Information Security Policy Frameworks

We help Government Agencies and private enterprises enhance the performance of their security teams by leading transformation programmes. We are highly experienced at designing Target Operating Models (TOMs) that present a high-level structure of how security teams would operate in the future to better support business needs. We group security services in the TOM under the Governance, Delivery and Assurance categories. We use the RACI responsibility assignment model to define security accountability and responsibility. We also improve teamwork by identifying the teams that are consulted and informed of security decisions.

Gap Analysis

Drawing on global standards such as ISO/IEC 27001, we begin our work with a gap analysis to evaluate the current cybersecurity model against the Target Operating Model. Whilst the needs of the client determine the in-scope areas, we typically focus the gap analysis on four areas:

Area 1 — Security Organisation

Under Governance, we assess whether the model assigns the Board or top leaders ultimate accountability for security. We then evaluate whether the model enables the Board to delegate security responsibility to officials or roles such as Departmental heads, security officers and accreditation managers, all the way down to staff and contract end-users. Under the Delivery heading, we assess whether the model ensures that the required activities occur to support governance goals for security. Lastly, under Assurance we assess whether the activities under the current model meet business requirements. Based on the outcome and your requirements, we may either design a new security TOM or enhance an existing one by closing the noted gaps. We ensure that all TOM activities are practical and relevant to your needs.

Area 2 — Securing Information

We determine whether your current operating model ensures that information assets receive appropriate protection based on their sensitivity, value to the organisation and criticality. Under Governance, we evaluate the activities and requirements in place to ensure that internal users, delivery partners and suppliers safely and securely store, process, transmit and destroy sensitive information assets. We also consider whether accountability for securing information lies with top leadership. Additionally, we assess whether the model has top leadership delegate responsibility to all end-users. In terms of Delivery, we help assess whether all cybersecurity stakeholders abide by the data handling requirements. Lastly, we assess whether a process exists to measure compliance with the business requirements for securing information.

Area 3 — Personnel Security

We assess whether the model helps you gain confidence in the trustworthiness, integrity and reliability of employees, contractors and temporary staff. Under Governance, we evaluate accountability and responsibility for the measures that prevent unsuitable and unreliable individuals from gaining access to critical assets. Under Delivery, we review the activities that implement personnel security measures. Finally, under Assurance, we assess the activities that help ensure those measures meet business needs.

Area 4 — Physical Security

Critical information infrastructure sectors rely upon physical assets such as buildings, roads, plants and pipes. Our review therefore assesses the Governance, Delivery and Assurance services aimed at protecting these assets against crime, espionage, natural disasters and terrorist threats.