Security Policies and Standards
A solid security policy framework is the foundation for secure enterprise culture, secure development, secure operations and secure processes. Maintaining framework relevance requires dedication, communication and hard work.
The enterprise policy framework requires constant maintenance to stay relevant. Meeting new compliance requirements and keeping up with new technologies requires adaptation and extension of the framework. Often the framework is layered in multiple levels that build on top of each other. A relevant framework cascades requirements from top to bottom, and the reader should be able to trace those requirements bottom-up, i.e. at the lowest level the reader should know WHY a particular measure needs to be implemented.
Generally, the different levels in the framework need to answer different types of questions. Here we recommend the WHY, WHAT, HOW approach: the top-level policies describe the WHY, security standards define the WHAT and hardening benchmarks set the HOW.
We recommend using common industry practices such as RFC 2119 to formulate requirements and to differentiate their importance (MUST, SHOULD, MAY).
Less is more! We strive to be concise and reduce content to the bare minimum that still achieves the common security goals. We draw on common good practices provided by CIS, NIST, ISO and vendor-specific security guidelines, boil them down to extract the essence, and enrich it with our industry-wide experience to ensure relevance to your organization.
Policy Framework as a Service
In agreement with you, we will define, on an annual basis, the scope of the maintenance work required for your Policy Framework. We will update existing policies and standards, adapt hardening guidelines to the most recently released software versions and, on demand, create new hardening guidelines relevant to your operations teams. We will set up review meetings with stakeholders and discuss the feasibility of requirements with the operations teams.