Information Security Policy Development and Assessment

Building a Foundation for Cyber Resilience

An Information Security Policy provides the foundation for a successful Program to protect your information, prepare for and adapt to changing threat conditions, and withstand and recover rapidly from disruptions. A solid foundational Policy is built with straightforward rules, standards, and agreements that conform to industry best practices and regulatory requirements. It provides institutional memory that survives inevitable changes in personnel. It clearly defines information security expectations, activities, roles, and responsibilities. Its requirements, values, and goals must also reflect those of the organization’s culture as a whole.

Sage’s Collaborative Approach

Collaboration is paramount in every Sage engagement to ensure information security initiatives are planned in the context of each organization’s unique operating environment. Together, we assess your existing security practices and determine whether they comply with the regulatory requirements and legal standards pertinent to your industry and align with best practices. Then we expand and build on them strategically to create a comprehensive Information Security Policy tailored to your specific business objectives and cybersecurity maturity goals.

Sage informs the process with federal guidance, industry standards, and international practice standards from authoritative sources, including the Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), ISO 27002, the NSA, and the most critical technology vendors. This ensures your Program meets regulatory expectations, follows appropriate best practices, and provides an optimum structure for your organization.

In developing your Information Security Policy, Sage will provide assessments and recommendations in the following areas, and more if needed:

  • Governance (Roles and Responsibilities)
  • Information Security Program Maintenance and Review
  • Information Security Risk Management
  • Information Classification
  • Access Control
  • Network Security
  • Operational Security
  • System Lifecycle Security
  • Physical and Environmental Controls
  • Incident Response
  • Personnel Security
  • Vendor Management
  • Social Media
  • Continuity of Operations / Disaster Recovery

Reports and Deliverables

Once we have evaluated and helped strengthen your Information Security Policy, you receive:

  • An Information Security Policy: Your comprehensive document that clearly outlines the procedures and standards we have developed together.
  • An Acceptable Use Agreement: A contract for employees that clearly communicates the policies and standards that pertain to them.
  • A Regulatory Cross-reference Matrix (if applicable): A tool that maps each applicable regulation to the specific Policy sections of your Program that satisfy it. This matrix can be very helpful during internal and external audits.

No one is immune to cyber-attacks