Two weeks ago, we discussed implementing security policies. A quick review – you should ask yourself these things:
- What are the threats to your business?
- What are your vulnerabilities?
- Who is it applicable to? Short answer is everyone.
- What do you want to address? Define the policy and the actions.
- What is the standard and your expectations?
- What do you do when an incident happens? And when do you rehearse?
- How often will you review and update them?
We have previously talked about threats and vulnerabilities so I want to skip ahead to bullets 3 – who is it applicable to; and 4 – what do you want to address. These are critical because it helps set the tone for your business and where you want to prioritize security.
Who is it applicable to. I say the short answer is everyone because we want to first establish institutional/foundational level security. If you don’t have one or aren’t aware of one (an indicator that you probably don’t have one) then that needs to be addressed first. You need to develop basic policies for everyone. Ultimately and depending on your size and type, you may have certain security policies that are only applicable to managers or Information Security Officers, and some that are only applicable for certain functions.
What do you want to address. Primarily, we want to focus on security that is applicable to everyone in the organization:
- What is the organizational view on security?
- What is your Users Agreement?
- What is your incident response plan?
- What is your plan for backing up data?
- How will you train to ensure you have alert and aware employees?
- Do you want to establish a BYOD policy? Are cell phones even allowed? This is probably a topic for another blog but security is a discipline and it may not be in your best interest to allow BYOD. Either way, you should address it in a policy.
- What happens if you identify an issue? How do you report the issue?
- Do you have or need an Insider Threat Program?
- What is your policy on removable media? Are USBs allowed? Can you burn files?
- Do you have restricted areas and what are the processes for these areas?
These are all areas that should apply to all people in your organization. For some businesses or sole proprietorship businesses all of these may not be necessary, but doesn’t it at least warrant consideration and writing down a process.
Need more help, contact us and we can help you walk through the process and provide templates and designs to address the main points.