When InfoDefense security experts conduct a gap analysis, we begin with the appropriate regulatory documentation to generate requirements. We then work with you to determine if documented processes are in place that address the intent of each requirement. Those requirements not met constitute the regulatory gap, which can be used as a foundation for enterprise-level programs designed to improve your compliance levels.
Policies specify the intent of your organization to grant authority, define roles and responsibilities and establish high-level requirements for protecting your information resources. Policies tend to be strategic in nature, specifying the desired security state, but not how to achieve it. Standards, on the other hand, define mandatory settings, controls and requirements that must be implemented to achieve the objectives defined by policies. InfoDefense has a library of documents that can help you define your policies and standards through a fully-realized framework.
Information security policies and procedures are the cornerstone of any company’s information security, and they are typically the items that receive the greatest scrutiny from auditors. Disconnected or poorly communicated security policies fail to demonstrate compliance and can drag down the overall information security program with them. InfoDefense has a wealth of expertise in the development of security procedures, which we tailor to your company’s specific needs while ensuring you have full coverage of your policies and standards and that you can meet obligations from a regulatory perspective.
Connecting to your vendors is almost a necessity in today’s interconnected world, and securing your vendor communications is just as necessary to ensure the integrity of your systems is maintained. In addition to systems-based solutions, InfoDefense provides services to design and implement standards, policies and processes that ensure not only that your current vendors integrate securely with your business, but also that vendor due diligence becomes a standard part of your vendor certification process going forward.
Security in any information system should be sufficient to mitigate its risks. However, the process of determining which security controls are appropriate and cost effective is often complicated and occasionally subjective. Information risk analysis puts this process on an objective footing to remove any questions about whether information systems are secure. InfoDefense uses a two-pronged approach to information risk analysis that is both quantitative and qualitative. Quantitative risk analysis is focused on two elements: the risk of incurring a loss and the resulting financial impact should that loss occur. Because these metrics are typically difficult to establish reliably, we generally use qualitative risk assessment to focus solely on the financial impact.
An effective security strategy requires alignment between the information security organization and business leadership. This alignment is best provided through an information security governance committee made up of technology leadership, security leadership and business executives. This steering committee has the primary task of coordinating corporate security initiatives at the executive level, providing guidance to technology and security organizations while ensuring transparency in the prioritization of strategic security initiatives. At InfoDefense, we have experienced the initiation of this committee process both from a provider and a technology and security leadership perspective. We can leverage this experience to help you identify the need and provide the justification for a security governance committee.