Security policy and compliance
A security policy is a high-level document, typically owned by senior management, that defines an organisation's business and security goals and objectives. A security policy should define the overall security philosophy but not specify the technology or solution. Once it is established, it should not need revision unless there is a significant change to the goals or environment of the enterprise.
The security policy forms the basis of security standards and procedures; these then detail which solutions and technologies are used and how they are used. Therefore the security policy needs to capture the real goals of management and define the responsibilities of all stakeholders, i.e. the managers, administrators and users. It should contain enough detail that standards and procedures can be built from it, and it should also be economically viable and easy to understand.
Security policies are frequently written from a template, with little thought given to the practicalities of implementation. Obtaining real value from documenting the security policy requires careful analysis. The security policy requires:
- time invested in understanding a client's business drivers and objectives
- careful consideration of what needs to be protected and from whom
- an understanding of external factors such as the legislative framework governing a client's operations
- a pragmatic and flexible approach: providing useful, readable and workable guidelines to those developing solutions.
This is exactly the service that Castelain provides.
Castelain understands the compliance requirements for Federal Government and financial services and can help with your Gatekeeper, Basel 2 and Identrus programs. We are particularly accustomed to helping Government agencies meet the necessary Federal security guidelines, as outlined in documents such as the Attorney General's Protective Security Manual and Defence Signals Directorate ACSI-33.