Scanit - The security company

IT Governance

Effective information security is not just a technical issue; it requires an enterprise-wide approach. The main reasons are that its scope should not be limited to electronic information alone, and that security should be driven by the organisation's business objectives rather than by technology. Security also needs visible, sustained support from top management.

Apart from these considerations, regulatory requirements such as corporate governance codes (e.g. Sarbanes-Oxley) and privacy protection laws (e.g. the EU data protection directive and the national legislation implementing it) contribute to a growing need for security to be managed at the executive level.

To assist you with these topics, Scanit offers dedicated consultancy related to the ISO/IEC 27001 standard, and to security policies.

ISO 27001 Consultancy

The growing need for management-level security identified in the introduction is codified, among other places, in the international standard ISO/IEC 27001:2005.

This standard defines an information security management system (ISMS), the objective of which is to provide a process for the continuous monitoring and improvement of an organisation's security. The objective is similar to what the ISO 9000 standards aim to achieve for quality management. An organisation can also be certified as conformant to the standard, and such certification may serve as proof to other parties of the organisation's commitment to information security.

Scanit can assist you in the establishment and maintenance of such an information security management system.

In the establishment phase, this assistance can range from helping you set up an adequate organisational structure to aiding you in the development of a risk assessment framework. We can also help you create the required policies and ensure that the documentation mandated by the standard is in place.

Consultancy after the establishment phase usually relates to the internal audit process required by the standard. Scanit can provide the necessary know-how and guidance in setting up your audit plan and in executing the audits.

Policy Creation

Well-managed information security starts with basic security policies. These provide visible evidence of management's commitment. They also define a baseline for acceptable behaviour and the minimum security levels that must be respected throughout the organisation.

Creating such a policy can at first seem a daunting task. Scanit can ease this process through our information security know-how and our experience with best-practice guides such as the ISF's Standard of Good Practice for Information Security, ISO/IEC 17799 (since renumbered ISO/IEC 27002) and ISO/IEC 27001.

Through a number of workshop sessions we will help you create a policy that is implementable and that takes into account your specific threat environment, your corporate culture and current best practices. Specific regulatory requirements, such as those imposed by the Belgian CAO 81 (the collective labour agreement governing the monitoring of employees' electronic communications), will also be taken into account.

Policy Check-up

A security policy is a living document. Not only does it need to be kept up to date, it also needs to be implemented and enforced throughout the organisation.

For existing policies, Scanit can offer a policy check-up audit. Such a project typically consists of three phases.

The first phase starts with the creation of an inventory of the existing policies. Next, we analyse how these policies relate to each other, to your organisation and to the various security domains. A sanity check is then performed to identify areas where policies conflict, or areas that are insufficiently covered.

In the second phase, the security controls that enforce the different policy items are identified. A verification is then performed to find policy areas that are not covered by any actual security control, and controls that do not relate to any policy.

Lastly, the security controls are verified on a sample basis, with priority given to high-risk areas, to check that they are correctly implemented and effective.