Policy Gap and Development

Policies and supporting documentation are a critical foundational element of any information security program. When properly managed, they set expectations for employee behavior and communicate the institution's beliefs and operational values about protecting critical information assets. Because variation in employee behavior is one of the greatest security risks an organization faces, it is important to communicate policies across the organization and to validate that they are understood.

As organizations grow and change, day-to-day operations can also drift away from the defined policies. If policies have not been updated to reflect ongoing changes in the organization, the resulting gaps can dramatically increase risk across the enterprise.

Approach

To address these challenges, VioPoint works with information security stakeholders to review all of the relevant policies, procedures, standards and guidelines that have been published and disseminated to users in the organization. VioPoint evaluates the policies against the applicable requirements (compliance obligations, industry best practices, etc.) to ensure they align with the organization's business plans or other mandates. Items examined in these projects include, but are not limited to:

  • Policy document structure (author, version, change control, etc.)
  • Policy language (enforceable language items, appropriate security policy statements, etc.)
  • Overall clarity and cross referencing (separation of policy statements, procedures, guidelines, standards, etc.)
  • The overall process for reviewing and approving policies on a periodic basis within the organization.

Results

During a policy gap and development review, VioPoint evaluates existing policy documents and compares them to best practices or other compliance mandates. Identified gaps are documented, and the recommendations for improvement explain what the current documentation has missed from both a technical and an administrative perspective. VioPoint also provides recommendations on how organizations can manage the policy lifecycle more efficiently through disciplined processes. Specifically for this area, VioPoint will:

  • Evaluate organizational policies, information technology specific policies, security strategy documents and any other relevant supporting documentation.
  • Identify policy gaps that represent potential weaknesses and disclose the theoretical exposures they create.
  • Align exposures from past testing activities with missing policy or procedure items.
  • Define the roles and responsibilities for policy decision makers and any committee members tasked with creating or maintaining policies.

VioPoint will also recommend changes to existing policies (document structure, policy statements, etc.) and identify any additional policies that should be implemented. The findings will include advice on how to effectively prepare for future policy awareness activities.
