Policy and Standards Development
At Iron Spear, we don’t believe in the “one size fits all” philosophy, especially when it comes to policy and standards. We tailor these to your environment and make them living standards by which your organization is governed. Our experience with this approach has shown that the consumers of the standards, especially the IT departments, are eager to receive clear and concise requirements that are simple to understand and implement.
So many times we come across policies and standards that collect dust on the shelf. In fact, it’s rare that we see standards that are effective and actively used within an organization. Typically, there are a few key reasons for this, which include:
- Adopting templates from other sources without truly identifying the business requirements for standards.
- Ad hoc adoption of policies and standards that do not align with industry-recognized frameworks.
- Poor wording that is generic and vague, using terms such as “based on risk”, which leaves it up to the consumer to decide how much control to apply.
- Blending policy and standards wording into a single document, which leads to confusion and lack of clarity.
When developing your standards we adopt a clear approach which includes:
- Establishing a clear taxonomy: what a policy, a standard and a guideline each mean in your organization.
- Identifying the industry framework that will best suit your organization (e.g. COBIT, ISO, NIST).
- Identifying the key priority standards that are essential to you, then building a phased plan for the rest.
- Not recommending a standard that you cannot realistically implement within 2 years, since this merely sets you up for failure.
- Writing standards in clear, unambiguous language: no “based on risk”, “should”, “may” or “if possible”.
- Writing standards to be binary: you either comply or you don’t. No middle ground. The benefits of this approach include:
  - Simple measurement of compliance.
  - The ability to use the standards as key performance indicators (KPIs).
  - Streamlined internal and external audits.
- Developing the standards in the traditional document form as well as in spreadsheets, adding cross-references to internal control requirements, SOX, and any other regulatory standards that you need to comply with. This allows you to search and sort by regulatory requirement as well as by the role or function of the consumer.
- Developing the policies to support the standards and to set the tone of the organization as it pertains to cyber security objectives.
“Your approach is unique and gives us flexibility.”
– CIO, Crown Corporation
“First time someone was actually able to tell me how we are doing and what I need to be concerned about.”
– Shipping Company CEO
“…your contribution to this audit was invaluable…”
– Senior Government Auditor
Iron Spear is committed to you. We know how important your online security is and we are ready to help you establish guidelines to keep your data safe. Contact us today.
Explore how Iron Spear can bring insight and value into your cyber security program, or perhaps you are simply seeking some advice around cyber security. Give us a call or send us an email and we will be happy to assist.
Call Us: Toll Free 1.800.561.4007