Although information assets are specific to your business functions and business strategies, they may be contained within broad categories such as contractual and legislative compliance, those needing virus prevention, those critical to business recovery following security compromises, etc.

IBM's Security Policy Definition offering investigates the requirements for information security, the associated priorities and, thereafter, creates a custom security policy to clearly demonstrate management's commitment to an enterprise security program.

IBM Security Consultants will team with your staff to develop a detailed work plan and on a continuing basis to ensure that all work performed is designed to satisfy your organization's needs. To ensure the policy developed during this activity meet your business needs and can be realistically implemented, IBM refers to its own internal corporate security program elements (e.g. corporate instructions and standards) together with "best practices" selected from industry standards for commercial environments in the areas such as: organization, personnel, physical controls, asset classification and control, network and computer management, business continuity, application development, and compliance.

Based on information gathered from interviews with your key business and IT managers, IBM Security Consultants will develop a corporate security policy that will contain, at a minimum:

• a definition of information security with a clear statement of management's intentions
• an explanation of specific security requirements including:
  • compliance with legislative and contractual requirements
  • security education, virus prevention and detection, and business continuity planning
  • a definition of general and specific roles and responsibilities for the various aspects of your information security program
  • an explanation of the requirement and process for reporting suspected security incidents, and
  • the process, including roles and responsibilities, for maintaining the policy document.

Service covers:

• A review of your organization's business strategy and related security requirements
• A review of your organization's IT strategy, current security concerns, and future security requirements
• A review and analysis of your organization's current security policy and standards against the needs of your organization's business and IT strategies
• A customized security policy document which will prescribe management's direction to guide your organization in meeting your corporation's security objectives according to its business needs.

Price
The contract amount for IBM's Security Policy Definition offering typically ranges from $25,000 to $100,000. Taxes and applicable travel and living expenses are extra.