Why Strasan
Strasan consulting typically recommends and uses a four-phase approach to implementing a comprehensive, enterprise-wide security management program. The first phase identifies the critical information assets in order to understand the nature and severity of security risks and exposures to those assets. Types of exposures include:
This "Business Value Assessment" identifies owners for critical information assets, evaluates security classification levels, and documents the usage and residence of critical information. The deliverable, an Information Asset Profile, provides a "control book" that highlights which information requires protection, what kind of security is important for the business use of that information, who has ownership responsibility, and how and where the information is primarily used. This enables an information security program to be tailored in the next three phases to provide the right types of controls and mechanisms for the information most critical to the business.

The second phase determines how information assets should be protected. In this phase, the management philosophy and results of the Business Value Assessment are used as guides in defining the guiding security principles for the organisation. Where needed, existing security policies and standards are updated and new ones are developed. In conjunction with a standard of best practices for security management (we recommend ISO 2700x), all relevant aspects are addressed to produce a customised security architecture that effectively aligns to strategic IT and business needs.

When the third phase can use a client's specific security architecture as a model, consultants map current processes to the defined security processes in the client's security architecture and identify gaps. Strasan uses the International ISO 2700x Standards as the model in lieu of one provided by the client if an existing standard is not available. Our security assessment activities include a comprehensive review of an organisation’s policies, procedures, and information protection mechanisms. Recommendations are developed that specify actions to close the gaps with an implementation strategy based on a client's unique business needs.

In the final phase, recommendations are implemented.
Strasan can assist with implementation by providing overall project and transition management, evaluating and recommending products and tools, conducting employee awareness training, or assisting with migrations and conversions. Properly implemented process feedback mechanisms will ensure continuous improvement in security management quality.
+61 424 849 509






