Information Security Policy & Standards Design
A cyber or information security management system has to identify and specify what is necessary for the security of the organization, who is responsible for doing it, how those people can find out what has to be done, and how "doing what is necessary" will be measured and enforced.
Benefits of Appropriate Security Policies & Standards
- Encompassing your legal & regulatory requirements
- Customized to your risk tolerance
- Efficiency: a clear baseline that is aligned to your business practices and capabilities
TelaFortis's Experience
Standards-based policy design
Developed enterprise IT security policy frameworks, including one for a Fortune 100 multinational corporation, based on ISO 27002 and integrated with corporate operational, architectural, process control, continuity and physical security standards.
Familiar with aligning security policy and governance frameworks with international standards, e.g. ISO 27002, NERC CIP-001 through CIP-009, PCI-DSS and COBIT.
Cross-organization policy consultation & alignment
Familiar with cross-aligning policies and standards across the objectives of IT security, physical security and crisis & continuity management; the enterprise regulatory environment; and enterprise risk management frameworks, including alignment with Sarbanes-Oxley, PCI-DSS and NERC CIP requirements.
Scott MacMillan has authored core IT security policies addressing governance and compliance, including enterprise baseline IT security operating practices, corporate acceptable use practices, and enterprise information classification and handling standards.
Policy compliance & governance
As IT Security Policy & Standards Manager for a Fortune 100 multinational, Scott MacMillan was accountable for:
- Establishing and maintaining the corporate portal for IT application and system security risk management, security policy management and compliance.
- Liaison to the corporate IT internal control and compliance office for alignment and integration of IT security policy and controls with SOX and PCI-DSS requirements.
- Liaison to the corporate management system architecture group for alignment of business unit operating standards with enterprise IT and physical security, crisis and continuity, and information & records management requirements.
- Consultation and coordination with technical and non-technical corporate functions (IT/HR/Legal/Compliance & Ethics) to ensure mutual understanding of, and agreement to, security requirements as well as non-security requirements and limitations.