Security Policies & Standards Development
So many times we come across policies and standards that collect dust on the shelf. Rarely have we seen standards that are effective and actively used within an organization. Typically, there are a few key reasons for this, including:
- Adopting templates from other sources without truly identifying the business requirements for standards
- Ad hoc adoption of policies and standards that do not align to industry recognized frameworks
- Poor wording that is generic and vague, using terms such as "based on risk", which leaves it up to the consumer to decide how much control to apply
- Blending of policy and standards wording into a single document, which leads to confusion and a lack of clarity.
At Iron Spear we don't believe in the "one size fits all" philosophy, especially when it comes to policy and standards. We tailor these to your environment and make them living standards by which your organization is governed. Our experience with this approach has shown that the consumers of the standards, especially IT departments, are eager to receive clear, understandable requirements with simple-to-understand metrics.
When developing your standards, adopt a clear approach which includes:
- Establishing a clear taxonomy: what a policy, a standard and a guideline each mean in your organization.
- Identifying an industry framework that will best suit your organization (e.g. COBIT, ISO, NIST, etc.)
- Identifying the key priority standards that are essential to you, then working on a phased plan for the rest.
- Not recommending that you implement a standard you cannot realistically implement within 2 years; doing so merely sets you up for failure.
- Writing standards in clear, unambiguous language. No "based on risk", "should", "may" or "if possible".
- We write standards to be binary: you either comply or you don't. No middle ground. The benefits of this approach include:
  - Simple measurement of compliance
  - The ability to use the standards as key performance indicators (KPIs)
  - Streamlined internal and external audits
- We develop the standards in the traditional document form as well as in spreadsheets, adding cross-references to internal control requirements, SOX, and any other regulatory standards that you need to comply with. This allows you to search and sort based on regulatory requirements as well as on the role or function of the consumer.
- We develop the policies to support the standards as well as to set the tone of the organization as it pertains to cyber security.