Information Security Policy Development
Service Description
We will provide high-level guidance on how to approach information security and propose a written information security policy. The Information Security Policy relies on several subsidiary policies to provide operational guidance on performing particular activities. While those subsidiary policies may be updated frequently to reflect changes in the company or evolving best practices, this overarching Information Security Policy should remain a relatively static, high-level description of other specific InfoSec policies.
An Information Security Policy is essential for an organization to securely and consistently protect its data. This policy establishes clear expectations surrounding information security for the entire organization. It identifies high-level activities for implementing an approach to information security, articulates the principles those activities should meet or exceed, and establishes definitions for classifying the sensitivity of different types of systems and/or information.
These activities include efforts to protect information, systems and data, efforts to detect when information resources have been or are at risk of becoming compromised, and efforts to respond when breaches or potential breaches arise. They also include efforts to gather intelligence or other publicly available information to improve prevention, detection and response activities, as well as efforts to develop the cultural, managerial and governance structures necessary to improve information security.
Our Methodology
We will start by understanding what security policies and procedures you have in place today. We will identify gaps in areas of information security that are not well defined and then provide recommendations on how to incorporate these items into your policy. We will review this documentation as well as anything else that is relevant to the following areas:
- Acceptable Use
- Corporate Equipment
- Cloud Storage
- Wireless Access
- Data Protection
- Security
- Access Management
- Infrastructure Management
- Threat Intelligence
- Cybersecurity Management
- Computing Providers
- Communications
- Awareness and Training
- External Communications
We will then interview your key personnel supporting these functions to identify discrepancies between stated procedures and actual processes. Where these discrepancies exist, we will determine if there are valid cultural or risk-specific reasons to deviate from stated processes. Additionally, CAG will offer suggestions for improvements based on industry best practice and core critical controls.
Following these discussions, we will document a proposed information security policy tailored to your needs. Our goal is not only to define processes that reflect best practice, but to recommend practices that are most appropriate for your company culture, size and employee characteristics. If you have edits, we will incorporate them into the policy before providing it to you for final review and feedback.
Our Deliverables
In addition to the usual status updates and meetings, CAG will deliver written drafts of the following material:
- One tailored information security policy
Note: A project plan will be developed at the start of each engagement.