Information security policies, standards, and procedure templates that security professionals use.

Information security – risk management / policies, standards and process templates developed by our team of Certified Information Systems Security professionals! – designed to be integrated easily into any organization's documentation structure.

Information Security Policy Library

(ISO) 27002

  • Comprehensive library of information security policies, standards and processes/procedures
  • All documents can be easily customized to your organization’s needs
  • Each statement maps back to the applicable ISO 27002 control
  • Easily mapped back to any compliance regulation
  • Helps deliver your projects on time and in budget
  • Complete coverage of the latest regulatory and technical requirements
  • Communicate security to all levels of your organization effectively
  • Full access including all updates for 12 months


Compliance Coverage

Complete Regulatory Solutions

  • Simply download, customize and be ready in minutes
  • Designed for effective implementation by expert CISSP certified security professionals
  • Designed to adopt (GLBA), (HIPAA), (PCI_DSS), (SARBOX), (C-TPAT), (BILL C-6) and (Basel II Accord)
  • Complete coverage of all major security control frameworks (ISO 27002), (COSO) and (COBIT)
  • Get your compliance security documentation completed without starting from scratch
  • Don’t be a target: use credible security templates based on internationally recognized standards
  • Simply sign up with your Credit Card or PayPal account for Instant Access


Free Examples

Free Instant Access

  • Risk-free way of viewing what security templates we offer
  • Take a look at the table of contents of all our security templates
  • Why take a chance? See before you buy
  • If you like our examples simply use the upgrade button inside your member area
  • All our paid plans have a 30 day money-back guarantee
  • Simply sign-up and get instant access (no credit card required)


Imagine having all your information security documentation with full ISO 27002 coverage written to a high standard within the next hour – with Security Bastion you can!

Simply sign up to our service and have instant access to a comprehensive range of security governance documentation templates, including information security policies, standards and procedures.

Security Bastion's security templates have been developed by our team of information security authors who have many years of experience developing and, more importantly, implementing information security management across a wide range of organizational types.

In addition, all information security templates are constantly reviewed to ensure that they are up-to-date with industry best practices.

Our information security documentation will give you complete regulatory compliance coverage, providing statements which can be easily mapped back to any compliance regulation.

Security Bastion services and products combine actionable wisdom and relevant implementation advice embedded in security templates that cover the full range of information security controls….

Security Bastion’s security templates are comprehensive and wide ranging with hundreds of policy and standard statements covering every aspect of information security.

Access Control
Acceptable Use Of Assets
Application Development and System Design
Biometrics and Usage
Computer Emergency Response
Computer Viruses and Malicious Code
Contingency Planning
Governance
Information Classification and Labeling
Information Destruction
Digital Signatures
Economic Espionage
E-Commerce
Email
Electronic Surveillance
Encryption
Firewalls
Physical Communications
Incident Response
Identity Theft
Information Ownership
Information Security Related Terrorism
Internet
Intranets
Local Area Networks
Logging Controls
Microcomputers
Mobile Devices
Network Security
Outsourcing Security Functions
Password Management
Personnel Screening and Security
Portable Computers (Mobile Devices, Laptops)
Physical Security
Personal and Corporate Privacy
Roles and Responsibilities
Social Engineering
SPAM
Mobile Users and Telecommuting
Telephone Security
Third Party Access to Information
Security Training and Awareness
Web Application Security
Wireless Network Security
Voice Over IP Security
Acceptable Use Policy
Password Policy
Backup Policy
Network Access Policy
Incident Response Policy
Remote Access Policy
Virtual Private Network (VPN) Policy
Guest Access Policy
Wireless Policy
Third Party Connection Policy
Network Security Policy
Encryption Policy
Confidential Data Policy
Data Classification Policy
Mobile Device Policy
Retention Policy
Outsourcing Policy
Physical Security Policy
Email Policy

...and much more

In addition, relax with full coverage of the International Standards Organization's (ISO 27002) standard for information security management.


Organization of Information Security

Internal Organization – Management commitment to information security. Below is a brief selection of some of the areas that are covered.

  • Information security coordination
  • Allocation of information security responsibilities
  • Confidentiality agreements
  • Contact with authorities
  • Independent review of information security

External Parties

Identification of risks related to external parties. Below is a brief selection of some of the areas that are covered.

  • Addressing security when dealing with customers
  • Addressing security in third-party agreements
  • Assessing risk when dealing with third parties
  • Review of third-party security

Asset Management

Responsibility for Assets – Inventory of Assets – Ownership of Assets. Below is a brief selection of some of the areas that are covered.

  • Acceptable use of assets.
  • Acceptable use policy
  • Information classification
  • Classification guidelines
  • Information labeling and handling

Human Resources Security

Prior to employment – Roles and responsibilities – Screening of employees. Below is a brief selection of some of the areas that are covered.

  • Terms and conditions of employment
  • Management responsibilities during employment
  • Information security awareness, education and training
  • Termination or change of employment
  • Termination responsibilities
  • Return of assets
  • Removal of access rights

Physical and Environmental Security

Secure areas – Physical security perimeter – Physical entry controls. Below is a brief selection of some of the areas that are covered.

  • Securing offices, rooms and facilities
  • Protecting against external and environmental attacks
  • Public access, delivery and loading areas
  • Securing supporting utilities
  • Cabling security
  • Equipment maintenance
  • Security of equipment off-premises
  • Secure disposal or re-use of equipment
  • Removal of property

Communications and Operations Management

Operational procedures and responsibilities – Documented operating procedures – Change management. Below is a brief selection of some of the areas that are covered.

  • Segregation of duties
  • Third party service delivery management
  • Monitoring and review of third party services
  • Managing changes to third party services
  • System planning and acceptance
  • Capacity management
  • Protection against malicious and mobile code
  • Information back-up
  • Network security management
  • Media handling and information handling procedures
  • E-commerce services and online transactions
  • Monitoring and log management

Access Control

Business requirements for access control – Access control policy – User access management. Below is a brief selection of some of the areas that are covered.

  • User registration
  • Privilege management
  • Password management
  • Review of user access rights
  • Access control to program source code
  • Change control procedures
  • Restrictions on changes to software packages
  • Technical vulnerability management
  • Sensitive system isolation
  • Mobile computing and communications

Information Systems Acquisition, Development and Maintenance

Reporting information security events and weaknesses – Reporting information security events – Reporting weaknesses. Below is a brief selection of some of the areas that are covered.

  • Input/Output data validation
  • Message integrity
  • Cryptographic controls
  • Key management
  • Access control to program source code
  • Change control procedures
  • Technical review of applications after operating system changes
  • Technical Vulnerability Management
  • Outsourced software development
  • Control of technical vulnerabilities

Information Security Incident Management

Reporting information security events and weaknesses. Below is a brief selection of some of the areas that are covered.

  • Management of information security incidents and improvements
  • Responsibilities and procedures
  • Learning from information security incidents
  • Collection of evidence
  • Complete incident management process

Business Continuity Management

Information security aspects of business continuity management, including information security in the business continuity management process, business continuity and risk assessment. Below is a brief selection of some of the areas that are covered.

  • Developing and implementing continuity plans including information security
  • Business continuity planning framework
  • Business continuity plan
  • Testing, maintaining and re-assessing business continuity plans

Compliance

Compliance with legal requirements – Identification of applicable legislation and regulation – Intellectual Property Rights (IPR). Below is a brief selection of some of the areas that are covered.

  • Protection of organizational records
  • Data protection and privacy of personal information
  • Prevention of misuse of information processing facilities
  • Compliance with security policies and standards, and technical compliance
  • Compliance with security policies and standards
  • Technical compliance checking
  • Information systems audit considerations
  • Information systems audit controls
  • Protection of information system audit tools

Security Risk Management

Security risk management policy – Identification of security risk via threat and risk analysis process. Below is a brief selection of some of the areas that are covered.

  • Risk management responsibilities
  • Risk management policy
  • Threat and risk analysis tool box
  • Threat and risk analysis process
  • Risk management guidelines
  • Risk register

Don’t make yourself a target – get premium quality information security templates written by CISSP certified security professionals.


Catapult your organization to a high level of security by utilizing CISSP security professionals and the vast working knowledge of the International Standards Organization Code of Practice for Information Security Management (ISO 27002).


Our templates are not just sample security examples; instead, they are high-quality, easily deployed information security governance templates which can be easily customized and implemented.

Implement high-quality ISO 27002 information security policies, standards and processes. In just a few hours you could have complete information security governance documentation printed and fully customized to your organization's policy structure.

Because Security Bastion's information security and risk management templates are developed based on industry standards, you’ll be reassured that your information security policies are complete and will (a) meet virtually any industry compliance regulation, (b) be credible and easy to communicate to senior management, and (c) provide instant credibility and reassurance to business partners and clients.

Why do we need security management?

Today’s commercial environment of eCommerce and highly sophisticated business offers many opportunities. The online world is rapidly growing and promoting a real global economy. This inter-networking of computers is creating borderless markets across many industries. Competing effectively within this global economy requires organizations to embrace a level of openness and accessibility. Companies intending to embrace this promising market and leverage the competitive advantages provided by the Internet must devise and implement strong information security policies, both to safeguard their own information systems and to maintain their customers' confidence and trust.

Let’s face it, developing and implementing information security policies and standards is an essential part of doing good business in today’s highly sophisticated business world. Security Bastion consists of a group of senior security consultants with a mission to give every organization a chance to implement information security policies, standards and processes which are second to none, turning information security officers, managers, and information technology professionals into expert information security authors for their organizations. Sound business practices mandate security protection for business assets. As business utilization of the Internet grows and many more private networks are linked to the Internet, the requirement for secure communications and networks grows at the same time.

Let Security Bastion do all the policy, standards and process writing and maintenance.

Writing an information security policy can be a difficult and daunting task that usually takes expert information security knowledge and a team of technical writers to complete effectively. Even when your information security policies are complete, applicable standards and procedures must be written to communicate and enforce the policy statement requirements. All of this can take many thousands of dollars and months to complete.

Estimated cost for security documentation development

Here we have placed a breakdown of what you would probably expect to pay to develop and maintain an information security policy document yourself. By using our service you save yourself a considerable amount of money and time. In addition, our security experts continually develop and implement information security management so you will be benefiting from our extensive and focused experience.

Typical cost of developing an information security policy

Below we have set out the costs for developing one complete information security policy with a length of 100 pages. Our service provides access to thousands of pages of not only policies but standards, processes and more.

Ideally, a technical writer and an information security professional would be needed to develop information security documentation. Hourly rates for skilled information security professionals can range anywhere from $80 to over $300 an hour, and a technical writer's between $50 and $100 an hour.

Security Policy/Standard/Process Development Cost = Policy Length (pages) x Time x Cost Per Hour

To make our point, we will take a very conservative approach and assume that we got a bargain and hired a technical writer and information security consultant for a combined hourly fee of $120 an hour. To develop a draft 100-page ISO 27002 based information security policy, it would take around 100+ hours for both a technical writer and information security consultant to complete. Generally speaking, the total cost of development would depend on many factors, so in this example we have used very conservative numbers.

Total time: 100 pages x 1 hour per page = 100 hours
Total cost: 100 hours x $120 per hour = $12,000.00

If we were to hire an information security consultant from a large consulting firm, this number would look more like $20,000 to $30,000 depending on your organization’s requirements.

Estimated cost for security documentation maintenance

Developing the initial documentation is only part of the overall cost. All security documents must be reviewed and maintained to keep them up to date. It is advised that the information security documentation be reviewed at least annually. Here again, it can take up to a week of work to review all the policy documents for a typical mid-sized organization. If we use the same equation as before at $120 an hour for a technical writer and security consultant, we would be looking at the figure below annually.

40 hours at $120 an hour = $4,200.00

Again Security Bastion pays for itself many times over just on saved maintenance costs.

Meet our development manager and co-founder


David Handford originally hails from Northern England and has over 15 years’ experience in Information Security helping organizations in a variety of industries including energy, insurance, telecoms, financial, IT, and public sector.

David has worked extensively in compliance and regulation helping organizations that range from small Internet Payment Service Providers to large multinational companies meet their compliance objectives in both North America and the UK.

His primary focus is Information Security Management and Privacy, and he works as the product development manager at Security Bastion. In addition to this, he also pitches in, consulting to companies who need a little extra help employing our information security templates.

David’s security expertise includes helping customers to assemble complete enterprise security architectures that embrace risk management and security management in addition to meeting their compliance obligations. Over the years this has provided him with vast experience in many areas of information security.

David believes that security issues must be addressed inside an incorporated risk management framework that considers all aspects of an organization from people and policies to information technology. He also believes that security is a continuing process, not a one-time effort.

David is an avid Security Professional who is a Certified Information Systems Security Professional (CISSP #40846).

Before his Information Security career David spent six years in the armed forces as an armored reconnaissance soldier with the British Army.


Industry Standards

Using the ISO17799 (ISO 27002) security controls as their foundation, Security Bastion policy templates will help you implement a top-down policy framework easily and effectively.

Modular Functionality

Security management templates that are modular in design, in line with ISO17799 (ISO 27002) objectives, enabling them to be easily mapped back to any compliance standard.

Attention to Details

Our authors have vast experience in the information security workplace developing and, more importantly, implementing security management across a wide range of organizations.

Real-World Advice

Security Bastion templates will help you understand each policy statement by giving you the documented motives and effects.

Ongoing Updates

Our information security policies are updated monthly to ensure that the latest industry best practices are applied.

Easy to Customize

An effective documentation customization section enables our templates to be fully assimilated into your security management framework in a matter of minutes.

Standards and Processes

Communicate policy statements into your operational groups with tactical standards and processes in line with our policy structure and industry best practices.

Implementation Advice

Information security management templates that come with an implementation checklist to help you plan for your next step.

Sound business practices mandate security-protection for business assets. As business utilization of the Internet grows and many more private networks are linked to the Internet, the requirement for secure communications grows at the same time.

Information Security Policy Importance

The online world's function is to deliver dynamic, flexible and open communications among a huge diversity of entities. However, within this lies its power and peril. The Internet has not been designed to protect confidential or sensitive information. Internet providers and users are not regulated. Anyone can use the Internet or become an Internet provider. Because the Internet is a cooperative, shared participation network, there is nothing to prevent reading, copying or changing information. Computers linked to the Internet are susceptible to hacking access by anyone. An information security policy is an absolute necessity to organize and manage security across any organization. An information security policy is a statement of the goals, responsibilities and accepted behaviors necessary to maintain a secure environment. Security policies set the direction, give broad guidance and demonstrate senior management's support for security-related facilities and actions across an organization.

Take advantage of our secure online credit card payment facility, PayPal Payments Pro. This new, premier facility offers much more than the standard PayPal payment facility. Benefits include no personal PayPal account required, no limits on transaction amounts and an integrated Verisign security system. Secure payments are now easier for you. See our terms for more details.