Security Strategy

stratsec works closely with stakeholders to derive a set of foundation principles for the new security or ICT capability.
More than ever, information security strategy is inter-connected with business strategy, and broader IT strategy. As a result, the stratsec approach to framework and strategy development is closely aligned with traditional business strategy development.

Policy and Documentation

Principles are grouped into three disciplines:

  • Governance Principles: The definition of the business rules governing the new security or ICT capability;
  • Assurance Principles: The processes that will provide confidence in the ongoing effectiveness of the new security or ICT capability to meet the needs of the business; and
  • Enabling Principles: The specification of solutions and controls that describe the procedures and technologies that will meet the needs of the business.

Our methodology ensures that security documentation is linked to the security risks faced by our clients and to their compliance requirements, and that it is fit for purpose given the intended audience. As part of our development methodology, stratsec tests the security documentation it produces to ensure:

  • coverage of the security risk and compliance requirements for the client;
  • that policy, guidelines and procedures are understandable; and
  • that policy statements are measurable such that compliance can be easily determined.

stratsec delivers security documentation in accordance with the documentation frameworks suggested in Australian Government security publications such as the ISM, or can develop documentation in accordance with the specific documentation frameworks used by our clients (e.g. ISO 27001).

We use a similar framework for the review of ICT security and related policy documentation. Our review of policy documentation links policy back to risk and compliance requirements and considers whether policy documentation is both understandable and measurable.

Strategy and planning

The stratsec approach to security strategy development is closely aligned with traditional business strategy development and can be used in the consideration of any new security and/or ICT capability including:

  • ICT Strategy;
  • ICT Security Strategy;
  • Identity Management Strategy;
  • Vulnerability Management Strategy; and
  • Continuity Management Strategy.

Our approach ensures that executives are empowered to make strategic decisions in relation to security based on the responses to five key business questions:

  • What is the capability need?
  • What is the current state of the capability within the organisation?
  • What are other organisations, industries and competitors doing?
  • What should the organisation be doing? and
  • How should the organisation get there?

The stratsec methodology for strategy development is illustrated in the figure below:

[Figure: strategy.gif, the stratsec methodology for strategy development]

Contact our Security Strategy leader if you're looking for advice and assistance with your organisation's security policy and strategy planning:

Nick Ellsmore
Chief Technical Officer
stratsec
T: +61 2 9236 7276