key stakeholders to champion the policy initiative.
  • Inform all relevant stakeholders of the upcoming policy program.
  • Develop the security policy lifecycle.

1.1 Understand the current state of policies

Scenario 1: You have existing policies

  1. Use the Security Policy Prioritization Tool to identify any gaps between the policies you already have and those recommended based on your changing business needs.
  2. As your organization undergoes changes, be sure to incorporate new requirements in the existing policies.
  3. Sometimes, you may have more specific procedures for a domain’s individual security aspects instead of high-level policies.
  4. Group current policies into the domains and use the policy templates to create overarching policies where there are none and improve upon existing high-level policies.

Scenario 2: You are starting from scratch

  1. To get started on new policies, use the Security Policy Prioritization Tool to identify the policies Info-Tech recommends based on your business needs. See the full list of templates in the Appendix to ensure that all relevant topics are addressed.
  2. Whether you’re starting from scratch or have incomplete/ad hoc policies, use Info-Tech’s policy templates to formalize and standardize security requirements for end users.
Info-Tech Insight

Policies are living, evolving documents that require regular review and update, so even if you have policies already written, you’re not done with them.

1.2 Align your security policies to the Info-Tech framework for compliance

You have an opportunity to improve your employee alignment and satisfaction, improve organizational agility, and obtain high policy adherence. This is achieved by translating your corporate culture into a policy-based compliance culture.

Align your security policies to the Info-Tech Security Framework by using Info-Tech’s policy templates.

Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:
  • ISO 27001/27002
  • COBIT
  • Center for Internet Security (CIS) Critical Controls
  • NIST Cybersecurity Framework
  • NIST SP 800-53
  • NIST SP 800-171

Info-Tech Security Framework

Info-Tech Security Framework with policies grouped into categories which are then grouped into 'Governance' and 'Management'.

1.3 Document your policy hierarchy

Structuring policy components at different levels allows for efficient changes and direct communication depending on what information is needed.

Policy hierarchy (pyramid): Security Policy Lifecycle at the top, Security Policies in the middle, IT and/or Supporting Documentation at the base.

Security Policy Lifecycle
  • Defines the cycle for the security policy program and what must be done, but not how to do it. Aligns the business, security program, and policies.
  • Addresses the “what,” “who,” “when,” and “where.”

Security Policies
  • Defines high-level overarching concepts of security within the organization, including the scope, purpose, and objectives of policies.
  • Addresses the high-level “what” and “why.”
  • Changes when business objectives change.

IT and/or Supporting Documentation
  • Defines enterprise- or technology-specific, detailed guidelines on how to adhere to policies.
  • Addresses the “how.”
  • Changes when technology and processes change.

Info-Tech Insight

Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.

1.3.1 Understand the relationship between policies and other documents

Policy:
  • Provides emphasis and sets direction.
  • Standards, guidelines, and procedures must be developed to support an overarching policy.

A policy is supported by three kinds of documentation:

Standard:
  • Specifies a uniform method of supporting the policy.
  • Compliance is mandatory.
  • Includes processes, frameworks, methodologies, and technology.

Procedure:
  • Step-by-step instructions to perform desired actions.

Guideline:
  • Recommended actions to consider in the absence of an applicable standard, to support a policy.

This model is adapted from a framework developed by CISA (Certified Information Systems Auditor).

Considerations for standards

Standards. These support policies by being much more specific and outlining key steps or processes that are necessary to meet certain requirements within a policy document. Ideally standards should be based on policy statements with a target of detailing the requirements that show how the organization will implement developed policies.

If policies describe what needs to happen, then standards explain how it will happen.

A good example is an email policy that states that email must be encrypted. This policy can be supported by a standard that requires Transport Layer Security (TLS) for all email in transit between mail servers. The standard has to spell out what “required” means: opportunistic STARTTLS, the default on most mail servers, silently falls back to cleartext when the peer does not offer TLS, so a standard that only says “use TLS” does not guarantee the policy’s outcome. It should name a minimum protocol version (TLS 1.2 or later), state whether plaintext fallback is permitted, and make clear that transport encryption covers messages in transit only; encryption of stored mail and end-to-end encryption are separate requirements.

There are numerous security standards available that support security policies and programs, depending on the kind of systems and controls an organization would like to put in place. A good selection of supporting standards can go a long way toward further protecting users, data, and other organizational assets.
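To make the policy-versus-standard distinction concrete, here is an added example (not part of the Info-Tech blueprint) of what an email-in-transit standard actually has to pin down and how adherence can be checked. It assumes Postfix as the mail server and uses Postfix's documented parameter names; the two main.cf fragments are constructed for illustration, not taken from any real deployment. The weak fragment uses opportunistic TLS, which is what most servers ship with; the hardened one makes TLS mandatory in both directions and disables protocol versions below 1.2. The audit function is the kind of check the standard makes possible: it reads a main.cf fragment and reports every setting that would let mail travel in cleartext or over a legacy protocol.

```python
"""Audit a Postfix main.cf fragment against an 'email in transit must be
encrypted' standard.  Added example: Postfix parameter names are real, the
config fragments are constructed, not copied from any production server."""
import re

# Constructed example of a weak configuration: opportunistic TLS.  With
# security_level 'may', Postfix still talks plaintext whenever the peer
# does not offer STARTTLS, and TLS 1.0/1.1 remain acceptable.
WEAK_MAIN_CF = """\
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

# Constructed example of a configuration that meets the standard:
# mandatory TLS, TLS 1.2 or later, and a CA bundle for peer verification.
HARDENED_MAIN_CF = """\
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""

# Postfix security levels that never fall back to plaintext.
MANDATORY_CLIENT_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
MANDATORY_SERVER_LEVELS = {"encrypt"}

# Protocol names as Postfix spells them, oldest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = PROTOCOL_ORDER[:4]  # everything below TLS 1.2


def parse_main_cf(text):
    """Return {parameter: value} for 'key = value' lines; blanks and comments skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def legacy_protocols_allowed(value):
    """Legacy protocols a *_mandatory_protocols value still permits.

    Accepts all three Postfix spellings: an exclusion list ('!SSLv2, !TLSv1'),
    an inclusion list ('TLSv1.2, TLSv1.3'), and the '>=TLSv1.2' form that
    Postfix 3.6 and later understand.  None means the parameter is unset,
    which the audit treats as unrestricted rather than guessing a default.
    """
    if value is None:
        return list(LEGACY)
    value = value.strip()
    if value.startswith(">="):
        floor = PROTOCOL_ORDER.index(value[2:].strip())
        return [p for p in LEGACY if PROTOCOL_ORDER.index(p) >= floor]
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if all(t.startswith("!") for t in tokens):
        excluded = {t[1:] for t in tokens}
        return [p for p in LEGACY if p not in excluded]
    return [p for p in LEGACY if p in tokens]


def audit(main_cf_text):
    """Return a list of findings; an empty list means the fragment meets the standard."""
    params = parse_main_cf(main_cf_text)
    findings = []
    checks = [
        ("smtp_tls_security_level", MANDATORY_CLIENT_LEVELS, "outbound"),
        ("smtpd_tls_security_level", MANDATORY_SERVER_LEVELS, "inbound"),
    ]
    for param, ok_levels, direction in checks:
        level = params.get(param, "none")  # Postfix default is 'none'
        if level not in ok_levels:
            findings.append(f"{param}={level}: {direction} mail may be sent in cleartext")
    for param in ("smtp_tls_mandatory_protocols", "smtpd_tls_mandatory_protocols"):
        allowed = legacy_protocols_allowed(params.get(param))
        if allowed:
            findings.append(f"{param} still permits {', '.join(allowed)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"{name}: {audit(cfg) or ['compliant']}")
```

Two caveats belong in the standard itself rather than in the config. First, smtp_tls_security_level = encrypt applied globally makes Postfix defer mail to any destination that does not offer STARTTLS, so real standards usually scope mandatory TLS to named partner domains through smtp_tls_policy_maps (or to domains that publish DANE) and accept opportunistic TLS elsewhere. Second, RFC 3207 says a publicly referenced MX must not require STARTTLS on port 25, so smtpd_tls_security_level = encrypt belongs on the submission service, not on the public MX. The >=TLSv1.2 spelling is only accepted by Postfix 3.6 and later; older releases need the exclusion-list form shown for the outbound side.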
Key policies and example associated standards:

Access Control Policy
  • Password Management User Standard
  • Account Auditing Standard
Data Security Policy
  • Cryptography Standard
  • Data Classification Standard
  • Data Handling Standard
  • Data Retention Standard
Incident Response Policy
  • Incident Response Plan
Network Security Policy
  • Wireless Connectivity Standard
  • Firewall Configuration Standard
  • Network Monitoring Standard
Vendor Management Policy
  • Vendor Risk Management Standard
  • Third-Party Access Control Standard
Application Security Policy
  • Application Security Standard

1.4 Prioritize development of security policies

The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
  • The tool allows you to prioritize your policies based on:
    • Importance: How relevant is this policy to organizational security?
    • Ease to implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?
    • Ease to enforce: How much effort, time, and resources are required to enforce the policy?
  • Additionally, the weighting or priority of each variable of prioritization can be adjusted.

Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.

Info-Tech Insight

If you have an existing policy that aligns with one of the Info-Tech recommended templates, weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of these policies.

Sample of the Security Policy Prioritization Tool.

Download the Security Policy Prioritization Tool

1.5 Leverage stakeholders to champion policies

Info-Tech Insight

While management support is essential to initiating a strong security posture, allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will be less of a police force and more of a partner.

Executive champion

Identify an executive champion who will ensure that the security program and the security policies are supported.

Focus on risk and protection

Security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because it can apply to overall business operations and a revenue-generating mandate.

Communicate policy initiatives

Inform stakeholders of the policy initiative as security policies are only effective if they support the business requirements and user input is crucial for developing a strong security culture.

Current security landscape

Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.

Management buy-in

This is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.

1.6 Develop the security policy lifecycle

  1. The security policy lifecycle is an integral component of the security policy program and adds value by:
    • Setting out a roadmap to define the needs, develop required documentation, and implement, communicate, and measure your policy program.
    • Defining roles and responsibilities for the security policy suite.
    • Aligning the business goals, security program goals, and policy objectives.
  2. Review the sections within the Security Policy Lifecycle Template and delete any sections or subsections that do not apply to your organization.
    • As necessary, modify the lifecycle and receive approved sign-off by your organization’s leadership.
    • Solicit feedback from stakeholders, specifically, IT department management and business stakeholders.

Download the Security Policy Lifecycle Template

'The Policy Development Lifecycle'; each section has three steps. Sections are 'Define Policy Program', 'Develop & implement policy suite', 'Communicate Policy Program', 'Measure Policy Program'.
Diagram inspired by: ComplianceBridge, 2021

Develop and Deploy Security Policies

Phase 2

Develop and implement the security policy suite

Phase 1

1.1 Understand the current state

1.2 Align your security policies to the Info-Tech framework

1.3 Document your policy hierarchy

1.4 Prioritize development of security policies

1.5 Leverage stakeholders

1.6 Develop the policy lifecycle

Phase 2

2.1 Customize policy templates

2.2 Gather feedback from users on policy feasibility

2.3 Submit policies to upper management for approval

Phase 3

3.1 Understand the need for communicating policies

3.2 Use myPolicies to automate the management of your security policies

3.3 Design, build, and implement your communications plan

3.4 Incorporate policies and processes into your training and awareness programs

Phase 4

4.1 Assess the state of security policies

4.2 Identify triggers for regular policy review and update

4.3 Develop an action plan to update policies

This phase will walk you through the following activities:

  • Customize your prioritized policy templates to develop the suite.
  • Gather and incorporate feedback from users to ensure feasibility of the policy program.
  • Submit the new security policies for approval.

2.1 Customize prioritized templates to develop new policies

Input: Security policy prioritization tool, Existing security policies

Output: Suite of security policies

Materials: Security policy templates

Participants: Policy writer, Security team, Human Resources, Audit, Legal

  1. Policies are essential governance tools that create transparency and set expectations. Successfully drafted policies must be clear, concise, and consistent.
    • Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
    • Be consistent. Write policies that complement each other, not contradict each other.
    • Be concise. Make it as quick and easy as possible to read and understand your policy.
  2. Review your prioritized list of policies from the Security Policy Prioritization Tool. Download the associated policy template for your highest ranked policy.
  3. Follow the instructions written in grey text to fill out each heading.
  4. When your draft is finished, prepare to request sign-off from your signing authority.
  5. Iterate this process until all relevant policies are complete.

Download the Security Policy Templates

Samples of prioritized policy templates.

Info-Tech Insight

Focus on efficiently creating policies using Info-Tech’s pre-developed templates that are mapped to multiple compliance frameworks.

2.2 Gather feedback from users to assess policy feasibility

  1. Form a test group of users with various backgrounds within the organization, including employees with different technical skill levels and across various departments.
    • Consider a reasonable sample size (~10 testers).
  2. Present new policies to the stakeholder group.
    • Allow them to read the documents and attempt to comply with the new policies in their daily routines.
  3. Collect feedback from various sources.
    • Consider leveraging interviews, email surveys, or group discussions to gather thoughts, opinions, and insights on policies.
  4. Make reasonable changes to the first draft of the policies before distributing them.
    • Policies will only be adhered to if they’re realistic and user friendly.

Stakeholders to include:
  • Legal
  • Internal Audit
  • Human Resources
  • Risk Management
  • Business Management
  • Corporate Communications
  • Other IT Teams

Info-Tech Insight

Allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies and less resistance. The security team will be viewed less as a police force and more as a partner.

2.3 Submit policies to upper management for approval

Policies need to be accepted by the business and incorporated into the broader policies of the organization.

Submission

Once the policy drafts are completed:
  • Identify who is in charge of approving the policies. Ensure they understand the importance, context, and repercussions of the policies.
  • Submit policy drafts for approval. Draft policies must answer questions such as:
    • Do the policies satisfy compliance and regulatory requirements?
    • Do the policies work with the corporate culture?
    • Do the policies address the underlying need?
  • Leverage the Policy Communication Plan Template in Phase 3 to communicate the overall program.

Approval

If the policy draft is approved:
  • Set the “effective date.”
  • Begin communication, awareness, and training.
If the policy draft is rejected:
  • Acquire feedback and make revisions.
  • Resubmit for approval.

Develop and Deploy Security Policies

Phase 3

Communicate the security policy program

This phase will walk you through the following activities:

  • Understand the need for communication with employees and stakeholders.
  • Use the myPolicies platform to automate the management of your security policies.
  • Design, build, and implement your communications plan.
  • Incorporate policies and processes into training and awareness programs.

3.1 Understand the need for communicating policies with employees

Even the most thorough policies are useless if employees don’t know how to adhere to them.

95% of cybersecurity breaches are caused by human error. (Source: World Economic Forum, 2022)

Since 2020, the cost of addressing an insider security problem has increased by 34%, from $11.45 million in 2020 to $15.38 million in 2022. (Source: Proofpoint report, 2022)

  • Employees can’t protect against and be accountable for what they don’t know.
  • Employees must know that there are new security policies and the impact of such policies.
  • Employees must be able to interpret, understand, and know how to act upon the information in the policies.
  • Employees must understand the threats, where to get help, and from whom to ask questions.

Info-Tech Insight

Policy communication is as important as the policy itself. If your policies aren’t communicated well, your employees won’t get the message. Make it easy for employees to find and comply with policies.

3.2 Use myPolicies to automate the management of your security policies

myPolicies is Info-Tech’s web-based solution to create, distribute, and manage corporate policies, procedures, and forms. It provides policy managers with the tools they need to mitigate the risk of sanctions and reduce the administrative burden of policy management, and it enables employees to find the policies, procedures, and forms relevant to them, building a culture of compliance.

Features include:

  1. Searchable centralized policy repository
  2. Automated policy distribution
  3. Digital sign-off
  4. 150+ best-practice IT and HR policy templates
  5. Two-way communication between policy owners and employees
  6. One-click policy handbook creation
  7. Audit-ready reports and logs
  8. Version history and historical policy archive
  9. Controlled document access
Sample of myPolicies.

3.3 Design, build, and implement your communications plan

Input: Security policies

Output: Policy communication plan

Materials: Policy Communication Plan Template

Participants: Human Resources, Security Team

Your end users need to be made aware that your policy exists in order to follow it. Additionally, you need to help them understand the what, why, and how of your policy to obtain their compliance. Employees who do not understand the risk implications of their actions are more likely to create risky situations for the business.

Therefore, the communications plan must incent employees to learn and follow your policies.

  1. Download Info-Tech’s Policy Communication Plan Template.
  2. Use the instructions written in grey text to complete the communications plan.
  3. Publish your policies and implement your communications plan.

Download the Policy Communication Plan Template

3.3.1 Design a communications strategy

A good communications strategy should consider the who, what, how, and when of policy deployment. Use the following checklist to design your strategy:
  • Which employees can we not allow to ignore the policy?
  • Which employees need to understand and accept the policy?
  • Which employees only need access to the policy?
  • Who can answer questions about the policy?
  • What communication tools do we have access to?
  • How will we ensure employees successfully receive and read the policy?
  • How much impact will our deployment model have on the organization (network, existing systems, bandwidth, etc.)?
  • Where will the policies be stored once deployed?

Source: PolicyMatter Ltd, 2005

3.3.2 Build your communication tools

You need to decide how your policies go from your hands to those of your employees. When your policies get updated, your employees should be made aware immediately. Whatever channels you use, they should follow these four best practices:
  1. Standard — Your policies should all come in the same electronic format. Policy updates should be documented and stored with your policies. All company policies should be created using the same template.
  2. Access — Policies need to be made readily accessible to the staff they apply to. Your policies should be located in a centralized repository. SOPs, standards, guidelines, and best practices should be in a nearby repository if they are referenced.
  3. Ownership — Each document should have an author, approver, and moderator who oversees the review of that policy. It should be obvious who can be asked questions relevant to the policy. Contact information for the question taker should be easy to find.
  4. Complement — Use a variety of channels to spread awareness for your policies. Email, office intranet, information sessions, and one-on-one interaction are examples of complementary channels.

3.3.3 Communicate and distribute policies

The following tips focus on communicating new and updated policies with users.
  1. Specify how to tackle security issues at all stages of breaches; present policies in terms of prevention, detection, and response.
  2. Demonstrate the impact of security policy violations. Employees who are not aware of the damage a simple policy violation can cause tend not to take policies seriously.
  3. Communicate the consequences – up to and including termination – but ensure you maintain a proactive message of “if you practice what the policies preach, and help us, this will likely not be a reality for you.”
  4. Provide an additional channel of informal communication. Some employees respond better to informal settings for asking questions and getting assistance.
  5. Offer clear incentives as employees often respond better to instant gratification than to the potential for preventing a security breach that might never actually happen. It is difficult to link behaviors with security benefits.
  6. Inform employees that certain processes are already in place to protect them as users, but they also have accountability and responsibility in this process – technology alone cannot fully protect the organization.

3.4 Incorporate policies and processes into your training and awareness programs

Education

It is important to educate, create awareness, and train users on IT security. However, without policies and processes, users will be aware but unable to act on their knowledge, and there will be no consequences for their actions.

Policy

Policies are needed to enforce accountability for end users. Policies are the foundation of any training program, but without educating users on your policies and the processes to back up your policies, the policies will be ineffective.

Process

Processes are needed to help end users deal with a variety of different situations. Processes will change your users’ behavior, but without policies to enforce your processes, and education to help users understand them, your processes won’t be followed.

See Develop a Security Awareness and Training Program for more guidance.
Successful organizations combine education, policies, and processes to create effective security training and awareness programs:
  • Educate end users on your policies, processes, and the resources available for reacting to threats.
  • Creating policies will create accountability for security in your organization and will stand as the foundation of your awareness and training program.
  • Applying processes to your policies will change end-user behavior to guide them on how to comply with your policies.

Develop and Deploy Security Policies

Phase 4

Measure the security policy program

This phase will walk you through the following activities:

  • Assess the state of security policies in your organization.
  • Understand the need for regular review and maintenance and for creating an action plan.
  • Develop an action plan to update policies.

4.1 Assess the state of security policies

The Info-Tech Security Policy Assessment Tool will help you ensure adequate coverage of your organization's security requirements.
  • The tool allows you to assess your policies based on:
    • Existence – Does the policy exist within the organization?
    • Coverage – What is the extent to which the policy addresses the selected risk area?
    • Communication – Has the policy been formally communicated to the intended audience?
    • Adherence – Are there frequent policy violations?
    • Alignment – Are there contradictions with other policies?
    • Overlap – Does the scope of the policy overlap with any other policies?
Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.

Download the Security Policy Assessment Tool

Sample of the Security Policy Assessment Tool.

4.2 Identify triggers for regular policy review and update

Organizations that do not adhere to a cycle to regularly review and update security policies face a real risk of exposure to security breaches.
  • Security policies that are out of date are about as useful as not having any policies and will leave gaping vulnerabilities that can easily be exploited.
  • Adjustments and updates must be regularly applied to security policies that are no longer applicable to the business.
  • With the emergence of new threats and technologies, it is crucial to stay up to date with security issues and solutions to protect your organization.
  • A good security automation program can be the solution to ensuring that your security program remains relevant and useful.
  • Security stakeholders must keep a close watch on incidents, traffic flows, and early warning signs to identify new threats and update policies appropriately.
Identify when to update policies:
  • Introduction of new technology (hardware or software)
  • New/updated compliance or regulatory mandates
  • Corporate changes including company growth or workforce reduction
  • Introduction of new business practices or other policies
  • Periodically, regardless of changes to business/technology
Identify why to review policies:
  • Ensure alignment with current security issues
  • Understand the actual security posture of your organization
  • Optimize security investments by prioritizing the more critical controls
  • Demonstrate to stakeholders, including auditors, that security is a key priority

4.3 Develop an action plan to update policies

The revision process can mimic the initial development process, but should be shorter and less intense as at this point:
  • Management is familiar with the process.
  • Employees know what to expect in terms of compliance.
  • General topics are already mapped to appropriate policies.
  • Optimizing and improving documents is the goal, not starting from scratch unless new policies are required.
Investigate problems and difficulties with previous policies and determine:
  • How effective was the awareness and training program?
  • Which policies were difficult to understand?
  • Which policies need more effort to enforce?
  • Where were there frequent violations? Why?
  • What were the security audit results?
  • Is the policy still necessary to the business?

Plan to update:

  • Assign accountability for who will be in charge of ensuring maintenance of the policies.
  • Develop a schedule with well-defined tasks, responsibilities, and deadlines.
  • Leverage feedback from all users. Give each department an opportunity to voice their concerns and make an impact on the policies. When the leaders of the individual departments are involved, they’re more likely to support the policies and encourage their teams to follow them.

Summary of Accomplishment

Problem Solved

By following the steps in this blueprint, you will have developed a program and related processes for developing and deploying security policies, including:
  1. Understanding how to prioritize policies in terms of implementation.
  2. Reviewing the difference between a policy and procedure and why it’s beneficial to create both.
  3. Developing policy content through the use of templates.
  4. Assessing your current policies or knowing how to start from scratch and what policies to begin with to build a suite.
  5. Exploring policy communication and enforcement best practices.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889

Insight summary

Create a Policy Lifecycle

Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.

Understand the Audience

The right policy for the right audience. Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.

Standardize Policies

Policies must be reasonable, auditable, enforceable, and measurable. Focus on creating policies using pre-developed templates that are mapped to multiple compliance frameworks.

Communication Is Key

Always communicate. Employees will be more attentive and willing to incorporate what they learn if they feel that awareness and training material was specifically designed to help them.

Stakeholder Feedback = Updated and Effective Policies

Feedback is key. Gain feedback on policy usage and utilization to help with updates and adaptation, where necessary, and monitor policy alignment to business objectives.

Related Info-Tech Research

Build an Information Security Strategy
  • Many security leaders struggle to decide how to best to prioritize their scarce information security resources.
  • The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less so.
Build a Security Compliance Program
  • Reduce complexity within the control environment by using a single framework to align multiple compliance regimes.
  • Reduce costs and efforts related to managing IT audits through planning and preparation.
  • Comply with NIST, ISO, CMMC, SOC2, PCI, CIS, and other cybersecurity and data protection requirements.
Implement a Security Governance and Management Program
  • Your security governance and management program needs to be aligned with business goals to be effective.
  • This approach also helps to provide a starting point to develop a realistic governance and management program.
  • This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Bibliography

“20% Of Workers Don't Follow Company Security Policies All the Time.” Security Magazine, BNP Media, 2020. Web.

2013 Cost of Data Breach Study: Global Analysis. Ponemon Institute LLC, 2013.

Bacik, Sandy. Building an Effective Information Security Policy Architecture. CRC Press, 2008.

Canavan, Sorcha. “Information Security Policy - A Development Guide for Large and Small Companies.” SANS Institute Reading Room, 2006. Web.

“CISA: Certified Information Systems Auditor Study: Understanding Policies, Standards, Guidelines, and Procedures.” CISA, 3 April 2011. Web.

COBIT 5 for Information Security. ISACA, 2012.

ComplianceBridge Policies & Procedures Team. “Your Policy for Policies: Creating a Policy Management Framework.” ComplianceBridge Corporation, 2021. Web.

“Cost of a Data Breach Report 2022.” IBM, 2022. Web.

“Data Leakage Worldwide: The Effectiveness of Security Policies.” Cisco, 12 March 2014. Web.

Heinl, Chris. “3 Best Practices for Publishing Policies & Procedures.” HospitalPortal.net, 29 Jan. 2013. Web.

ISO/IEC 27001:2013. Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC, 2013.

McConnell, Kerry D. “How to Develop Good Security Policies and Tips of Assessment and Enforcement.” SANS Security Essentials, GSEC Practical Assignment, Version 1.3: 2002. Web.

Penman, Carrie, and Randy Stephens. “2016 Ethics & Compliance Policy Management Benchmark Report.” NAVEX Global, 2016. Web.

Mendoza, N.F. “How poor security practices from remote employees are wasting the time of IT staff.” techrepublic.com, 4 Aug. 2020. Web.

Ross, Ron, et al. “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” NIST Special Publication 800-171, National Institute of Standards and Technology, June 2015.

Reed, Brian. “Insider Threats (Still) On The Rise - Facts & Data | Proofpoint US.” Proofpoint.com, Jan. 2022. Web.

Spitzner, Lance. “Human Metrics: Measuring Behavior.” SANS Institute, 21 Oct. 2014. Web.

Villiers, Marilise de, Mathieu Cousin, and Inderpal Dhami. From Promoting Awareness to Embedding Behaviours. Information Security Forum Limited, 2014. Web.

Weise, Joel. Developing a Security Policy. Sun Microsystems Inc., Dec. 2001. Web.

Wunder, John, Adam Halbardier, and David Waltermire. Specifications for Asset Identification 1.1. National Institute of Standards and Technology, June 2011. Web.

“The Global Risks Report 2022.” World Economic Forum, 2022. Web.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.6/10
Overall Impact

$19,820
Average $ Saved

16
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Define the security policy program
  • Call 1: Scope security policy requirements, objectives, and any specific challenges.
  • Call 2: Review policy lifecycle; prioritize policy development.

Guided Implementation 2: Develop and implement the security policy suite
  • Call 1: Customize the policy templates.
  • Call 2: Gather feedback on the policies and get approval.

Guided Implementation 3: Communicate the security policy program
  • Call 1: Communicate the security policy program.
  • Call 2: Develop policy training and awareness programs.

Guided Implementation 4: Measure the security policy program
  • Call 1: Track policies and exceptions.

Author

Danny Hammond

Contributors

  • Michael Santarcangelo, Founder, Security Catalyst
  • Sandy Bacik, Global Risk Assessment Manager, VF Corporation
  • Paul Daley, Senior Analyst, Change Management and Security, Toronto District School Board
  • Candy Alexander, GRC Security Consultant/Virtual CISO, Independent Consultant – Partnered with Towerwall, Inc.
  • Defense Industry Technology Executive, Information Systems and Technology Branch CIO/CKO, United States Air Force
  • Debbie Christofferson, Sr. Security Manager Specializing in Enterprise Risk Management Strategy and Leadership
  • Andrea Hoy, President/Founder & Virtual CSSO, A. Hoy & Associates
  • Kevin Spease, Managing Partner / Security Engineering Consultant, ISSE Services, LLC
  • Rob Marano, Co-founder, Hackerati
  • Mark Leonard, ITS Security Manager, Wesfarmers Insurance
  • Chuck Hathaway, Director of Infrastructure, Catalyst
  • Rebecca Herold, CEO, The Privacy Professor
  • Paul Stillwell, President & Senior Security Consultant, Intrepita Inc.