Website Compliance Audit

Policy Review and Development

IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to create an Information Security Program including policies and procedures designed to protect confidential information, including Non-Public Personal Information (NPPI). Incorporating numerous policies and procedures requires an in-depth level of security compliance expertise and significantly affects the organization’s staff resources.

TraceSecurity offers Policy Review and Development Services that assess an organization’s existing Information Security Policies in order to determine compliance with relevant regulations. TraceSecurity then assists the organization in developing policies that address compliance deficiencies. Each organization’s Information Security Policy should be specifically designed to address the risks identified in its Risk Assessment. TraceSecurity’s review of an information security policy will take into account Risk Assessment findings. TraceSecurity will then recommend an appropriate policy update/development project plan. TraceSecurity continuously researches and stays aware of new and updated regulations to ensure recommendations are consistent with current regulations.

TraceSecurity Information Security Policy and Standard Procedures Development includes:

  • Review of current information security policy author and ownership
  • Analysis of current information security policies and standard procedures
  • Review of information security policy and standard procedures’ adherence to applicable regulations and standards
  • Gap analysis of current information security policies and standard procedures for mapping to customer’s security policy requirements
  • Documentation of new information security policies and standard procedures
  • Review of new information security policies and standard procedures

We create the following information security policies and standard procedures that we have defined as critical for all security programs:

  • Change management
  • Patch management
  • Security monitoring
  • Server hardening
  • Desktop and laptop hardening
  • Compliance and enforcement (if applicable)
  • Data classification
  • Remote access
  • Risk analysis and assessment
  • Backup and restore
  • Personnel security
  • Data handling, marking, and retention
  • Policy, standards, process creation, approval, and maintenance

The resulting policies and standard procedures are provided as editable documents so the client can make any future changes, revisions, or updates.

Once policies are developed, the ongoing management of the policies can be time-consuming and costly. TraceSecurity has developed TracePolicy, a module of TraceCompliance Manager, to facilitate the dissemination and tracking of user acceptance. TracePolicy is sold as a stand-alone solution or as a software complement to the Policy Review and Development service.