158HEPD Base

Policy Development (Higher Education)

    Service Overview

    Policies and supporting documentation are the primary governance structure for a cybersecurity program. Security policies protect people and information, define expected personnel behaviors, define the organization's position on security, minimize risk and track compliance with regulations and legislation. Information security policies also provide a framework for best practices to align the business, from the top down, on its information security direction and expectations. 

    DeepSeas Policy Development service provides the documentation framework and expertise necessary to develop meaningful and effective cybersecurity policies, standards, plans, procedures, and supporting documentation.  

    This Statement of Work identifies the objectives, scope, methodology, deliverables, client requirements, and assumptions for all work to be completed by DeepSeas.

    Objectives

    The objectives of this initiative are as follows: 

    1. Establish and define a legally defensible position for the organization's cybersecurity program. 
    2. Develop information security policies, plans, procedures, and supporting documentation that align with business strategy and operations. 
    3. Identify and track gaps in the program documentation. 
    4. Help establish the policy management process. 

    Methodology

    The methodology consists of the following activities: 

    1. INITIALIZATION PRESENTATION 
      1. Provide project stakeholders and participants a brief overview of how the project will be conducted, including tools, resources, critical stakeholders, and process. 
    2. EXISTING DOCUMENTATION REVIEW 
      1. DeepSeas will review existing client documentation that is aligned with in-scope documents and integrate it into the new documentation set. 
    3. INITIAL DOCUMENTATION DEVELOPMENT 
      1. DeepSeas to prepare all in-scope documentation with: 
        1. Client branding 
        2. Client-specific details 
      2. Client to provide branding to DeepSeas.
      3. Client to approve document branding prior to documentation development. 
    4. DOCUMENTATION DEVELOPMENT
      1. Conduct working sessions: 
        1. DeepSeas will conduct working sessions for the duration and frequency defined in the scope. 
      2. Produce final documentation drafts: 
        1. DeepSeas will develop information security standards with the client during working sessions, as defined in scope. DeepSeas will work with the client to determine whether each drafted standard is currently in place and, where it is not, will collaborate with the client to develop the necessary corrective action plan(s), prioritized accordingly. 
        2. The client will provide redlines to draft documents produced by DeepSeas in advance of planned working sessions. 
        3. DeepSeas to address client redlines in interactive working sessions with the Client. 

    Deliverables

    DeepSeas will produce the following deliverables: 

    1. PROGRAM DOCUMENTS - DeepSeas will provide final drafts of documents, including policies, standards, procedures, and references, in alignment with the Scope and as applicable to the Client environment.  
    2. MEETING MINUTES - DeepSeas will provide meeting minutes post-working sessions detailing action items and next steps. 
    3. LIST OF GAPS (RISK REGISTER) - DeepSeas will document gaps identified during the engagement in a Risk Register that can then be used by the Client to conduct risk management. The Risk Register is not managed by DeepSeas as part of this project. 

    Service Assumptions

    PROJECT-SPECIFIC ASSUMPTIONS 

    1. Each in-scope document is to go through no more than two (2) development iterations by DeepSeas.
    2. Policy Development will be led by client's vCISO if vCISO Strategy & Governance is purchased.

    Client Responsibilities

    The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan. 

    1. Client to assign a point of contact (POC) responsible for client coordination and logistics. 
    2. The client is responsible for scheduling and coordination of internal client resources for all project work.  
    3. The client is responsible for the approval and implementation of draft documents within their organization. 
    4. Client to provide legacy documentation to align branding on deliverables.