A security policy is a critical, and often neglected, part of a security governance program. Digital Bond has written and audited many Enterprise and Control System Information Security Policies. Our methodology is unique and extremely effective. Our policies are not documents that sit in a drawer. Rather, they are effective tools for improving and measuring security.
Digital Bond writes effective security policies tailored to each organization’s needs. In the control systems world, there is a wide variety in how active the IT Department is in control system security. There is no universal correct answer to the control system / IT interface and responsibilities, and Digital Bond’s experience with both IT Departments and Operations Departments helps our clients navigate these difficult decisions.
The Digital Bond methodology focuses on setting security classifications and required protections, providing unambiguous policy statements that are easy to understand, and developing a policy that can be audited. In fact, we provide a security policy audit document in conjunction with the policy. A policy statement that can not be audited is unenforceable and is really just a security guideline.
- Protect most critical network resources
- Proactively manage risk with appropriate security controls
- Avoid common mistakes in writing your first policy
- Audit program available from day one
Well written security documents make a security audit very straightforward. Every security requirement with a ‘must’ or ‘shall’ has a corresponding audit procedure. We offer a security audit engagement that should be performed annually by an independent team. This philosophy is similar to the annual accounting audit and is becoming a requirement in many industries.
The first audit of a security policy is often as valuable for training as it is for testing compliance. First audits typically find 50% compliance; second audits typically find 90+% compliance. The improvement is due to a better understanding of what is required and modifications to the policy after the first audit. Digital Bond recommends the first audit six months after the policy is in force and the policy training is completed.