Security Policy Management as a Service 

Security Policy formulation is an integral part of Security Management as a Service at SPS. It is embedded in our security management processes and conversations and assessed and managed monthly in our sessions with various stakeholders. There are four tracks: 

  • Enterprise Security Policy  

  • Application Security Policy  

  • Departmental Security Policy  

  • Compliance Security Policy

Strategy and Approach:

Regular sessions with stakeholders to cover all the bases: 

  • Phase 1: Monthly security management reviews with the Executive Sponsor and/or Security Manager: review of existing security policy to identify gaps in policy management, enforcement and improvement.  

  • Phase 2: Monthly security management sessions with Information Systems designees and technology providers: security policy review at the information system and component level. 

  • Phase 3: Monthly security management sessions with Department Heads or designees: security policy review at the departmental, functional and role level. 

  • Phase 4: Monthly security management reviews with Compliance Officers or designees: security policy review against all applicable Federal, State and Local, industry and regulatory requirements, including but not limited to HIPAA, PCI-DSS, NIST, and ISO 27001. 

The data from all these sessions is captured in CSM and dynamically published on demand. 

Sample Policies
Configuration and Maintenance Policies:
  • Change Management Policy 
  • Equipment Disposal Policy 
  • Mobile Device (BYOD) Policy 
  • Network Distribution Policy 
  • Remote Access Policy 
  • Router and Switch Security Policy 
  • Server Security Policy 
  • Software Install Policy 
  • Software Licensing Policy 
  • System Account Configuration Policy 
  • Vulnerability Management Policy 
  • Wireless Configuration Policy 
  • Workstation Configuration Policy 
Data Protection Policies and Procedures:
  • Data Backup Policy 
  • Data Classification Guide and Policy 
  • Data Encryption Policy 
Personnel Policies and Procedures:
  • Clean Desk Policy
  • End User Acceptable Use Policy 
  • Email Policy 
  • Information Security Awareness Training Policy 
  • Telework and Remote Access Policy 
  • User Account Creation and Management Policy 
  • User Password Construction and Protection Policy 
Logging Policies and Procedures:
  • Audit Policy 
  • Audit Log Review Procedure 
  • Information Logging Standard 
Here is another set of policies that may be relevant.
  • Network Security Policy 
  • Patching Policy 
  • Password Policy 
  • Supplier Security Policy 
  • Cloud Security Policy 
  • Backup and Recovery Policy 
  • Endpoint Protection Policy 
  • Security Awareness Policy 
  • Social Media Policy
  • Employment Policy  
  • Acceptable Use Policy 
  • Access Control Policy 
  • Contingency Planning Policy 
  • Data Classification Policy 
  • Change Management Policy 
  • Incident Response Policy 
  • Record Retention Policy 
  • Physical Security Policy 
  • Web Access Policy 
  • Cybersecurity Policy 

Security Policy Development – Guidelines 

A policy for information security is a formal, high-level statement that embodies the organization's course of action regarding the use and safeguarding of organizational information resources. The policy statement should communicate the organization's beliefs, goals, and objectives for information security. It also gives the organization's leaders an opportunity to set a clear plan for information security, to describe their role in supporting the organization's missions, and to state its commitment to comply with relevant laws and regulations.  

To Be Effective, an Information Security Policy Must: 

  • Require compliance (i.e., it should be mandatory for the intended audience) 
  • Be implementable (e.g., account for its impact on legacy systems and current infrastructure) 
  • Be enforceable (i.e., failure to comply should result in disciplinary action) 
  • Be brief and easy to understand 
  • Balance protection with productivity 

Also, the Information Security Policy Should:

  • State why the policy is needed (i.e., business reasons, and compliance with laws, regulations, contracts, and other policies) 
  • Express leadership support for the role of information security in carrying out the organization's missions 
  • Focus on desired behaviors (e.g., acceptable use) and outcomes 
  • Define roles and responsibilities 
  • Outline the standards and procedures to be followed 


A careful balance must be reached to ensure that the policy enhances organizational security by providing enough detail so that community members understand their expected role and contribution but not so much detail that the organization is exposed to unnecessary risk. 

Some elements to be included in information security policies include the following: 

  • Policy statement: Statement of expected behavior, actions, or outcome. The policy statement may also list exclusions (e.g., people or activities expressly excluded from applying the policy). 

  • Who the policy applies to: This section states the people, units, or departments the policy applies to. It may also list users who must follow the policy as part of their job responsibilities. 

  • Policy rationale: The reason for the policy, including any business rationale or legal or regulatory reasons for it. 

  • Policy definitions: This section should define any words of art that are used in the policy. 

  • Compliance language: This section states how the organization will enforce the policy. 

  • Person responsible: This section states who is responsible for answering questions about the policy. 

  • Related documents: This section lists any other documents related to the policy, such as standards, guidelines, or procedures, that must be consulted to follow the policy. 

  • Policy history: This section lists the revision history of the policy and any substantial changes that have occurred over time. 

Information Security Policy Frameworks 

Several frameworks can be used as a foundation for the subject matter included in an organization's information security policy. These frameworks can serve as the basis for one overarching information security policy or for smaller policies devoted to discrete information security topics.  

  • NIST 800-53/FISMA 

  • CIS Critical Security Controls 

Choosing the proper policy framework is all about what will work best for the organization and its mission. Organizations should consider the following when selecting a framework for their information security policy: 

  • What works for the organization? 

  • What has not worked before? 

  • What fits the organization’s culture? 

  • What regulatory requirements must be met? 

  • What are the organizational drivers? 

  • What future technology is on the organization’s roadmap? 

  • What resources (staff, budget, skillsets) are needed to obtain the desired outcomes? 

Policy Review And Update Process 

Most organizations will have a documented, systematic policy review process (e.g., annual review) to ensure that policies are kept up to date and relevant. In some organizations, a policy owner or manager is the individual who determines the need for a new policy or for an update to an existing one. In others, the role of policy manager may be played by the business owner (e.g., the Chief Information Officer may be the owner/manager of the information security policy). We use the term policy manager in this section. 


In most instances, the information security policy manager will review and update the policy at the required intervals or when external or internal factors call for it. The following are the most common factors that prompt a review of the organization's information security policy: 

  • Changes in Federal or State laws and regulations 

  • Changes in technology (e.g., increased use of mobile devices) 

  • Major information security project deployments (e.g., deployment of Mobile Device Management (MDM)) 

  • Audit findings 

  • Policy format changes (e.g., new policy management function and process) 

  • Increased reliance on third-party service providers (e.g., outsourcing, cloud) 

  • New business practices (e.g., online education, telecommuting, telemedicine) 


At a minimum, the policy manager must: 

  • Document needed changes 

  • Make changes to a draft version of the policy 

  • Ensure stakeholder review if necessary. For instance, if the policy changes are significant or alter the intent of the original policy, the policy manager will want to ensure the changes are vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources (if applicable), and any other applicable steering committee. 

  • Publish, communicate, train, and implement according to the organization’s policy management process. 

Standards, Guidelines, and Procedures 

Policies are not the only documents that end users should look to when trying to understand an organization’s information security stance. While policies may state the high-level organizational goals around expected information security behaviors and outcomes, other documents may be used to state a threshold of acceptable behavior, step-by-step processes to follow, or recommended (but not required) actions to take. You may see these other types of documents used in an organization’s information security program to supplement information security policies. The hierarchy for organizational governance documents is typically: 

  • Policies: The highest level of governance document. Policies typically have general applicability and rarely change (or are hard to change). They are leadership's high-level statement of information security goals and expectations. 

  • Standards: Standards state the actions needed to meet policy goals. They are more specific than policies and easier to update in response to changing circumstances. Often standards set the minimum level of action needed to comply with a policy. 

  • Procedures: Procedures are often step-by-step checklists that are particular to a task, technology, or department. They are easily updated in response to changing technical or business influences. 

  • Guidelines: Guidelines are documents that specify recommended actions and advice. Organizational employees may not be required to follow guidelines as part of their jobs, but the guidelines are shared in order to promote good information security hygiene practices. Guidelines are flexible and easily updated. 


Our experts and proven frameworks provide deep understanding of business and compliance needs. Govern and protect your business, data, users and assets. Deliver trust when you connect policy, analytics and controls across your entire business. Identify and respond to threats quickly and confidently. AI provides continuous insights to find critical threats faster and respond more efficiently. Security implications change as workloads move from on-premises to cloud. Automate, centralize and simplify with cloud security services. 

An updated cybersecurity policy is a key security resource for all organizations. Without one, end users can make mistakes and cause data breaches. A careless approach can cost an organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.