- Employees are not paying attention to policies. When policies are distributed, awareness and understanding of the policy’s purpose, how it benefits the organization, and why compliance matters are overlooked.
- Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
- Data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
- Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.
Our Advice
Critical Insight
- Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.
- Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies to be quantified and qualified for them to be relevant.
Impact and Result
- Save time and money using the templates provided to create your own customized security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
- Overall Impact: 9.8/10
- Average $ Saved: $13,926
- Average Days Saved: 20
| Client | Experience | Impact | $ Saved | Days Saved | Member comment |
|---|---|---|---|---|---|
| Firstmac Limited | Guided Implementation | 9/10 | $21,150 | 20 | Robert Dang has been supporting our security documentation to assist in ISO27001. This has been valued support and will also link FMC with Infotech... |
| Champaign Residential Services Inc | Guided Implementation | 10/10 | $1,360 | 1 | Thank you for sticking with us as we worked through the hurdles of obtaining approval! |
| University of Ottawa | Guided Implementation | 10/10 | N/A | 5 | Jon's experience and richness of experience. |
| SEAPORT THERAPEUTICS INC. | Guided Implementation | 10/10 | $34,000 | 5 | |
| City of Lynnwood | Guided Implementation | 10/10 | N/A | 20 | The templates were helpful, but the best part was Jon conveying the methodology behind everything. It simplified the process and sped up completion... |
| Milliman, Inc. | Guided Implementation | 10/10 | $13,600 | 5 | Petar was amazing. He was efficient, had a wealth of knowledge and provided actionable feedback! |
| O'Neill Vintners & Distillers | Guided Implementation | 10/10 | $13,600 | 55 | |
| City of Atlanta / Atlanta Information Management (AIM) | Guided Implementation | 9/10 | N/A | 5 | Best part - I could easily understand Mike's explanations. There were no negatives. |
| Champaign Residential Services Inc | Guided Implementation | 10/10 | $1,360 | 1 | |
| City of Steamboat Springs | Guided Implementation | 10/10 | $2,584 | 20 | Jon was an excellent SME. We had to move quite slowly due to a plethora of other commitments. He adjusted his schedule to accommodate us. There ... |
| City of Walla Walla | Guided Implementation | 10/10 | $2,720 | 2 | Very insightful discussion with Michel, with action items/direction for next steps to help guide the process. |
| Legal Services Corporation | Guided Implementation | 10/10 | $13,700 | 20 | It was so helpful to talk to Petar on a regular basis about our security policies. He provided realtime advice/best practices on each security poli... |
| Psac | Workshop | 10/10 | $37,500 | 50 | The best part was the knowledge and guidance of Horia to go over all the policies so quickly and with great feedback and input to guide us. Horia w... |
| Champaign Residential Services Inc | Guided Implementation | 10/10 | $13,700 | 10 | Having an outside perspective to help us review each policy has been invaluable. Sometimes, we have blinders on when it comes to our own environmen... |
| NIPPON GASES EURO-HOLDING, SLU | Workshop | 9/10 | $36,999 | 32 | |
| Trillium Mutual Insurance Company | Guided Implementation | 10/10 | $3,000 | 20 | Excellent resource, both knowledgeable and experienced. Recognized our concerns, encouraged us in our progress and showed us other tools which coul... |
| Caribbean Public Health Agency | Guided Implementation | 10/10 | $12,999 | 20 | |
| College Medical Center Long Beach | Guided Implementation | 10/10 | $12,999 | 50 | |
| STERIS Corporation | Guided Implementation | 10/10 | $12,999 | 20 | The best part was the mapping to the standards of the policy statements. It is something we are keeping as we transfer it to our standard format. ... |
| Nieuport Aviation | Guided Implementation | 10/10 | $6,000 | 10 | |
| Eastern Lancaster County School District | Guided Implementation | 8/10 | $10,399 | 50 | |
| Lake County, FL | Workshop | 10/10 | N/A | 10 | Having time to focus on our security policies and to have input from an expert was extremely valuable. We were able to get through several policy d... |
| Svante | Guided Implementation | 8/10 | N/A | N/A | The instructor helped me guide which direction and order I should tackle this issue. I'm hoping to continue conversation regarding general security... |
| United Way Suncoast | Guided Implementation | 10/10 | N/A | 23 | Best part of the experience was working with the analyst as he understood what we were looking for as an organization. Worst part was working on th... |
| Legal Practitioners Fidelity Fund | Guided Implementation | 9/10 | $2,298 | 5 | |
| State Universities Retirement System Of Illinois | Workshop | 10/10 | $116K | 10 | Cameron and Danny were great and highly knowledgeable and did not stop at only policy reviews but helped assess current NIST compliance as part of ... |
| Caribbean Public Health Agency | Guided Implementation | 10/10 | $2,599 | 2 | Very knowledgeable. Very accommodating. |
| Burke and Herbert Bank and Trust Company | Guided Implementation | 10/10 | $37,799 | 20 | |
| Factors Group of Companies | Guided Implementation | 10/10 | $20,500 | 5 | |
| Kern County Information Technology Services | Guided Implementation | 9/10 | $2,742 | 5 | The interactions with the experts. |
Frequently Asked Questions
What is Info-Tech's approach to developing and deploying security policies?
Info-Tech Research Group's Develop and Deploy Security Policies blueprint takes a multi-faceted approach that incorporates foundational technical elements, compliance considerations, and supporting processes through four key phases: assess what security policies currently exist within the organization and consider additional secure policies; develop a policy lifecycle that will define the needs, develop required documentation, and implement, communicate, and measure your policy program; draft a set of security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA); and enhance your overall security posture with a defensible and prescriptive policy suite.
Why do security policies often fail in organizations according to Info-Tech?
Info-Tech Research Group identifies that the problem with security policies isn't development but rather the communication, enforcement, and maintenance of them. According to Security Magazine (2020), 29% of IT workers say it's just too hard and time consuming to track and enforce policies, 25% of IT workers say they don't enforce security policies universally, and 20% of workers don't follow company security policies all the time. Info-Tech emphasizes that without a strong lifecycle to keep policies up to date and easy to use, end users will ignore or work around poorly understood policies, and adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow.
What are Info-Tech's two critical insights about security policies?
Info-Tech Research Group emphasizes two critical insights for security policy success: creating good policies is only half the solution because having a great policy management lifecycle will keep your policies current, effective, and compliant; and policies must be reasonable, auditable, enforceable, and measurable, because if the policy items don't meet these requirements, users can't be expected to adhere to them. Info-Tech recommends focusing on developing policies to be quantified and qualified for them to be relevant, ensuring that policy items meeting these requirements will have a higher level of adherence.
What is Info-Tech's four-phase framework for developing and deploying security policies?
Info-Tech Research Group's framework consists of four phases: Phase 1 (Define Security Policy Program) focuses on developing the policy lifecycle, identifying compliance requirements, and understanding which policies need to be developed, maintained, or decommissioned; Phase 2 (Develop & Implement Policy Suite) involves differentiating between policies, procedures, standards, and guidelines while drafting policies from templates; Phase 3 (Communicate Policy Program) includes identifying changes in the regulatory environment and incorporating policy awareness into training programs; and Phase 4 (Measure Policy Program) focuses on enforcing policies and measuring policy effectiveness while gaining feedback on policy compliance for updates and adaptation.
What tools and templates does Info-Tech provide for security policy development?
Info-Tech Research Group provides seven comprehensive tools for security policy development: the Develop and Deploy Security Policies Deck (four-phase methodology), Security Policy Prioritization Tool (assesses policy importance, ease to implement, and ease to enforce), Security Policy Assessment Tool (assesses policy coverage, communication, adherence, alignment, and overlap), Security Policy Lifecycle Template (includes sections on security vision, mission, and strategic objectives), 19 Policy Suite Templates mapped to the Info-Tech framework (covering Acceptable Use, Application Security, Asset Management, Backup and Recovery, Cloud Security, and 14 additional policy areas), Policy Communication Plan Template (for publishing and communicating policy updates), and Security Awareness and Training Program Development Tool.
What results have organizations achieved using Info-Tech's security policy framework?
According to Info-Tech Research Group's member testimonials, organizations using the Develop and Deploy Security Policies blueprint achieved an average overall impact rating of 9.8 out of 10, average cost savings of $13,926, and average time savings of 20 days. Specific examples include Firstmac Limited achieving 9/10 impact with $21,150 saved and 20 days saved, Champaign Residential Services Inc achieving 10/10 impact with $1,360 saved and 1 day saved, and University of Ottawa achieving 10/10 impact with 5 days saved, demonstrating significant value from Info-Tech's structured security policy approach.
What is the Info-Tech Security Framework and which standards does it align with?
Info-Tech Research Group's Security Framework uses a best-of-breed approach to leverage and align with most major security standards, including ISO 27001/27002, COBIT, Center for Internet Security (CIS) Critical Controls, NIST Cybersecurity Framework, NIST SP 800-53, and NIST SP 800-171. The framework groups policies into governance and management categories, allowing organizations to reduce complexity within the policy creation process by using a single framework to align multiple compliance regimes while ensuring that policies are clear, concise, and consistent across the organization.
What is the policy hierarchy structure recommended by Info-Tech?
Info-Tech Research Group recommends a three-tier policy hierarchy structure: the Security Policy Lifecycle at the top defines the cycle for the security policy program and what must be done but not how to do it, aligning the business, security program, and policies while addressing the "what," "who," "when," and "where"; Security Policies in the middle define high-level overarching concepts of security including scope, purpose, and objectives, addressing the "what" and "why" and changing when business objectives change; and IT and/or Supporting Documentation at the bottom defines enterprise/technology-specific detailed guidelines on how to adhere to policies, addressing the "how" and changing when technology and processes change.
How does Info-Tech's Guided Implementation work for security policy development?
Info-Tech Research Group's Guided Implementation for Develop and Deploy Security Policies is a series of seven calls over the course of two to four months to help implement best practices in organizations. The calls include: Call 1 (scope security policy requirements, objectives, and specific challenges), Call 2 (review policy lifecycle and prioritize policy development), Call 3 (customize the policy templates), Call 4 (gather feedback on policies and get approval), Call 5 (communicate the security policy program), Call 6 (develop policy training and awareness programs), and Call 7 (track policies and exceptions).
What is the relationship between policies, standards, procedures, and guidelines?
Info-Tech Research Group explains that policies provide emphasis and set direction, requiring standards, guidelines, and procedures to support them; standards specify uniform methods of support for policy where compliance is mandatory and include process, frameworks, methodologies, and technology; procedures provide step-by-step instructions to perform desired actions; and guidelines offer recommended actions to consider in the absence of an applicable standard to support a policy. Info-Tech's model emphasizes that if policies describe what needs to happen, then standards explain how it will happen.
What are the 19 policy templates included in Info-Tech's policy suite?
Info-Tech Research Group provides 19 comprehensive security policy templates including: Acceptable Use of Technology Policy, Application Security Policy, Asset Management Policy, Backup and Recovery Policy, Cloud Security Policy, Compliance and Audit Management Policy, Data Security Policy, Endpoint Security Policy, Human Resource Security Policy, Identity and Access Management Policy, Information Security Policy, Network and Communications Security Policy, Physical and Environmental Security Policy, Security Awareness and Training Policy, Security Incident Management Policy, Security Risk Management Policy, Security Threat Detection Policy, System Configuration and Change Management Policy, and Vulnerability Management Policy.
What measured value can organizations expect from Info-Tech's security policy framework?
Info-Tech Research Group quantifies the measured value across four phases: Phase 1 (Define Security Policy Program) saves $1,152 through guidance and templates plus $768 using recommendations and tools; Phase 2 (Develop and Implement Policy Suite) saves $21,600 using templates if starting from scratch; Phase 3 (Communicate Security Policy Program) saves $408 using training and awareness resources; and Phase 4 (Measure Security Policy Program) saves $3,840 using enforcement recommendations plus $7,200 by using recommendations rather than an external consultant, totaling potential savings of nearly $35,000.
What is the cost of data breaches according to Info-Tech's research?
According to Info-Tech Research Group's citation of IBM's 2022 Cost of a Data Breach report (n=537), the cost of a data breach averaged US$4.35 million in 2022, reaching an all-time high. This figure represents a 2.6% increase from 2021 when the average cost of a breach was US$4.24 million, and the average cost has climbed 12.7% since 2020. Info-Tech emphasizes that data breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices, highlighting the critical need for effective policy programs.
What is Info-Tech's Security Policy Prioritization Tool?
Info-Tech Research Group's Security Policy Prioritization Tool is a structured tool that helps organizations prioritize their policy suite to ensure they are addressing the most important policies first. The tool assesses the policy suite on three criteria: policy importance (how critical the policy is to organizational security), ease to implement (how feasible it is to develop and roll out the policy), and ease to enforce (how practical it is to monitor compliance and take corrective action). The output is a prioritized list of policies based on Info-Tech's policy framework, helping organizations focus resources on high-priority security policies.
Who authored Info-Tech's Develop and Deploy Security Policies blueprint?
Info-Tech Research Group's Develop and Deploy Security Policies blueprint was authored by Danny Hammond, Research Analyst in the Security, Risk, Privacy & Compliance Practice at Info-Tech Research Group. The blueprint emphasizes that a policy lifecycle can be the secret sauce to managing policies, noting that a policy for policy's sake is useless if it isn't being used to ensure proper processes are followed, and policies need to be quantified, qualified, and enforced for them to be relevant, while no published framework is going to be a perfect fit for any organization.
Workshop: Develop and Deploy Security Policies
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Define the Security Policy Program
The Purpose
- Define the security policy development program.
- Formalize a governing security policy lifecycle.
Key Benefits Achieved
- Understanding the current state of policies within your organization.
- Prioritizing list of security policies for your organization.
- Being able to defend policies written based on business requirements and overarching security needs.
- Leveraging an executive champion to help policy adoption across the organization.
- Formalizing the roles, responsibilities, and overall mission of the program.
Activities:
- Understand the current state of security policies.
- Align your security policies to the Info-Tech framework for compliance.
- Understand the relationship between policies and other documents.
- Prioritize the development of security policies.
- Discuss strategies to leverage stakeholder support.
- Plan to communicate with all stakeholders.
- Develop the security policy lifecycle.
Outputs:
- Prioritized list of required security policies
- Security policy charter
Module 2: Develop the Security Policy Suite
The Purpose
- Develop a comprehensive suite of security policies that are relevant to the needs of the organization.
Key Benefits Achieved
- Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.
Activities:
- Discuss organizational risks and drivers that must be addressed by policies.
- Develop and customize security policies.
Outputs:
- Security policies (approx. 9)
Module 3: Develop the security policy suite (continued)
The Purpose
- Develop a comprehensive suite of security policies that are relevant to the needs of the organization.
Key Benefits Achieved
- Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.
Activities:
- Discuss organizational risks and drivers that must be addressed by policies (continued).
- Develop and customize security policies (continued).
- Discuss a plan to submit policies for approval.
Outputs:
- Security policies (approx. 9)
Module 4: Implement Security Policy Program
The Purpose
- Ensure policies and requirements are communicated with end users, along with steps to comply with the new security policies.
- Improve compliance and accountability with security policies.
- Plan for regular review and maintenance of the security policy program.
Key Benefits Achieved
- Streamlined communication of the policies to users.
- Improved end-user compliance with policy guidelines and better preparation for audits.
- Security policies incorporated into the daily schedule, eliminating disturbances to productivity and efficiency.
Outputs:
- Policy communication plan
- Security awareness and training program development tool
- Security policy assessment tool
Develop and Deploy Security Policies
Enhance your overall security posture with a defensible and prescriptive policy suite.
Analyst Perspective
A policy lifecycle can be the secret sauce to managing your policies.
A policy for policy’s sake is useless if it isn’t being used to ensure proper processes are followed. A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant.
Policies should be developed based on the use cases that enable the business to run securely and smoothly. Ensure they are aligned with the corporate culture. Rather than introducing hindrances to daily operations, policies should reflect security practices that support business goals and protection.
No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep your organization secure.
Danny Hammond, Research Analyst, Security, Risk, Privacy & Compliance Practice, Info-Tech Research Group
Executive Summary
Your Challenge
This research is designed to help organizations design a program to develop and deploy security policies.

Common Obstacles
The problem with security policies isn’t development; rather, it’s the communication, enforcement, and maintenance of them. InfoSec leaders will struggle to craft the right set of policies without knowing what the organization actually needs, such as:

The problem with security policies (Source: Security Magazine, 2020):
- 29% of IT workers say it's just too hard and time consuming to track and enforce.
- 25% of IT workers say they don’t enforce security policies universally.
- 20% of workers don’t follow company security policies all the time.

Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020. (Source: IBM, 2022 Cost of a Data Breach; n=537)

Info-Tech’s Approach
Info-Tech’s Develop and Deploy Security Policies takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

Info-Tech Insight
Creating good policies is only half the solution. Having a great policy management lifecycle will keep your policies current, effective, and compliant.
Info-Tech’s approach

I. Define Security Policy Program
The right policy for the right audience. Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.
Tools: a) Security policy program lifecycle template; b) Policy prioritization tool

II. Develop & Implement Policy Suite
Policies must be reasonable, auditable, enforceable, and measurable. Policy items that meet these requirements will have a higher level of adherence. Focus on efficiently creating policies using pre-developed templates that are mapped to multiple compliance frameworks.
Tools: a) Policy template set

III. Communicate Policy Program
Awareness and training on security policies should be targeted and must be relevant to the employees’ jobs. Employees will be more attentive and willing to incorporate what they learn if they feel that awareness and training material was specifically designed to help them.
Tools: a) Security policy awareness & training tool; b) Policy communication plan template

IV. Measure Policy Program
Gaining feedback on policy compliance is important for updates and adaptation, where necessary, as well as monitoring policy alignment to business objectives.
Tools: a) Security policy tracking tool

Build trust in your policy program by involving stakeholder participation through the entire policy lifecycle.
Blueprint benefits
IT/InfoSec Benefits
Business Benefits
Key deliverable: Security Policy Templates. Templates for policies that can be used to map policy statements to multiple compliance frameworks.

Measure the value of this blueprint
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
- Overall Impact: 9.5/10
- Overall Average $ Saved: $29,015
- Overall Average Days Saved: 25
Info-Tech offers various levels of support to best suit your needs
- DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
- Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
- Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
- Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
Guided Implementation
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is six to ten calls over the course of two to four months.
What does a typical GI on this topic look like?
Phase 1
- Call #1: Scope security policy requirements, objectives, and any specific challenges.
- Call #2: Review policy lifecycle; prioritize policy development.
Phase 2
- Call #3: Customize the policy templates.
- Call #4: Gather feedback on policies and get approval.
Phase 3
- Call #5: Communicate the security policy program.
- Call #6: Develop policy training and awareness programs.
Phase 4
- Call #7: Track policies and exceptions.
Develop and Deploy Security Policies
Phase 1
Define the Security Policy Program
Phase 1
- 1.1 Understand the current state
- 1.2 Align your security policies to the Info-Tech framework
- 1.3 Document your policy hierarchy
- 1.4 Prioritize development of security policies
- 1.5 Leverage stakeholders
- 1.6 Develop the policy lifecycle
Phase 2
- 2.1 Customize policy templates
- 2.2 Gather feedback from users on policy feasibility
- 2.3 Submit policies to upper management for approval
Phase 3
- 3.1 Understand the need for communicating policies
- 3.2 Use myPolicies to automate the management of your security policies
- 3.3 Design, build, and implement your communications plan
- 3.4 Incorporate policies and processes into your training and awareness programs
Phase 4
- 4.1 Assess the state of security policies
- 4.2 Identify triggers for regular policy review and update
- 4.3 Develop an action plan to update policies
This phase will walk you through the following activities:
- Understand the current state of your organization’s security policies.
- Align your security policies to the Info-Tech framework for compliance.
- Prioritize the development of your security policies.
- Leverage key stakeholders to champion the policy initiative.
- Inform all relevant stakeholders of the upcoming policy program.
- Develop the security policy lifecycle.
1.1 Understand the current state of policies
Scenario 1: You have existing policies
Scenario 2: You are starting from scratch
Policies are living, evolving documents that require regular review and update, so even if you have policies already written, you’re not done with them.
1.2 Align your security policies to the Info-Tech framework for compliance
You have an opportunity to improve your employee alignment and satisfaction, improve organizational agility, and obtain high policy adherence. This is achieved by translating your corporate culture into a policy-based compliance culture.
Align your security policies to the Info-Tech Security Framework by using Info-Tech’s policy templates. Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:
- ISO 27001/27002
- COBIT
- Center for Internet Security (CIS) Critical Controls
- NIST Cybersecurity Framework
- NIST SP 800-53
- NIST SP 800-171
Info-Tech Security Framework (diagram)
1.3 Document your policy hierarchy
Structuring policy components at different levels allows for efficient changes and direct communication depending on what information is needed.
- Security Policy Lifecycle (top): Defines the cycle for the security policy program and what must be done, but not how to do it. Aligns the business, security program, and policies; addresses the what, who, when, and where.
- Security Policies (middle): Define the high-level, overarching concepts of security within the organization, including the scope, purpose, and objectives of policies. They address the what and why and change when business objectives change.
- IT and/or Supporting Documentation (bottom): Defines enterprise- and technology-specific, detailed guidelines on how to adhere to policies. It addresses the how and changes when technology and processes change.
Info-Tech Insight
Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.
1.3.1 Understand the relationship between policies and other documents
- Policy: Provides emphasis and sets direction. A policy requires standards, guidelines, and procedures to support it.
- Standard: Specifies uniform methods of support for a policy; compliance is mandatory. Standards include processes, frameworks, methodologies, and technology.
- Procedure: Step-by-step instructions to perform desired actions.
- Guideline: Recommended actions to consider in absence of an applicable standard, to support a policy.
Standards, procedures, and guidelines together form the supporting documentation beneath the policies.
This model is adapted from a framework developed by CISA (Certified Information Systems Auditor).
Considerations for standards
Standards support policies by being much more specific and outlining the key steps or processes necessary to meet particular requirements within a policy document. Ideally, standards should be based on policy statements, with the goal of detailing the requirements that show how the organization will implement the policies it has developed.
If policies describe what needs to happen, then standards explain how it will happen. A good example is an email policy that states that emails must be encrypted; this policy can be supported by a standard that requires Transport Layer Security (TLS) so that all email "in transit" between two mail servers with TLS enabled is encrypted. Note that TLS between mail servers is commonly opportunistic, meaning a server falls back to plaintext when the peer does not offer it, so a standard written to satisfy an "emails must be encrypted" policy should state that TLS is required, not merely supported, and how that requirement is verified. There are numerous security standards available that support security policies and programs, depending on the kind of systems and controls an organization wants to put in place. A good selection of supporting standards can go a long way toward protecting users, data, and other organizational assets.
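As an added illustration of the policy-to-standard chain described above (this is editorial example material, not part of the Info-Tech blueprint, which names no particular mail server), the following Postfix `main.cf` fragments contrast a configuration that merely permits TLS with one that enforces the "emails must be encrypted in transit" statement. Postfix, the file path and the domain `example.com` are assumptions chosen for the example.

```conf
# Weak: opportunistic TLS. Postfix tries STARTTLS but silently falls back to
# plaintext if the remote MTA does not offer it, and never checks certificates.
# This satisfies "supports TLS" but not "all email is encrypted in transit".
smtp_tls_security_level = may

# Corrected: enforce TLS for all outbound mail (no plaintext fallback) and
# refuse legacy protocol versions.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# "encrypt" still does not authenticate the peer, so an on-path attacker with
# any certificate can terminate the session. For destinations that matter,
# require certificate verification per destination (example.com is a placeholder):
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#   /etc/postfix/tls_policy contains, for instance:
#   example.com   secure match=example.com:.example.com

# Inbound side: advertise STARTTLS so peers can encrypt when sending to you.
smtpd_tls_security_level = may
```

The check an auditor of this standard should perform is not "is TLS configured" but "can a message leave this server in plaintext"; with the `may` setting the answer is yes, which is the gap between a policy statement and a standard that actually implements it.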
1.4 Prioritize development of security policies
The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.
Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.
Info-Tech Insight
If you have an existing policy that aligns with one of the Info-Tech recommended templates, weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of these policies.
Download the Security Policy Prioritization Tool
1.5 Leverage stakeholders to champion policies
Info-Tech Insight
While management support is essential to initiating a strong security posture, allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will be less of a police force and more of a partner.
- Executive champion: Identify an executive champion who will ensure that the security program and the security policies are supported.
- Focus on risk and protection: Security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because they apply to overall business operations and a revenue-generating mandate.
- Communicate policy initiatives: Inform stakeholders of the policy initiative, as security policies are only effective if they support the business requirements, and user input is crucial for developing a strong security culture.
- Current security landscape: Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.
- Management buy-in: This is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.
1.6 Develop the security policy lifecycle
Download the Security Policy Lifecycle Template
Diagram inspired by: ComplianceBridge, 2021