Policy and Documentation
stratsec works closely with stakeholders to derive a set of foundation principles for the new security or ICT capability. Principles are grouped into three disciplines:
- Governance Principles: The definition of the business rules governing the new security or ICT capability;
- Assurance Principles: The processes that will provide confidence in the ongoing effectiveness of the new security or ICT capability to meet the needs of the business; and
- Enabling Principles: The specification of solutions and controls that describe the procedures and technologies that will meet the needs of the business.
Our methodology ensures that security documentation is linked to the security risks faced by our clients and to their compliance requirements, and that it is fit for purpose given the intended audience. As part of our development methodology, stratsec tests the security documentation it produces to ensure:
- coverage of the security risk and compliance requirements for the client;
- that policy, guidelines and procedures are understandable; and
- that policy statements are measurable such that compliance can be easily determined.
stratsec delivers security documentation in accordance with the documentation frameworks suggested in Australian Government security publications such as the ISM, or can develop documentation in accordance with specific documentation frameworks used by our clients (e.g. 7799).
We use a similar framework for the review of ICT security and related policy documentation. Our review of policy documentation links policy back to risk and compliance requirements and considers whether policy documentation is both understandable and measurable.
Strategy and planning
The stratsec approach to security strategy development is closely aligned with traditional business strategy development and can be used in the consideration of any new security and/or ICT capability including:
- ICT Strategy;
- ICT Security Strategy;
- Identity Management Strategy;
- Vulnerability Management Strategy; and
- Continuity Management Strategy.
Our approach ensures that executives are empowered to make strategic decisions in relation to security based on response to five key business questions:
- What is the capability need?
- What is the current state of the capability within the organisation?
- What are other organisations, industries and competitors doing?
- What should the organisation be doing? and
- How should the organisation get there?
Contact us if you're looking for advice and assistance with your organisation's security policy and strategy planning.