Security Strategy and Policy (SSP)

Security is becoming an important function of an organization, and the success of the business critically depends on it. The reactive approach to managing security is gradually being replaced by a proactive approach. IT infrastructure is becoming more complex and diverse, while the exposure of an organization to security threats is expanding. This necessitates planning and deployment of security countermeasures across all layers of the infrastructure, including network, server systems, endpoints, application infrastructure, messaging, database, etc. The capability of the countermeasures depends on various factors such as their architectural positioning in the IT ecosystem and the manageability of the solutions. The maturity of the security operations around these countermeasures, the monitoring and testing efforts deployed for assessing their capabilities, and their integration with the incident management mechanism contribute to the overall effectiveness of the countermeasures. Moreover, the governance culture of an organization becomes an important element in ensuring that each individual countermeasure is derived from a well-devised plan, that the operations around it are executed as per the intended purpose, and that the performance of the countermeasure is continuously monitored. The strategy for security is a proactive initiative to devise an organization's defense plan against evolving security threats, one that addresses multiple dimensions for structured, effective and efficient defense.


Security strategy brings structure to security initiatives that strive to position the countermeasures for effective protection. It establishes a structured process to understand the threat landscape of an organization and to resolve the complexity of the IT infrastructure, providing better options to improve the security posture. It provides different ways for better deployment and management of the security countermeasures, and it allows building the operational strategies for optimizing resources and efforts. Security architecture remains an important instrument for fulfilling the strategic objectives of an organization. An architectural treatment of security introduces a proactive approach. It aligns different solutions and countermeasures towards the overall goals and provides effective linkages to the enterprise security architecture. It specifies how an organization is dealing with the perennial threats and how it is prepared to deal with the evolving threats. However, the ground operations of the security countermeasures need to be performed in a predetermined manner; these countermeasures should be able to respond to operational situations in a calculated way. This requires an organization to define business rules to guide and mandate the operations for delivering the intended outcome. A compilation of these rules in a set of statements is referred to as the security policy of an organization. The security policy should be an aggregated reflection of the policy requirements that are necessary for the assured and intended functioning of the countermeasures. Security policy is also an instrument for the executive management to articulate their commitment and intent for protecting the information assets. It serves as a tool to ensure compliance, provide assurance to stakeholders, and provide direction to the security initiatives of an organization.
DSCI believes that SSP is a foundational discipline of security, which not only lends its support for structured security initiatives, but also offers a capability to bring effectiveness and efficiency in the security management processes.

  • Create an inventory of IT solutions that are deployed at different layers such as network, server systems, endpoints, application infrastructure, messaging systems, databases and unstructured data
  • Create a map of the security countermeasures deployed at each of these layers
  • Evaluate the positioning of the security countermeasures in an organization’s IT ecosystem
  • Evaluate the security posture of an organization
  • Identify the business functions, services and processes of an organization; evaluate their sensitivity and criticality
  • Evaluate the capability of the security architecture to address all possible security threats
  • Evaluate the process for security architecture development
  • Evaluate the direction of the security architecture, such as perimeterization versus de-perimeterization, and centralization versus decentralization
  • Evaluate the strength of the security countermeasures.
  • Identify the components of the security strategy of an organization. The components of the security strategy could be: a. Protection, b. Architecture, c. Management, d. Operations, e. Monitoring and testing, f. Incident management, g. Security governance
  • Evaluate how an organization performs the strategy assessment exercises, including: a. Frequency of security gap assessment, b. Scope of gap assessment, c. Skills and resources assigned to gap assessment
  • Identify all activities, capabilities, functions, and operations of an organization that can be attributed to security
  • Evaluate the operational strategies of an organization
  • Identify and create an inventory of the policy items.
  • Validate the policy requirements of the organization with the existing security policy
  • Evaluate how the security policy is derived in the organization
  • Identify the external sources that have been taken into consideration for deriving the security policy and architecture
  • Evaluate how the security policy is enforced.
  • Evaluate how the compliance requirements drive an organization’s security policy.
  • Create a map of policy items to the respective compliance requirements
  • Create a catalogue of security processes. For each process, create a map of its objectives, inputs required, expected outcome, frequency of process transactions and artefacts created
  • For each process, evaluate the involved entities and their relationships, flow of transaction, resources and efforts consumed, and their dependencies
  • Identify and map the standards and guidelines defined by the organization within each security discipline
  • Evaluate how the policy is communicated to the end users, including employees, visitors and employees of vendors and service providers
  • Evaluate how the organization deals with non-conformance to the security policy
  • Evaluate how the organization reviews the performance of policy implementation

  • Ensure that an organization has complete and dynamic visibility over all activities, functions, processes and mechanisms that require the attention of the security initiatives
  • Ensure that there exists a close relation between the security objective and respective countermeasures
  • Ensure that there exists a mechanism to evaluate sensitivity and criticality of business functions, services and processes
  • Ensure that the organization has a complete visibility and understanding of its security posture and there exists a program for assessing the security posture from time to time. Ensure that the security preparedness of the organization is continuously evaluated to provide inputs to the strategic initiative for security
  • Ensure that there exists a process in the organization to define and manage the security strategy
  • Ensure that the organization’s units, their activities and operations are in line with the strategic goals of security
  • Ensure that all the security solutions are derived from the well-devised security architecture of the organization
  • Ensure that there exists a mechanism for security architecture development. The components of this mechanism could be:
  • Ensure that the strategy initiative focuses on all the aspects of security management.
  • Ensure that a significant level of effort is dedicated to developing security intelligence that collaborates with external and internal information sources for refining the security strategy
  • Ensure that a significant level of effort is dedicated to understanding and evaluating the security tools and solutions that are evolving in the market
  • Ensure that the security strategy and architectural initiative are an integral part of an organization’s IT strategy
  • Ensure that the enterprise security policy is an aggregation of the policy elements required to manage security threats rather than an isolated group of statements that do not address the real security issues an organization is facing
  • Establish a security policy that articulates the organization's intent, purpose and objectives for security
  • Ensure that the security policy is deployed across all business processes, enterprise functions, projects and operations of the organization.
  • Ensure that the management’s commitment towards the policy is frequently communicated to the employees, partners and service providers and is also reflected in their actions
  • Ensure that the responsibility and accountability for security policy definition, implementation and enforcement is adequately defined and established
  • Extend the coverage of the policy to partners, vendors and other third party service providers
  • Ensure that the security policy is readily available to all organizational units and all communication and collaboration channels are leveraged to publish or create awareness about the policy items. Extend the message to external customers and clients
  • Ensure that the security processes in the organization are managed effectively.
  • Ensure that there exists a mechanism that monitors compliance to the policy and assesses the effectiveness of the policy implementation
  • Ensure that non-compliances with the policy are identified and addressed in a timely manner, and that everyone clearly understands the consequences of non-compliance
  • Ensure that there exists a mechanism to review and periodically update the security policy. Inputs such as changes in compliance requirements, changes in the privacy perceptions of end-customers, security baseline assessments, security process maturity and non-compliance incidents are taken into consideration during the review of the policy
  • Ensure that there exists a significant collaboration between an organization’s functions and units to implement and enforce policies

  • Visibility over the activities, functions and processes requiring the attention of security initiatives reflects the intent of an organization to address each element that is important from a security perspective
  • Comprehensive and current understanding of the security posture reflects the granular level of organizational understanding of the security posture and ability to keep this understanding updated
  • Security strategy alignment to business objectives reflects the alignment between strategic initiatives to the business requirements and goals
  • Structural effort for the security strategy reflects the maturity of the security strategy function and its processes
  • Coverage and extent of the security strategy reflects the ability to address the diverse dimensions of the security requirements and extend the scope to all required elements
  • Architectural treatment to security initiatives reflects how structurally the security countermeasures are planned and deployed
  • Security intelligence and its relation with strategy reflects how security strategy initiatives collaborate with the external and internal knowledge sources for refinement of the strategy
  • Comprehensiveness of the security policy reflects the ability of the enterprise security policy to represent the policy requirements of diverse and complex IT infrastructure elements
  • Commitment and involvement of executive management and business units reflects the security culture, management intent and action, and participation of business units in the ongoing security initiatives
  • Alignment of the security policy to the real risks reflects how well the enterprise security policy is aligned to address real security risks and threats
  • Enforceability of the security policy reflects the ability to deploy different sets of instruments to enforce the policy
  • Policy articulation and awareness reflects the ability to communicate the security messages and ensure employee awareness



DSCI Security Framework