Policies and Compliance

A security policy is an enterprise-wide set of rules of operation to establish measures to protect an organization’s information assets. It defines authorization levels; more importantly, it sets out the limits for normal operations. All information, regardless of the industry or size of the company, must be protected and addressed in a security policy. Without these boundaries, there can be no security within an organization.

DigitalDefence provides the strategic and technical support needed to evaluate and implement your security policies, processes, and controls. We understand the tradeoffs between cost and security, and can bring an objective view to the policy authoring process, help you to identify any gaps, and support you in creating an Information Security policy that reflects the most effective industry practices and the legal and regulatory requirements.

Using our proprietary process, which maps the standards directly to existing and planned business processes, we can highlight the benefits of compliance and facilitate its acceptance across an organization. In addition, we ensure that your Information Security policy and its supporting documents are fully compliant with all required Canadian and International laws and regulations.

The Policies and Compliance service is recommended for clients when:

  • No policies are presently in place; policies and procedures are created, used and distributed in an ad hoc fashion
  • Policies have not been reviewed to ensure alignment with strategy, business practices, new technologies, or new business situations (e.g. merger or acquisition)
  • Protection of business information is critical to success
  • Ongoing need for employees (internal and external), contractors and vendors to have broad access to sensitive information
  • Potential for monetary loss or embarrassment due to security problems
  • Policies have been in place for a long time, and need review to ensure they meet changes in technology and most effective practices

Our Policies and Compliance service is built on the following services:

Risk Assessment – DigitalDefence conducts risk assessments and manages the identified risks using different methodologies, dependent on the final goal of the process:

Threat Risk Assessment, TRA – The Harmonized TRA Methodology, recommended for use by the Canadian Federal Government, is a quantitative risk assessment of a particular line of business or a specific project. It provides a specific risk value, facilitating the cost-driven implementation of controls.

Facilitated Risk Assessment Process, FRAP – A FRAP takes a semi-quantitative approach to risk assessment. It relies on the deep knowledge of your own experts to identify risks and assess their importance to the organization. It provides a faster and more cost-effective approach to risk assessment than a formal quantitative approach such as a TRA.

Policies and Practices – Your Information Security Policy is the single document that translates corporate strategic decisions into your organization’s security posture. DigitalDefence can help you with:

  • Defining your organization’s information security strategy and goals to support business objectives
  • Reviewing your internal governance structure and roles that support security and privacy management
  • Developing new Information Security Policies, identifying gaps in your existing policies, or providing an objective review of policies to ensure they support business objectives in an increasingly hostile digital world
  • Developing the practices, standards, and guidelines that support the Information Security Policy
  • Managing security programs, including project planning and project management
  • Developing and implementing a program to ensure corporate awareness of the Information Security Policy and supporting practices

Regulatory Compliance – DigitalDefence has a strong focus on the domestic and international standards that govern data privacy and security.

Our proprietary methodology is based on a scorecard approach that is designed to be rapid, accurate, and repeatable. It supports gathering the metrics that allow you to measure improvements to your organization’s privacy and security. These metrics allow you to measure your progress towards full compliance. Our clients benefit from:

  • A fast and cost-effective strategy for achieving compliance
  • Access to industry-leading knowledge about regulatory standards and best practices
  • Raised internal awareness of information security risks and regulations, which serves as the foundation for internal security awareness

DigitalDefence supports the following security and privacy regulations, frameworks, and standards:

Canadian

PIPEDA
Canadian Federal Government Security Policy
Province of British Columbia Information Security Policy
Province of Ontario Information and Technology Standards, especially GO-ITS 25

United States of America

California Senate Bill 1386 (the “Breach Act”) and similar Acts by other USA states
Gramm-Leach Bliley Act, GLBA
Health Insurance Portability and Accountability Act of 1996, HIPAA
National Institute of Standards and Technology (NIST) standards
Sarbanes-Oxley Act, SoX

International

Control Objectives for Information and Related Technology, CobiT
ISO 27001:2005, Information Security Management System standard
IT Infrastructure Library, ITIL
Open Web Application Security Project, OWASP
PCI Data Security Standard, PCI-DSS
Standard of Good Practice for Information Security, Information Security Forum

Copyright © 2008 DigitalDefence, Inc. | 302 - 3310 South Service Road, Burlington, Ontario L7N 3M6 | Tel 905-681-3310 | Toll-Free 866-677-1337