Information Security Governance

Client: Insurance Services
An organization with an existing Information Security group wanted to mature that function beyond its current state. Savant Advisory Inc. was brought in to help.

The first logical step was to undertake an Enterprise Security Assessment. This process uses a subset of IT Governance to identify the areas that should be reviewed. Once those areas were identified, interviews were set up, documents were gathered and other resources were referenced. Within the report, a mechanism to gauge Risk Level was created so that the findings would be widely understood when the report was presented. The report was drafted and provided to management for comment. A number of items were identified through this process, so it was determined that a strategy was required to lay out how the organization might go about maturing the identified areas.

The Strategy was developed and linked directly to the areas noted in the Enterprise Assessment. This gave the organization not only a path to maturing the areas noted in the Assessment, but also a view of the entire Information Security structure and how it could grow as a whole. Both the Assessment and the Strategy were presented to management, including the CIO.

One specific item noted in the Assessment was the confusing condition of the Information Security Policy. Most IT organizations do not do this very well. The documents reviewed mixed Policy, Standards and Procedures into a single document: policy statements that express management's intent, standards that set the mandatory requirements for meeting that intent, and procedures that describe the steps for carrying them out. Combining them made the document not only difficult to read and understand, but also made it difficult for readers to find what they were looking for. Savant Advisory Inc. began by deconstructing the existing document into its natural components and then compared the result to existing IT Governance and IT Security frameworks. This allowed the revitalization process to confirm that all the appropriate areas were covered. Once completed, a Policy document (made up of 21 Policy Statements), a series of more than 30 draft Standards documents and a few appropriate Procedural documents were presented.