Policy Development Review Services
Being in compliance with the many and growing information privacy and security regulations and standards means having the proper policies and procedures in place to establish your security management process and to provide the structure that supports secure operations within that process.
A complete set of policies and procedures:
1) Enables the adoption of good privacy and security practices within your business structure.
2) Provides guidance for implementing good practices that are in compliance with applicable regulations and standards.
Proviatek works with clients to review their current policies and compare them to the requirements for applicable regulations and standards through the use of proprietary policy templates and workshops involving knowledgeable client staff. Each of the policy areas is examined and policy deficiencies are noted for remedial action.
Then, based on the analysis, we recommend a structure of needed policies and procedures, and work with the client to develop the policy language to match similar policies that may already be in place. Where appropriate, clients may ask us to assist in their policy adoption process in order to speed adoption of necessary policies.
At the same time, we can work to define the supporting procedures that must be in place to ensure adoption of policy requirements, working with your staff to define and document your systems and processes. For some clients, we input policies, procedures, and documentation of compliance status and compliance activities into a Wiki or other easy-to-use Web-based information sharing tool, so that the information is easy to keep up to date and easy to use.
A complete policy and procedure review is an essential part of any regulatory compliance assessment. Proviatek can help you discover and remedy policy and procedure issues before they become a serious liability.
Risk Analysis
Risk Analysis is the process of identifying the potential areas of risk to information security based on the inventory of information systems and information flows described by the Information Flow Analysis. Risk Analysis provides the big-picture view of your systems and flows and their security.
The analysis involves organizing the systems and flows into categories with similar information security characteristics, and then defining the risk issues that must be dealt with for each category of system or flow. Proprietary and publicly available tools are used to identify threats, vulnerabilities, and controls, and provide the framework for the analysis.
Proviatek provides its clients with descriptive summaries of each category of system or flow and its risk issues, as well as a tabular presentation identifying each issue and the policy and technical security requirements for managing its risk.
The Risk Analysis identifies the particular systems and flows that need further assessment of risk so that the risks may be better understood and mitigated as necessary. The Risk Analysis results in a report that defines the needs for the ensuing Risk Assessment work as well as recommended policy modifications necessary to ensure good security practices.
Risk Assessment
Following the Risk Analysis performed using the data from the Information Flow Analysis, individual areas of risk identified in the Risk Analysis are assessed as necessary in order to understand the details of any risks and how they may best be mitigated. While the Risk Analysis provides the big-picture view, Risk Assessment zooms in on the individual systems to ensure the details are considered adequately.
In many cases, the Risk Assessment is a heavily technical task, involving reviews of systems, networks, configurations, and procedures. In some situations, clients of Proviatek perform the specific system risk assessments and institute the necessary remediation themselves, or work within an existing technical consultant relationship.
In other cases, Proviatek provides the technical services necessary to complete the Risk Assessment. We are happy to provide technical experts or work with your existing technical personnel, whichever is your preference.
The results of the Risk Assessment direct your steps toward compliance and become part of the foundation of documentation that ensures you have a complete Integrated Information Security Management Process and good compliance with applicable regulations and standards.
Risk Analysis and Risk Assessment provide key information for a complete Compliance Assessment and also provide input to your Policy Review and Development process.
Compliance Assessment
A Compliance Assessment includes a complete review of privacy and security policies and procedures and any actions taken in support of those policies, as well as a review of information flows and risk analyses and assessments to determine the thoroughness of preparations for compliance.
If Information Flow Analysis, Risk Analysis and Risk Assessment information is not readily available, analyses can be performed as part of the compliance assessment. Detailed assessments include a thorough physical site examination and interviews with knowledgeable personnel, as well as reviews of documentation and any prior assessments.
Based on the information gathered, each requirement of applicable regulations is examined to determine the adequacy of the policies, procedures, and practices established in meeting the requirements.
The result of a complete Compliance Assessment performed by Proviatek is a report including descriptions of reviews undertaken and a listing of issues that should be addressed to improve compliance. In addition, any actions taken to support the assessment, such as Information Flow Analysis or Risk Analysis, are fully documented.
The result is a report that will not only help ensure your compliance today but also provide a good foundation of documentation for future assessments performed as part of your continuing Integrated Information Security Management Process.
The final step in a complete assessment is for Proviatek to conduct a risk determination and planning meeting, wherein stakeholders meet to discuss the issues described in the compliance assessment report, make informed decisions about risks, and set priorities for management and mitigation of risks to information security. Such a meeting is an effective first step in implementing an Integrated Information Security Management Process for organizations lacking an existing process.
Integrated Information Security Management Process
With the increasing proliferation of information handling regulations and requirements that businesses, colleges, financial institutions, and health care providers of all kinds must operate under, it is no longer an option to examine information security and compliance for each regulation or requirement individually.
For all the variety in regulations, there are several core principles around which compliance can be established for all of the requirements. The best way to meet information security and regulatory needs is to have an Integrated Information Security Management Process in place that considers all of the relevant requirements and establishes the policies, procedures, and practices that can work together to meet all of the needs.
To maintain information privacy and security and regulatory compliance, you need to have a continuous process established to:
Conduct an Information Inventory and Flow Analysis
Implement Access and Configuration Control
Know who and what has been active in your networks and systems
Respond to and learn from Incidents
Audit and review regularly, and when operations or environment change
Improve your operations based on reduction of risk
You’ll need to review your policies, procedures, and practices to ensure all applicable requirements and essential practices are met. Properly organized, your basic security policies need not be a chaotic jumble of specifications for individual regulations and requirements. Where possible, your policies can be organized under four fundamental security policies:
Information Security Management Policy – wherein the process itself is established, including requirements to perform the steps listed above
Access Control Policy – which covers the mechanics of allowing and preventing access as appropriate, through means such as administrative processes and technical measures (authentication, encryption, perimeter controls, etc.)
Contingency Policy – covering the essentials of data preservation, data destruction, and disaster recovery
User Policy – detailing the requirements of how individual users should and should not use their information devices and the organization’s data
Proviatek can help you establish your Integrated Information Security Management Process and all its underlying policies, procedures, documentation and training activities, so that you can be in compliance with HIPAA Privacy, HIPAA Security, PCI, and any other regulations that affect information security and data management.
We can provide the Policy Review and Development Services, Risk Analysis, Risk Assessment, and Compliance Assessment Services to jump-start your process and help move you to compliance quickly, safely, and economically. Contact us today if you have any questions or would like any additional information.