Vancouver Head Office: 170- 422 Richards Street Vancouver, BC V6B 2Z4

Tel. 1.778.801.5635

Calgary Office: Suite 2500-500 4th Avenue SW Calgary, AB T2P 2V6

Tel. 1.587.997.4862

© 2019 by Iron Spear Information Security Ltd.

At Iron Spear, we don't believe in the "one size fits all" philosophy, especially when it comes to policy and standards. We tailor these to your environment and make them living standards by which your organization is governed. Our experience with this approach has shown that the consumers of the standards, especially the IT departments, are eager to receive clear and concise requirements that are simple to understand and implement.

So many times we come across policies and standards that collect dust on the shelf. Rarely have we seen standards that are effective and actively used within an organization. Typically there are a few key reasons for this, including:

  • Adopting templates from other sources without truly identifying the business requirements for standards.

  • Ad hoc adoption of policies and standards that do not align with industry recognized frameworks.

  • Poor wording that is generic and vague, using terms such as "based on risk", which leaves it to the consumer to decide how much control to apply.

  • Blending policy and standards wording into a single document, which leads to confusion and lack of clarity.

When developing your standards, we adopt a clear approach which includes:

  • Establishing a clear taxonomy: what a policy, a standard and a guideline each mean in your organization.

  • Identifying the industry framework that best suits your organization (e.g. COBIT, ISO, NIST).

  • Identifying the key priority standards that are essential to you, then working on a phased plan for the rest.

  • Not recommending a standard that you cannot realistically implement within 2 years; doing so merely sets you up for failure.

  • Writing standards in clear, unambiguous language: no "based on risk", "should", "may" or "if possible".

  • Writing standards to be binary: you either comply or you don't, with no middle ground. The benefits of this approach include:

      • Simple measurement of compliance.

      • The ability to use the standards as key performance indicators (KPIs).

      • Streamlined internal and external audits.

  • Developing the standards in traditional document form as well as in spreadsheets, with cross-references to internal control requirements, SOX, and any other regulatory standards you need to comply with. This allows you to search and sort by regulatory requirement as well as by the role or function of the consumer.

  • Developing the policies that support the standards and set the tone of the organization as it pertains to cyber security objectives.