Do you need security policies?

When most folks think about cybersecurity, they think about the tools—firewalls, anti-virus software, web filtering, etc. That’s smart. We always recommend a multi-layered approach to security.

But how do you decide which tools are the most effective for your organization? What roles do users play in security? Most importantly, how does everyone react to a security incident?

Security policies are critical in answering these questions, and for small organizations, a blend between systems and policies is a cost-effective way to manage security.

What’s a Security Policy?

Security policies outline the strategy for how you protect your organization and your customers from cybersecurity threats. These policies 1) set clear expectations for how your users interact with technology and data, 2) outline the systems and processes in place to prevent vulnerabilities, and 3) define how you respond to a security incident in order to reduce impact.

Types of security policies include:

  • Acceptable Use—provides guidelines on how technology is to be used.
  • Access Management—creates standards for creating, managing, and disabling network and application accounts.
  • IT Infrastructure Management—describes processes for how the organization’s technical functions are managed. This applies to the staff (or vendor) responsible for maintaining and supporting the IT infrastructure.
  • Security Incident Response—highlights what to do when a threat is suspected and how to react to an actual security incident.
  • Security Management—defines the processes for managing the activities and tools used to ensure the security of the environment

How do you get started?

  • Define security objectives. For this, we interview your organization’s management team to get their input on what security means to them.
  • Document security-related tools and systems already in place. The policies will reflect what proactive measures your organization already uses.
  • Create the framework. There are lots of templates available online, but take caution as they are typically too general. Your policies should include:
    • Overall objectives defined by the management team.
    • Privacy statement to help prevent the information becoming available to unauthorized parties.
    • Clarity on which employees the policy applies. Is it all offices? All users?
    • Roles and duties of all team members, and possibly vendors.

Tips for making your policy successful:

  • Get alignment from the entire management team. They will be responsible for enforcing the policies, and they will support something they believe in.
  • Training is KEY. Everyone should be aware of the organization’s stance on security. Keep records of annual training.
  • All policies should capture what is currently in place.  It’s easy to start with all the improvements that can be made and forget to capture what you’re already doing.
    • Once your policies are published, you can start to address gaps based on priority. The ultimate goal is to be compliant. If you write your policy based on future goals, you are immediately noncompliant.
  • A short policy is has the best chance for being followed. Be detailed where you must be detailed, but your policy should be as clear and concise as possible.

What if my organization doesn’t have compliance or regulatory requirements?

Security policies are important for all businesses, even those who don't have to have them to meet compliance requirements. Here are just two examples from our own clients:

Our clients are seeing a lot of spoofed emails and phishing attacks. In these scenarios, it is critical to react quickly and thoroughly. A delayed response could cost your organization thousands of dollars, network disruption, and data loss. Even if it doesn’t directly impact your organization, these types of breaches can impact your clients. We’ve unfortunately seen our clients respond to spoofed emails by wiring money to the wrong people. Security policies help your users know what to do.

One of our clients, a recruiting company, wanted to work with a company that had strict compliance requirements. To be a vendor, our client needed to present their policies for auditing. We partnered together to build their security policies within a few weeks.

We want you to be prepared before you need to take action. The hard part is deciding to get started. Let us know, and we can help guide you.

Comments