Security Policies, Processes, & Procedures
Policies, processes, and procedures are essential for setting expectations and developing strategies for achieving security. Knighthood assists customers in selecting the level that best fits their needs.
Enhanced
- As part of your continuous improvement programme for security, your people and relevant service providers actively contribute to optimising processes and procedures. You have tools in place to facilitate this.
- Issues and emerging risks relating to contracting and contract management processes are analysed, and mitigation strategies are put in place to improve existing and future contracts.
Managed
- You have security policies, processes, and procedures in place to protect people, information, and assets.
- Policies and procedures are easy to access and well understood.
- You review security policies at least every two years, and periodically review processes and procedures to ensure they remain appropriate.
- Security management processes are embedded, consistently followed, and deliver the outcomes you expect.
- Your procurement contracts include standard terms and conditions relating to security.
- Your policies and procedures include aspects on working with external suppliers where relevant.
- People from across your organisation contribute to designing security management policies, processes, and procedures.
- You proactively scan your environment for relevant changes and emerging threats, amending security policies, processes, and procedures when appropriate.
- You set and apply evidence-based performance measures for your security management processes, and performance targets are consistently met.
- Your security management processes and procedures are supported by automation when that makes them more effective and efficient.
- You have documented and effective procedures in place to ensure that proposed changes to processes, or new processes, are assessed for their impact on security management requirements.
Basic
- You have elements of protective security policy in place, but they’re not yet sufficiently supported by documented processes and procedures.
- Where security management processes do exist, they usually perform as expected. However, process discipline may be lax.
- You occasionally review security policies, usually in response to an incident or prompt.
- When applicable, your procurement contracts identify requirements for protecting people, information, and assets.
- Levels of due diligence on the security policies and measures of external suppliers vary across your organisation.
- You have a limited or inconsistent process in place for considering how new processes, or changes to existing ones, will affect security management.
Informal
- You have no documented protective security management policies, processes, or procedures in place.
- Undocumented processes tend to change depending on the situation at the time or on who is following them, and the purpose and value of these informal processes may be unclear.
- Protective security needs may be considered when business processes are developed or reviewed, but you can’t be confident this happens.
- You don’t ask external suppliers for information about their security policies and measures before you share sensitive information with them.
- Security is not considered in procurement decisions or factored into supply contracts for products or services.