A solid security policy framework is the foundation for secure enterprise culture, secure development, secure operations and secure processes. Maintaining framework relevance requires dedication, communication and hard work.
The enterprise policy framework requires constant maintenance in order to stay relevant. Meeting new compliance requirements and keeping up with new technologies requires adaptation and extension of the framework. Often the framework is layered in multiple levels which build on top of each other. A relevant framework cascades requirements from top to bottom, and the reader should be able to trace those requirements from the bottom up, i.e. at the lowest level the reader should know WHY a particular measure needs to be implemented.
Generally, the different levels in the framework need to answer different types of questions. Here we recommend the WHY, WHAT, HOW approach where the top level policies describe the WHY, security standards define the WHAT and hardening benchmarks set the HOW.
We recommend using common industry practices such as RFC 2119 to formulate requirements and to differentiate their importance.
Less is more! We strive to be concise and reduce content to the minimum that still achieves the common security goals. We draw on the common good practices published by CIS, NIST, ISO and vendor-specific security guidelines, boil them down to their essence and enrich them with our industry-wide experience to ensure relevance to your organization.
In agreement with you, we will define the scope of the required maintenance work on your policy framework on an annual basis. We will update existing policies and standards, adapt hardening guidelines to the most recently released software versions and, on demand, create new hardening guidelines relevant to your operations teams. We will set up review meetings with stakeholders and discuss the feasibility of requirements with the operations teams.
The security state of large and complex IT infrastructures can be reasonably managed only through automation. Automated technical security compliance verification, monitoring and remediation are the key to more transparency and efficiency for the security organization.
The enterprise corporate policy framework defines the requirements that need to be met in order to achieve the security goals. Cascading down the levels of the framework refines those requirements, answering WHY they exist, WHAT must be met and HOW to achieve it.
This builds the foundation for the security automation that should effectively ensure compliance with the policy requirements at large scale across the enterprise IT landscape.
We help our clients achieve automated compliance throughout the life cycle of their systems - from the deployment stage, through monitoring in the production stage, to decommissioning.
Our expertise in technical compliance stretches across the technology stack - from configuration compliance on hyperscalers (AWS/Azure/GCP), through network devices, hypervisors and operating systems, to database and application configuration compliance.
In order not to introduce a new automation management tool in your environment, we can leverage the already available automation infrastructure of the operations team.
The ultimate purpose of automation is scale and efficiency. Your organization can become even more efficient by extending the automated security controls and mapping them to your ISMS controls, thus providing automated compliance reporting for ISO, SOC or any other targeted certification. In our experience, mapping technical compliance controls to ISMS controls leads to near-zero preparation time for external audits, and the auditors in turn have very high confidence in the audited controls. Together with you we will assess which ISMS controls are potential automation candidates and map them accordingly.
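The following is an added illustration of the WHY/WHAT/HOW cascade, RFC 2119 requirement levels and the roll-up of automated checks to ISMS controls described above; it is example code written for this page, not any client's or vendor's tooling. All policy, standard, check and ISMS control identifiers, and the sample host configuration, are constructed placeholders.

```python
"""Toy compliance roll-up: hardening checks (HOW) cite the standard requirement
(WHAT) they implement, which cites the policy goal (WHY) and the ISMS control it
evidences. RFC 2119 levels decide severity: a failed MUST is non-compliant, a
failed SHOULD is a deviation to be justified. All IDs are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable

# WHAT: standard requirements, each tied to a policy goal (WHY) and an ISMS control.
STANDARD = {
    "STD-SSH-01": {"level": "MUST", "why": "POL-ACCESS: no password-only remote admin", "isms": "CTRL-AUTH"},
    "STD-SSH-02": {"level": "SHOULD", "why": "POL-LOGGING: attribute admin actions", "isms": "CTRL-LOG"},
}

@dataclass
class Check:          # HOW: one hardening benchmark check
    id: str
    requirement: str  # the STD-* requirement this check implements
    test: Callable[[dict], bool]

CHECKS = [
    Check("HB-SSH-001", "STD-SSH-01", lambda c: c.get("PasswordAuthentication") == "no"),
    Check("HB-SSH-002", "STD-SSH-02", lambda c: c.get("LogLevel") == "VERBOSE"),
]

def evaluate(config: dict, checks=CHECKS) -> list:
    """Run every check; return (check id, requirement, level, isms control, passed)."""
    return [(ck.id, ck.requirement, STANDARD[ck.requirement]["level"],
             STANDARD[ck.requirement]["isms"], ck.test(config)) for ck in checks]

def isms_rollup(results) -> dict:
    """Worst outcome per ISMS control: compliant, deviation (SHOULD failed) or non-compliant (MUST failed)."""
    rank = {"compliant": 0, "deviation": 1, "non-compliant": 2}
    status = {}
    for _, _, level, control, passed in results:
        outcome = "compliant" if passed else ("non-compliant" if level == "MUST" else "deviation")
        if rank[outcome] >= rank[status.get(control, "compliant")]:
            status[control] = outcome
    return status

def explain(check_id: str) -> str:
    """Bottom-up traceability: from a benchmark check to the policy goal it serves."""
    ck = next(c for c in CHECKS if c.id == check_id)
    req = STANDARD[ck.requirement]
    return f"{ck.id} -> {ck.requirement} ({req['level']}) -> {req['why']} [ISMS {req['isms']}]"

if __name__ == "__main__":
    host = {"PasswordAuthentication": "yes", "LogLevel": "VERBOSE"}  # constructed sample config
    print(isms_rollup(evaluate(host)))
    print(explain("HB-SSH-001"))
```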