安全政策的策畫與發展

本報告不管是在安全政策開發階段、或選擇適用於目前需求的最新方案時皆可使用。

開發安全政策的優點

• 強化整體安全：提早避免問題、減少安全狀況、延長應用的運作時間。
• 可強化監查與法令要求遵守的事項。
• 提高業務效率。
• 改善對於責任的說明。

本調查報告的優勢

• 可使用已完成的範本(以最佳實例與Info-Tech的經驗為基準) 。
• 掌握與政策開發相關的整體流程。
• 促進有效的溝通與實施政策的策略。
• 透過分析師的協助實施更高品質的政策。

本調查報告可支援以下安全部門負責人的問題：

• 臨時引進必要的非公式安全政策。
• 目前的政策無法遵守法令並說明相關責任。
• 政策已過時。
• 準備安全政策監查。

本報告提供最佳實例調查、實例分析、IT政策範本等Word檔案、在撰寫計畫時非常有幫助。另外還提供安全政策優先順序設定與IT政策方案成熟度評價等2種Excel資料工具類。

A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.

The policy allows employees to know what is required of them and allows management to monitor and audit their security practices against a standard policy.

Formally documented policies are often required for compliance with regulations.

The development of the policy documents is an ambitious task, but the real challenge comes later in the process.

Unless the policies are effectively communicated, enforced, and updated employees won't know what's required of them and will not comply with essential standards, making the policies powerless.

86% of companies have security policies but only 40% of non-IT employees are aware of these policies. 46% of companies reported insufficient time and resources to update or implement policies. 77% of IT professionals believe their policies need improvement and updting.

This blueprint applies to you whether your needs are developing policies from scratch or optimizing and updating your security posture.

Value of developing security policies:

• Enhanced overall security posture: fewer security incidents and more uptime of applications, as issues are pre-emptively avoided.

• Better prepared for auditing and compliance requirements.

• Increased operational efficiency.

• Increased accountability.

Value of Info-Tech's security policy blueprint:

• Pre-made templates (based on best practices and our experience).
• Comprehensive process surrounding policy development.
• Strategy around effective communication and enforcement of policies.
• Opportunity to work with an analyst to guarantee policy quality.

Short term: Save time and money using the templates provided to create your own customized security policies.

Long term: After the initial policy development, minimal updates will be required to ensure the policy remains up to date. Long-term maintenance and compliance of the policy will ensure legal and corporate satisfaction of security measures.

This research is designed for a Security leader who is dealing with the following:

• Informal, ad hoc security policies (if any).
• Lack of compliance and accountability with current policies.
• Out-of-date and irrelevant policies.
• Preparing for an audit of security policies.

The blueprint includes best-practice research, case studies, and IT policy templates in Word to help you get your project started. Also included two Excel based tools to prioritize security policies and assess the maturity of your IT policy program.

Executive Summary

This research will help you:

• 1. Identify and develop security policies that are essential to your organization's objectives.

• 2. Verify and optimize proposed policies.

• 3. Integrate security into your corporate culture while maximizing compliance and the effectiveness of the security policies.

• 4. Maintain and update the policies as needed.

Situation:

• Security breaches are inevitable and costly. Standard policies and procedures must be in place to limit the likelihood of occurrences and ensure there are processes to deal with issues efficiently and effectively.

• Time and money are wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy.

Complication:

• Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities and compliance requirements, are rarely comprehensive, and are inefficient to revise and maintain.

• End users do not traditionally comply with security policies. Awareness and understanding of what the security policy's purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.

• Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow.

Resolution:

• Comprehensively developed and effectively deployed security policies enable IT professionals to work proactively rather than reactively, benefitting the entire organization, not only IT. Formally documented and enforced policies are key to demonstrate due diligence, proactive threat reduction, and overall compliance consistency.