SPYRUS Policies and Procedures - Security Policy and Procedures
The Security Policy and Procedures (SP&P) follow the general format of ISO/IEC IS 17799, as a formal security policy with procedures and guidelines. The SP&P incorporates parts of section 5 of the CP (Certificate Policy) and CPS (Certification Practice Statement): the physical and personnel security rules and practices. The SP&P is internal to the customer's organization, but is subject to external review for audit, certification or accreditation purposes.
A Security Policy should be based on an organization's business objectives and business requirements. In a PKI environment, the Security Policy is also based on the CP. It is obviously important, therefore, that all policy documentation derive from one common directing strategy, which is normally dictated by business objectives. Certain elements of the Security Policy and Procedures duplicate requirements and guidelines of the CP and CPS, but the SP&P can stand alone.
Security in general is premised on the principle of risk management. Without a careful analysis of business objectives, threats to the achievement of those objectives, and consequent risks to the organization, it becomes difficult to design the most appropriate and cost-effective security program. This is true as well in the PKI environment.
There are numerous guides on risk management; SPYRUS has incorporated the most up-to-date and respected guidance into our SP&P template. Since SPYRUS participates in the development of many of these guides, as well as international standards on risk management, our approach is certainly consistent with most guidance. Organizations will benefit from our broad and deep experience in the field of risk management.
The objective of the Security Policy and Procedures is to provide a framework for adequate, cost-effective protection of information and assets. The high-level requirements of the Security Policy are:
- Accountability - Appointment of a Company Security Officer
- Authorization - Access control
- Information management - Appointment of an Information Manager
- Asset management - Appointment of a Property Manager
- Security risk management
- Ongoing security awareness program
These requirements are met by the development, implementation, communication and monitoring of procedures addressing all areas of security: personnel, physical, information technology, contracting, business continuity, configuration management and audit. The SPYRUS SP&P template covers all elements of security. Our approach, which is widely accepted by security professionals, considers all elements of security in the context of an integrated whole, with each element complementing and balancing every other element.
SPYRUS Consulting Services offers assistance to clients in all aspects of security planning and management, within a framework of international and/or local legislation, regulation, policies and standards.