Welcome.
Information Security
Protect your information assets.
Reduce your Information Security Program development time by months with this collection of supporting documents. Company tested in real-world environments.
Note: We are a Canadian company that provides a complete set of documents to support your information security program; all prices are in US dollars ($US).
Check out the categories of documents to the upper right (Policy, Standards, Guidelines, ...) or for a detailed list of the documents click on the "Product Index" link at the bottom-center of this page.
An organization utilizes four major asset types: people, information, infrastructure, and money. To survive in today's world an organization must properly manage all of its assets, and "to manage" something implies the need "to secure" it. The set of documents available here are designed to help an organization quickly put together the policy, standards, and guidelines needed to implement an Information Security (IS) program.
Large "P" policy vs. small "p" policies: in many cases the word "policy" is overused in information security to refer not only to what should truly be a high-level statement but also to what are actually standards and guidelines. So, if you're looking for an information classification policy or an information asset profiling policy, refer to our standards section. If you want an information security labelling and handling policy or a threat risk assessment policy, refer to our guidelines section. In many cases you will find that one of our standards or guidelines covers what, from other suppliers, is a whole list of "policies".
An IS program cannot concentrate only on information stored on electronic technology; it must also include paper, microform documents, and the spoken word. To protect your information assets you must determine both their sensitivity and their criticality. Sensitivity, in a sense, refers to confidentiality, whereas criticality refers to both integrity and availability (together, confidentiality, integrity and availability are called the CIA triad). The protection of information should also be guided by "need to know"; this, along with the CIA triad, ensures that the "right" people get the "right" information at the "right" time for the "right" reason. A breach of information security would result in the disclosure, modification, destruction, or misuse of an information asset.
Our IS documents are created in a hierarchy; they flow from the most authoritative (the policy) to those of most practical value (the procedures). This structure is dictated by the use of the documents and by the level at which they must be authorized: for example, the CEO and Board usually authorize the policy, which then gives the CISO the authority to develop all remaining materials.
- Policies:
Policies are high-level statements that provide a framework of expected and mandated behaviour of workers, management, technology, and processes.
They include instructions, procedures, courses of action, and principles that are mandatory within the organization.
- Standards:
Standards outline specific processes and technologies within an organization that must be followed for consistency, such as classification and labelling conventions, implementation steps, systems design, operating systems, applications, interfaces and algorithms.
- Guidelines:
Guidelines direct the recommended or expected behaviour of workers, management, technology, and processes; for example: how to conduct an information asset threat risk assessment.
Personnel may deviate from the guideline if the same business objective is reached.
The difference between many policies and their supporting guidelines is the use of words such as "shall" or "must" being replaced with "should".
- Procedures:
Procedures are detailed, ordered lists of the steps of a process that individuals employ while carrying out their job assignments.
They provide step-by-step guides for accomplishing a task (for example: how to add sensitivity labelling to electronic documents).
Additional Documentation
Other documents that are used to support an IS program are:
- Strategy - contains the plans required to implement Information Security in an organization; that is, the pragmatics for getting your security needs met;
- Metrics - a list of the objectives along with the measurements necessary to ensure success;
- Governance - specifies resource ownership and identifies who has what security responsibility.
If you require help in this area please contact us at:
support@maseconsulting.com, or check out our Support page.