Security Policy

In order to be effective, security policies must be clear and communicated.

The vast majority of companies fail to define and communicate the right level of policy for their organisation. All too often security policies are relegated to a subsection within a large staff handbook that new employees are asked to sign at induction but never see again.

How can you use documented policies to communicate your organisation's intent and expectations in a way that your employees can understand and act upon?

Employee Risk have developed a successful and proven model for the development and communication of policies. Our policy set is based upon industry best practice, in particular the ISO 27001 and ISO 27002 standards. Further to this, all our policies satisfy 100% of the FSA Handbook, PCI DSS, Sarbanes-Oxley and Solvency II security requirements, and as such can provide evidential support for your business's efforts to meet its compliance obligations under these standards. Our policies meet the data protection legislation obligations of most countries in the world, including the UK and USA.

Our Approach

Our policies have matured and evolved over years of feedback and discussion to become best in class. In our experience it is not practical to expect employees to wade through multiple pages of a long security policy to work out which parts are relevant to them, so Employee Risk policies are written as individual high-level statements that are easy to communicate and understand. This is why we refer to our solution as a 'policy set': our individual policies can be grouped together to communicate to specific audiences (e.g. grouping the application development policies for developers).

Ideally all the policies, if deployed properly, will have supporting guidance documentation that provides further detail on implementation. If you do not have such documentation, we suggest you look at our RiskFramework solution.

Policy set

Here is our current range of policies:

SECURITY POLICY & GOVERNANCE
Management Commitment
Information Security Policy
Information Security Standards
Industry Standards
Configuration Standards
Risk Management
Risk Register
Risk Analysis
Governance of Information Security
Information Security Function
Information Security Management Committee
Security Awareness
Legal & Regulatory Compliance
Security Audit / Review

HUMAN RESOURCES SECURITY
Prior to Employment
Screening
During Employment
Terms & Conditions of Employment
Training
Disciplinary Process
Termination Responsibilities
Return of Assets
Removal of Access Rights
Third Parties and Contractors
Security in Third Party Agreements
Confidentiality Agreements
Outsourcing

ASSET MANAGEMENT & INFORMATION HANDLING
Information Classification
Inventory of Assets
Ownership
Information Handling
Information Privacy
Retention Policy
Information Backup
Acceptable Use
General Usage
Email
Intranet
Internet
Telephone
Employee Monitoring

PHYSICAL SECURITY
Visitors
ID Cards
Out-of-hours Access
Clear Desk
Computer / Communication Rooms
Power Supply
Environmental Protection

ACCESS CONTROL
Access Control Policy
Warning Screen
Login Process
Authentication
Superuser Accounts
Shared User Accounts
Password Standard
Password Security
Unattended Computers
Review of Access

SYSTEMS MANAGEMENT
Patch Management
Malware Protection
Desktops
Inventory of Desktop Applications
Protection of Spreadsheets
Mobile Devices
Portable Storage
Servers
Database Security
Security Logging
System Monitoring

NETWORK MANAGEMENT
Service Agreements
Network Design
Network Redundancy
Network Administration
Out of Band Management
Network Documentation
Network Monitoring
Network Segregation
Intrusion Detection
Perimeter Security
External Access
Wireless Access
Remote Access
Third Party Access
Teleworking

APPLICATION SECURITY
Security Requirements
Development & Build
Quality Assurance
Change Management
Resilience
Application Login Process
Development Environments
Back-ups
Testing
User Acceptance Testing
Test Data
Installation Process
Post-implementation Review
Cryptography
Cryptographic Standard
Key Management

HANDLING SECURITY INCIDENTS
Reporting Incidents
Incident Handling
Incident Handling Team
Forensic Investigations
Incident Review

BUSINESS CONTINUITY
Business Continuity Management
Business Continuity Plans
Validation and Maintenance

You can download a sample policy here.

Guidance & Process Documents

Employee Risk provides industry-proven process and guidance documentation. This includes, but is not limited to, the following:

Incident Handling Process

Information Classification Scheme

Change Control Process

Business Continuity Process

Anti-Virus Strategy

Security Awareness Strategy

Legal & Regulatory Guide

Data Leakage Prevention

Third Party Review Process
