Policy FAQs

What is the difference between policies, procedures, and standards?

Policies are high-level statements of management intent. Basically, who must do what?

Procedures provide the steps that you need to follow to put policies into effect. Not every policy needs a procedure, but every procedure has a policy behind it.

Standards provide (often technical) details to support policies and procedures. But they don’t include steps or they would be procedures.

We keep policies, procedures, and standards separate because they are used (and maintained) differently.

What policies are included in Virtual Security Team?

We create a full set of information security policies. The policies are designed to address regulatory and standards-based requirements such as HIPAA and PCI DSS. However, our framework is broadly organized using ISO 27001 domains since the ISO 27001 standard is oriented towards defining an information security program (i.e., an information security management system).

Thus, the policies cover program implementation, the information security organization, HR security, asset management, access control, cryptography, physical security, operations security, communications security, acquisition and development, vendor security, incident management, information security aspects of business continuity, and compliance. The structure and presentation of policies varies by client – so the number and length of policies documents varies as well. We generally estimate that clients will have between 250-300 discrete policy “statements” – although we can present these so that workforce members read only the security expectations that apply to each.

What else is included with the policies?

You might not know what else you need to get security policies going, but Loptr does.

We create a glossary that consolidates terms from various sources like the HIPAA Omnibus Rule and NISTIR 7298. We provide a role matrix template that you will use to map your workforce to corresponding policy roles, plus an exception template you’ll use to track cases where you grant exceptions to a policy.

What procedures are included in Virtual Security Team?

These procedures are typically included in Virtual Security Team: Network Configuration and Testing, Firewall and Router Change Management, Maintaining Network Documentation and Diagrams, Maintaining Data Flow Diagrams, Firewall and Router Review, System Configuration, Mobile Device Configuration, Wireless Network Configuration, Maintaining Configuration Standards, Maintaining Asset Inventory, Documentation Disposal, Media Disposal, Information System Disposal, Sensitive Data Storage Review, Periodic Malware Threat Evaluation, Malware Configuration Review, Patching Configuration Review, Patch Management, Software Release Management, Software Change Management, Software Code Review, Planning Secure Development Training, Application Security Testing, Workforce Clearance, New Hire Checklist, Termination Checklist, Periodic Access Review, Authentication Reset, Off-site Storage Security Review, Card Processing Device Inspection, Recording Physical Security Maintenance, Critical Log Review, Periodic Log Review, Vulnerability Scanning, Penetration Testing, Host Configuration Testing, Investigating File Integrity Alerts, Security Evaluation Preparation, Planning and Performing a Security Evaluation, Post-evaluation Analysis and Improvement, Policy Review and Update, Risk Assessment, Periodic Security Systems and Products Review, Security System/Product Selection, Security Service Selection, Vendor Security Evaluation, Vendor Onboarding, Vendor Offboarding, Incident Response, Post-incident Analysis and Improvement, Periodic Incident Reporting Review, Communicating the Results of Audits and Evaluations, Planning Specialized Security Training, Planning Participation in Security Forums, Creating Security Awareness Reminders, and Periodic Training Review.

Your procedure collection may vary based on scope and compliance requirements. We also work with you to create up to 5 additional information security procedures – if you have a process beyond what we cover, we’ll help you write a procedure for that, too.

Do you really provide all of those procedures in VST?


What does a procedure look like?

We strongly encourage clients to use procedures in checklist format. An auditor’s first question might be, “Do you have a procedure for that?” but the follow-up will be, “Can you prove that you followed the procedure?” We design our procedures to be followed and we use a checklist format that makes record-keeping easy.

Procedures are typically each 1-3 pages in length. They include brief steps, guidance, and space for comments or details needed to fully document each process.

What else is included with the procedures?

We provide a procedure index that cross-references each procedure to regulatory requirements like the HIPAA Omnibus Rule and PCI DSS. We also provide a scheduling tool to help you get your procedures up and running. Since you already have software you use for calendaring in your organization, the scheduling tool gives you the input you need to set up recurring events for any time-triggered procedures.

What standards are included in VST?

Along with policies and procedures, you need some more technical standards. We provide standards covering data classification, encryption, media destruction, passwords, and remote access and teleworking. We’ll also provide a secure system configuration template that makes it a lot easier to document expected security settings for your operating systems and devices.