The objective of this review is to assess the effectiveness of the security policies in delivering the targeted business priorities. Our review process is based on the recognised ISO 27000 series international security standards.
For example, a common challenge is balancing the objective of strong authentication against an acceptable user experience. Most users struggle with complex password composition rules (e.g. the password must contain letters, numbers and special characters and meet a minimum length). Such rules encourage insecure practices such as using the same password across multiple systems, or simply incrementing a digit or changing a single letter when prompted to change the password, so the "new" password is trivially derived from the old one.
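The rotation problem described above can be checked for directly, rather than relying on composition rules alone. The following is an added example written for this page (it is not the reviewer's tooling or any product's code): it applies the classic composition rule, checks the candidate against a breach list, and then rejects passwords that are only a trivial rotation of the user's previous passwords, by comparing the password "stem" (trailing digits and symbols stripped) and the edit distance. The password history and the breach list are constructed sample data; a real deployment would compare against stored hashes and a full breach corpus, in line with the current guidance (NIST SP 800-63B) to screen against breached passwords instead of forcing periodic rotation.

```python
import re

# Constructed sample data for the example: the passwords a user previously set,
# and a tiny stand-in for a breached-password list.
PREVIOUS_PASSWORDS = ["Summer2021!", "Summer2022!", "Summer2023!"]
BREACHED_PASSWORDS = {"Password1!", "Welcome123", "Qwerty123!"}


def meets_complexity_rules(pw: str, min_len: int = 8) -> bool:
    """The composition rule from the text: letters, digits, specials, minimum length."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def stem(pw: str) -> str:
    """Lower-case the password and strip the trailing digits/symbols that users
    typically increment on forced rotation (Summer2023! -> summer)."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character tweaks
    such as Summer2023! -> Summer2023?."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_rotation(candidate: str, history, max_edits: int = 2) -> bool:
    """True if the candidate shares a stem with, or is within a couple of edits of,
    any previous password."""
    cand_stem = stem(candidate)
    for old in history:
        if cand_stem and cand_stem == stem(old):
            return True
        if edit_distance(candidate.casefold(), old.casefold()) <= max_edits:
            return True
    return False


def evaluate_password(candidate: str, history, breached) -> list:
    """Return the list of policy findings for a candidate password.
    An empty list means the password is accepted."""
    findings = []
    if not meets_complexity_rules(candidate):
        findings.append("fails composition rule")
    if candidate in breached:
        findings.append("appears in breach list")
    if is_trivial_rotation(candidate, history):
        findings.append("trivial rotation of a previous password")
    return findings


if __name__ == "__main__":
    for pw in ["Summer2024!", "Password1!", "tR7$vq!Lm2pz"]:
        print(pw, "->", evaluate_password(pw, PREVIOUS_PASSWORDS, BREACHED_PASSWORDS) or "accepted")
```

Note that "Summer2024!" satisfies every composition rule yet is rejected, which is exactly the gap the composition rule leaves open; the stem and edit-distance thresholds are assumptions for illustration and should be tuned to the organisation's history depth and tolerance for false rejections.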
Our review starts by identifying the targeted business priorities, such as authentication strength, ease of use, access technology and solution cost. Where possible, a financial dimension is assigned to each priority. This analysis provides a framework for assessing policy elements such as biometric controls, security analytics and the use of threat intelligence, which can have significant privacy and cost implications.
For example, acquiring a smartphone with biometric capabilities such as fingerprint or face recognition may cost a little more, but it can reduce the total solution cost by lowering the fraud rate. Another example is the use of an authenticated smartphone app as the second authentication factor instead of relying on SMS messages. SMS delivery is insecure (messages can be intercepted or redirected, for instance through SIM swapping) and has been extensively exploited in online banking fraud. Our review helps to put such technology decisions into perspective.