Effective security policies form the foundations for cogent and efficient security programs and practice. To be practical and applicable, security policy documentation must specifically address the issues and risks that affect your organisation, without neglecting your organisational goals. Attempting to create policy documentation from standardised templates is highly unlikely to result in either a useful documentation set or a security program that is effective at mitigating and remediating risk.
The Xiphos Research policy review and development services are specifically designed to address the needs of enterprises in both formulating and improving the effectiveness of organisation-wide security policies.
The security policy review services we offer seek to identify and eliminate outdated or incomplete policy documentation, and improve the overall effectiveness of such documentation in preventing malicious or accidental attacks against the security posture of our clients. As well as determining deficits in existing documentation and outlining practical steps that can be taken to improve its effectiveness and efficiency, the policy review service also includes a recognition of the regulatory and compliance requirements that apply to our clients' businesses and industries.
In addition to the review of existing security policy documentation, we also work with our clients in formulating and developing security policies. We work closely with our clients throughout the development process, from the creation of high-level security overviews to the development of detailed and relevant standards and procedures documentation. The typical policy development process encompasses a range of stages (each adjusted to suit the needs of clients). These include:
- A comprehensive review of organisational issues, objectives, priorities and risks
- Threat modelling and identification of key organisational concerns
- Identification and review of existing mitigation and prevention strategies, as well as organisational practices
- Interviews with key security stakeholders, technical specialist staff and managers
- Creation and revision of security policy documentation sets
- Ongoing liaison and education to ensure documentation does not stagnate following completion of the engagement
For additional information or assistance with our policy review and development service offerings, contact us.