Policy Assessment
The goal of every information security program is to maintain the confidentiality, integrity, and availability (CIA) of data. Policy gap analysis is a method of evaluating the information security controls currently in place and verifying that the sites and systems that process and handle information actually follow the controls defined in your corporate security policies and procedures.
Key Business Benefits
- Security Compass understands that reducing risk involves both technical and non-technical measures. Our experience with penetration testing and vulnerability assessment shows us how regulations and policies drive and affect security in practice.
- Improved compliance with regulations and control frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), COBIT, ISO/IEC 27001 and 27002 (the latter formerly ISO/IEC 17799), and GLBA.
Our Approach
Security Compass will begin a Policy Gap Analysis by evaluating the client's existing information security controls. Our consultants will collect and review relevant documentation from the client. Next, we interview key staff (users, administrators, and management) to identify undocumented practices and gain feedback. Security Compass will then compare the policies to industry best practices. We will also assess adherence to the overall principles and goals of information security:
- Principle of Least Privilege
- Defense in Depth
- Fail Securely
- Secure the Weakest Link
- Default Deny
As part of the policy gap analysis, Security Compass will also develop a set of recommendations on the next steps the client should take in revising or extending the current security policy material. These recommendations consider both the results of the gap analysis and the major threat areas facing the organization.
In addition to the security policy gap analysis, Security Compass will also assemble recommendations for developing a data classification and ownership policy. This may include role-based, process-based, or asset-based classification schemes as appropriate. Factors to consider in any data classification effort include data value, confidentiality, risk, business and regulatory requirements, and retention. Security Compass uses the interviews conducted during the security policy review to develop a better understanding of:
- The different types of data that currently exist within the organization
- Requirements that could impact data creation, handling, processing or destruction
- Data owner responsibilities and how they vary according to the data's classification or use
Deliverables
Security Compass will generate a report based on the results of the assessment. For each element found to be in non-compliance or partial compliance, Security Compass will offer policy recommendations to achieve compliance.
Where the security policy gap analysis is part of a larger engagement, Security Compass will consolidate its deliverables with those of the other components reviewed. The report will summarize the project's scope, approach, findings, and recommendations.
