
Slide 1: Develop and Deploy Security Policies
Enhance your overall security posture while using time, money, and resources effectively.
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2015 Info-Tech Research Group Inc.

Slide 2: Our Understanding of the Problem
This research is designed for a CISO who is dealing with the following:
- Informal, ad hoc security policies (if any).
- Lack of compliance and accountability with current policies.
- Out-of-date and irrelevant policies.
- Preparing for an audit of security policies.
This research will help you:
- Identify and develop security policies that are essential to your organization's objectives.
- Verify and optimize proposed policies.
- Integrate security into your corporate culture while maximizing compliance and effectiveness of the security policies.
- Maintain and update the policies as needed.
This research will also assist business stakeholders who are responsible for the following:
- Ensuring efficiency and productivity are not affected by integrating additional security policies into the daily routine of employees.
- End users acquiring awareness and training on security policies in order to protect corporate assets.
This research will help them:
- Save time and money in developing and deploying an effective security policy by using templates to minimize security risks.
- Effectively communicate and train users on complying with new security policies.

Slide 3: Case study: a small digital marketing company needed to learn the value of full-circle policy development and enforcement
The organization began its policy strategy by acknowledging the need to formalize.
Challenges: "You don't know what you don't know." The director of infrastructure was unsure of where to start with developing the organization's formal information security policies, what the current state of policies was, or which gaps needed to be filled with policies. The organization also needed to be able to demonstrate to customers that it had proper security procedures in place to protect their data.
Next steps:
- Determine what policies the organization has and what gaps need to be filled.
- Understand how to improve the overall security policy strategy, with accompanying processes, to come full circle with implementing better security practices in general.
Follow this case study throughout the deck to see this organization's results.

Slide 4: Security breaches are inevitable and costly for every organization
- Targeted attacks cost $92,000 for small/medium businesses and $2.4 million for large businesses.
- Serious security incidents cost $50,000 for small/medium businesses and $649,000 for large businesses.
- In 2013, 91% of companies had at least one external IT security incident and 85% had internal incidents.
Security policies can help reduce security breaches and data loss by helping employees adhere to safe and secure processes.
Security breaches exploit people, process, and technology. Security measures help lessen the impact. Their common thread? Policies. [Figure: Policy at the center of People, Process, and Technology]
Source: Kaspersky, Global Corporate IT Security Risks, 2013

Slide 5: The real challenge with security policies isn't development; it's the communication, enforcement, and maintenance of them
Many companies have security policies, but drop the ball at later stages of the process. 86% of companies have security policies, but:
- Only 40% of non-IT employees are aware of these policies.
- 46% of companies reported insufficient time and resources to update or implement policies.
- 77% of IT professionals believe their policies need improvement and updating.
A security policy is a formal document that outlines the required behavior and the security controls in place to protect corporate assets. The policy lets employees know what is required of them and allows management to monitor and audit their security practices against a defined standard. Formally documented policies are often required for compliance with regulations.
Developing the policy documents is an ambitious task, but the real challenge comes later in the process. Unless the policies are effectively communicated, enforced, and updated, employees won't know what is required of them and will not comply with essential standards, making the policies powerless.
Source: Kaspersky, Global Corporate IT Security Risks, 2013

Slide 6: Security policies are the foundation of any comprehensive security strategy
As part of an organization's overall governance program, security policies add legitimacy to security technology and processes, and provide clear accountability, ownership, and transparency for audit purposes.
[Figure: security services model]
- Security Governance Services: security policies, information risk management, InfoSec compliance, incident response; staffing, training, organization, policy, architecture.
- Security Analytics.
- Network Security Services: NGFW, IDPS, network DLP, NAC, etc.
- Identity Security Services: IdM, SSO, MFA, UP/DP, etc.
- Asset Security Services: data, endpoints, apps.
- Advanced Persistent Threat Protection.
- Mega trend mappings: cloud, mobility, big data, consumerization/BYOX.

Slide 7: Executive Summary
Situation:
- Security breaches are inevitable and costly. Standard policies and procedures must be in place to limit the likelihood of occurrences and to ensure there are processes to deal with issues efficiently and effectively.
- Time and money are wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy.
- Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities and compliance requirements, are rarely comprehensive, and are inefficient to revise and maintain.
Complication:
- End users do not traditionally comply with security policies. Awareness and understanding of the security policy's purpose, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
- Adhering to security policies is rarely a priority for users, as compliance often feels like an interference with daily workflow.
Resolution:
- Comprehensively developed and effectively deployed security policies enable IT professionals to work proactively rather than reactively, benefiting the entire organization, not only IT.
- Formally documented and enforced policies are key to demonstrating due diligence, proactive threat reduction, and overall compliance consistency.
- Security policies and procedures must be integrated into job descriptions and employee routines.
Info-Tech Insight:
- Employees often treat security as a lower priority than short-term productivity and revenue generation.
- Security policies are living documents that require reviews and updates to maintain relevance. If policies do not work, they have to change or the behavior has to change.
- Communication and enforcement of policies are often the greater challenges. Developing policies can be standardized, but the human aspects of compliance with policies are more difficult to predict and control.

Slide 8: Workshop Overview
This workshop can be deployed as either a four- or five-day engagement depending on the level of preparation completed by the client prior to the facilitator arriving onsite. The light blue slides at the end of each section highlight the key activities and exercises that will be completed during the engagement with our analyst team. Contact your account representative or email Workshops@InfoTech.com for more information.
Day 1 (Workshop Preparation): Analyst day to prepare material. Conduct interviews. Discover specific pain points with respect to security policies where Info-Tech can assist. Review existing security policies. Map existing policies to our framework.
Day 2: Morning: Define the need for policies. Discuss methods for acquiring buy-in; customize the template. Identify the target goals of security policies based on business requirements. Afternoon: Identify the current maturity of your security policies. Discuss recommended actions to reach the target state. Prioritize your policy implementation.
Day 3: Morning: Understand the hierarchy of the policy suite. Develop the governing Information Security Policy Charter. Afternoon: Develop the relevant security policies. Discuss the purpose of, and tips for, developing a test group.
Day 4: Morning: Understand the need for awareness and training on policies. Discuss communication best practices. Review the training and awareness template deck. Afternoon: Understand the need for enforcement. Discuss enforcement best practices. Set goals and determine success metrics for enforcement. Understand the review and update process.
Day 5 (Workshop Debrief): Review the customized policy templates. Send along any relevant documentation to relevant parties. Next steps: Schedule a review call. Schedule a follow-up call with analysts to discuss progress two months out.

Slide 9: The value of security policies can be found beyond just increasing security
Impact:
- Enhanced overall security posture: fewer security incidents and more uptime of applications, as issues are pre-emptively avoided.
- Better preparation for auditing and compliance requirements.
- Increased operational efficiency.
- Increased accountability.
This blueprint applies to you whether your needs are developing policies from scratch or optimizing and updating your existing security posture.
Value of developing security policies:
- Short term: Save time and money using the templates provided to create your own customized security policies.
- Long term: After the initial policy development, minimal updates will be required to keep the policy current. Long-term maintenance of, and compliance with, the policy will ensure legal and corporate satisfaction with security measures.
Value of Info-Tech's security policy blueprint:
- Pre-made templates (based on best practices and our experience).
- A comprehensive process surrounding policy development.
- A strategy for effective communication and enforcement of policies.
- The opportunity to work with an analyst to guarantee policy quality.

Slide 10: Security policies are essential to organizations of every size
Your policy requirements may differ, but the general drive is more security. Security policies are applicable to all verticals. The following industries are notable examples: finance, insurance, health care, public administration, education services, professional services, scientific and technical services.
Info-Tech Insight: Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance is applicable to all organizations and vulnerabilities affect all sizes as well. Small organizations partnering with clients or other organizations are sometimes targeted by attackers as a convenient proxy route into those partners.
Compliance standard examples:
- PCI DSS: Implement strong access control measures. Regularly monitor and test networks.
- Gramm-Leach-Bliley Act (GLBA): Financial institutions must provide customers with notice of their privacy policies, and must safeguard the security and confidentiality of customer information.
- HIPAA: Protects the privacy of individually identifiable health information. Sets standards for the security of electronic protected health information.
If your organization has any compliance requirements, security policies can be mandatory.

Slide 11: Security Policies: Project Overview
Phase 1: Assess & Prioritize Policies
Best-practice toolkit:
1. Acquire key stakeholder support.
2. Identify the target state of your security policies to meet business requirements, and the current state of security policies.
3. Perform gap analysis.
4. Prioritize implementation.
5. Map your existing policies to our policy framework.
Guided implementations: Project kick-off and acquire stakeholder buy-in. Establish business requirements and conduct gap analysis. Prioritize the implementation of the policies.
Onsite workshop: Module 1 (workshop pre-work): potential policy review (if there is an existing set); potential policy mapping. Module 2 (assess & prioritize): if starting from scratch, we'll work through requirements; with existing policies, we will perform a gap analysis and identify policy gaps.
Phase 1 results: Secure stakeholder support. Identify the target state of policies based on business requirements. Prioritize recommendations of policies to implement.

Phase 2: Develop Policies
Best-practice toolkit:
1. Understand the hierarchy of the policy suite.
2. Develop the governing Information Security Policy Charter.
3. Develop the relevant security policies.
4. Gather feedback from users to assess the feasibility of the new policies.
Guided implementations: Develop the governing Information Security Policy Charter. Develop the relevant security policies and gather feedback.
Onsite workshop: Module 3 (develop policies): spend time customizing required policies.
Phase 2 results: Complete the governing security charter and policies.

Phase 3: Communicate & Enforce Policies
Best-practice toolkit:
1. Understand the need for a security policies communication program.
2. Leverage best practices.
3. Communicate both awareness and training on new policies to employees.
4. Understand the need for policy enforcement.
5. Set goals and determine success metrics.
Guided implementations: Communicate awareness and training on new policies. Set goals and determine success metrics.
Onsite workshop: Module 4 (communicate, enforce, & review): establish a plan for communication and enforcement based on best practices; discuss how to review your policies effectively.
Phase 3 results: Foster security awareness, understanding, and training within the organization. Achieve compliance with policies.

Phase 4: Review & Update Policies
Best-practice toolkit:
1. Understand the need for regular review and update.
2. Measure the effectiveness of security policies within your organization.
3. Develop an action plan to update the existing policy suite and implementation process.
Guided implementations: Measure the effectiveness of the policies. Develop an action plan for updates.
Onsite workshop: the review portion of Module 4 (communicate, enforce, & review).
Phase 4 results: Measure the effectiveness of new policies.

Slide 12: Info-Tech Research Group helps IT professionals to:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions, fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department
Sign up for a free trial membership to get practical solutions for your IT challenges: www.infotech.com. Toll free: 1-888-670-8889.
"Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment." - ARCS Commercial Mortgage Co., LP

