Policy Development: The security objective and core principles provide a framework for the first critical step for any organization – developing a security policy.
Roles and Responsibilities: For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all.
Design: Once a policy has been approved by the governing body of the organization and related roles and responsibilities assigned, it is necessary to develop a security and control framework that consists of standards, measures, practices, and procedures.
Implementation: Once the design of the security standards, measures, practices, and procedures has been approved, the solution should be implemented on a timely basis, and then maintained.
Monitoring: Monitoring measures need to be established to detect and ensure correction of security breaches, such that all actual and suspected breaches are promptly identified, investigated, and acted upon, and to ensure ongoing compliance with policy, standards, and minimum acceptable security practices.
Awareness, Training, and Education: Awareness of the need to protect information, training in the skills needed to operate information systems securely, and education in security measures and practices are of critical importance for the success of an organization's security program.
SACfIS Unique Approach
Our approach is driven by an organization's unique business objectives, not technology- or symptom-driven objectives, which helps to ensure security controls are implemented only in response to validated needs. In addition, repeatable processes collect data in a structured manner to provide quantitative results that can display performance trends over time.
Based on international best practice security standards, our approach builds trust among external and internal stakeholders, positioning the organization as a responsible corporate citizen in terms of information security governance and compliance.