'Development of enterprise level Information Security Policies, Procedures and Standards' was an initiative to ensure we have an enterprise wide policy, procedures and standards for ensuring smooth Governance & Compliance of Information Security practices. The standards based on industry benchmark such as CIS, NSA, NIST helps an enterprise to configure, implement, manage and monitor the robust Infrastructure and best security practices through business approved policies and procedures. Through this project, we are coming up with policies, procedures and technical control standards that enable streamlining and strengthening the implementation of Operating Systems, Databases, MS Office / Exchange environments, Server Infrastructures, Network/Firewalls Infrastructure, Virtual machines, Remote Access, Mobile Technologies, Secure file/data transfers, Encryption, Access management, Incident Management, Business Continuity Management etc.
Checklist for Technology/Vendor/Solution Evaluation:
•Ensure company is registered/subscribing to one or more industry standard/benchmark. Eg. Center of Internet Security (CIS), National Institute of Standards and Technology (NIST), National Security Agency (NSA) etc.
•Ensure an Information Security Policy Framework is in place that describes the company strategy to have
- Information Security Policies
- General security controls those are applicable across enterprise
- Technical control areas those are applicable across the enterprise
- Processes and Procedures required for adopting some of the technologies/standards
• Understand the current enterprise implementations, documentations, policies, procedures and other artifacts in place
The infrastructure –
- Types/Kinds of servers
- Different OS’s implemented
- Network/Firewall solutions in place
- Databases being used
- Virtualization strategy
- Data Loss Prevention controls/tools in place
- End-point’s being used
- Strategies for desktops/laptop/mobile device encryptions
- Incident Management in place
- Access and authentication management in place
- Business Continuity / Disaster Recovery Management
• Define the team structure involved in policy development, review, testing, approvals etc. E.g.
- Identify/register/subscribe to industry standard benchmark providers
- Identify the authors/contributors and policy developers within the organization or hire an expert agency to develop the policy framework/policies etc
- Identify the SMEs (Subject Matter Experts) who would be involved in reviewing all of the documents being developed
- Identify the SMEs and technical teams who would be involved in thoroughly testing all of the controls/policies being documented
- Identify the business approvals. Ensure right stakeholders are involved in approving different sets of documentations mentioned above
( Read more: How Should a CISO choose the right Anti-Malware Technology? )
Key Learning: Do's and Don’ts
- Ensure information security strategy/program in place
- Ensure Information security policy framework is in place
- Ensure registration/subscription to industry standard practices and benchmarks.
- Ensure every policy/procedure/control/standard document is thoroughly reviewed and approved by SME’s
- Ensure every control in these documented is tested to fit the business requirements and security practices/strategies of the company
- Avoid the temptation of covering the entire universe in the policies, procedures, controls and standards. The industry benchmarks/standards generally cover the entire gambit of the topic and it is key to understand what is relevant to business and the security strategy of the company and implement only that much as a policy or a standard.
- With Mahesh Sonavane,SunGard Global Technology on How To Evaluate Compliance Solutions ClickToTweet
What are your evaluation parameters for GRC Solutions. Share your views in comments below or write your article here