FAQ - About Security Policies
Why do we need an IT security policy?
Imagine automobile traffic if there were no traffic laws; if no
rules defined what was right and wrong in traffic; if the same
amount of people drove on the left and right sides of the road.
Imagine if some stopped for green lights and some stopped for red
lights, while others didn't stop at all!
Traffic rules provide safer traffic. IT security rules provide
IT security.
IT security rules are defined in an IT security policy. A policy
defines the "IT traffic rules" of your organization. Your policy
should describe how much security your organization needs. It is
not necessarily true that more is better. You just need to define
your proper level. You can use a risk assessment method to define
what your proper level is. The results of your risk assessment are
used to define or refine the contents of your security policy, and
your security policy becomes the "traffic rules" of your
organization.
Do I need an IT security policy, an information security policy
or a security policy?
"IT security" is a subset of "information security" which again
is a subset of "security".
Most organizations have a need to secure their information
assets and, therefore, an information security policy. There is
little value in having IT security without rules for secure
information handling.
Whether you also need to expand your information security policy
so it becomes a complete security policy depends on the individual
needs of your organization. As an example, a security policy also
contains rules for fire, personnel, travel safety etc.
SecureAware is designed for managing all three policy types. The
data structures in SecureAware are designed to allow content
categories and target groups to be mapped into your policy content.
That means you can target your policies to the applicable users
across IT security, information security and security alike.
The built-in content and structures in SecureAware allow you to
build policies that comply with British and International
standards. These also contain controls related to physical
security.
Can we use our current IT security policy in SecureAware?
Yes. If you do so, you will be able to better communicate your
current policies to your users. And you can measure whether or not
they know the contents of your policies. Unknown policies offer no
value, and with unknown policies it is inevitable that unwanted
gaps between reality and policies appear.
Also, your current policy, or your current set of policies,
needs to be implemented. The procedure library in SecureAware can
be used to link your current or new procedures to your current
rules and requirements.
Does it take a long time to import our current security policies
into SecureAware?
That depends a lot on your current policies. If you already have
a complete set of rules, then the work load you are facing is
simply to implement your choices in SecureAware and perhaps add or
change specific wording to comply with your normal terms. It will
be a copy and paste job to a large extent. The more your current
policies are based on the structures of BS7799 or ISO 17799, the
easier it will be to migrate.
If it turns out your current policies have some shortcomings,
you may want to implement some new rules. If you do so, your
decision-making process strongly influences the time you
spend. In such a case, SecureAware helps organize your process for
considering all relevant areas and topics, and you will have a
library of specific suggestions to evaluate.
If desired, Neupart or Neupart's partners can offer professional
services to help you get more value out of your current policies with
SecureAware.
We do not have any InfoSec policies; why should we use
SecureAware?
For many of the same reasons as if you had policies. Not to
mention that using SecureAware to create your first policies saves
you a lot of time. SecureAware contains objects with template
content that you can enable, disable or modify to fit your needs. The
objects are structured in accordance with BS7799 and ISO 17799 in
order to ensure that you address all aspects of your security
program.