FAQ - About Security Policies

Why do we need an IT security policy?

Imagine automobile traffic if there were no traffic laws; if no rules defined what was right and wrong in traffic; if the same number of people drove on the left and right sides of the road. Imagine if some stopped for green lights and some stopped for red lights, while others didn't stop at all!

Traffic rules provide safer traffic. IT security rules provide IT security.

IT security rules are defined in an IT security policy. A policy defines the "IT traffic rules" of your organization. Your policy should describe how much security your organization needs. It is not necessarily true that more is better. You just need to define your proper level. You can use a risk assessment method to define what your proper level is. The results of your risk assessment are used to define or refine the contents of your security policy, and your security policy becomes the "traffic rules" of your organization.

Do I need an IT security policy, an information security policy or a security policy?

"IT security" is a subset of "information security", which in turn is a subset of "security".

Most organizations have a need to secure their information assets and, therefore, an information security policy. There is little value in having IT security without rules for secure information handling.

Whether you also need to expand your information security policy so it becomes a complete security policy depends on the individual needs of your organization. As an example, a security policy also contains rules for fire, personnel, travel safety etc.

SecureAware is designed for managing all three policy types. The data structures in SecureAware are designed to allow content categories and target groups to be mapped into your policy content. That means you can target your policies to the applicable users across IT security, information security and security.

The built-in content and structures in SecureAware allow you to build policies that comply with British and International standards. These also contain controls related to physical security.

Can we use our current IT security policy in SecureAware?

Yes. If you do so, you will be able to better communicate your current policies to your users. And you can measure whether or not they know the contents of your policies. Unknown policies offer no value, and with unknown policies it is inevitable that unwanted gaps between reality and policies appear.

Also, your current policy, or your current set of policies, needs to be implemented. The procedure library in SecureAware can be used to link your current or new procedures to your current rules and requirements.

Does it take a long time to import our current security policies into SecureAware?

That depends a lot on your current policies. If you already have a complete set of rules, then the workload you are facing is simply to implement your choices in SecureAware and perhaps add or change specific wording to comply with your normal terms. It will be a copy and paste job to a large extent.

If it turns out your current policies have some shortcomings, you may decide to implement some new policies or rules. If you do so, your decision-making process has a considerable influence on the time you spend. In such a case, SecureAware helps organize your process for considering all relevant areas and topics, and you will have a library of specific suggestions to evaluate.

If desired, Neupart or Neupart's partners can offer professional services to help you get more value out of your current policies with SecureAware.

About Neupart

Neupart, an ISO 27001 certified company, provides an all-in-one IT GRC solution allowing organizations to automate IT Governance, Risk and Compliance management. Whether you need to manage evolving business risks or achieve continuous compliance with PCI DSS, ISO 27001, Sarbanes-Oxley, CSA, ENISA or WLA SCS, Neupart allows you to respond effectively - in the cloud or on the ground. More than 300 organizations worldwide are Neupart customers, including governments, utilities, banks and insurance firms, IT service providers and lotteries.
