Information security policies, standards and procedures typically fall to the bottom of many companies’ to-do lists. Nobody gets excited about the tedious process of creating these kinds of documents. But it's worth making the effort to create and maintain these key documents. Investing some time now will make your organization far more secure and efficient in the months and years ahead.
First, let’s break down what goes into each of these governance documents.
Policies are the high-level statements that communicate your objectives. Think about the information security policies as the vision statement that clearly states your values in this area and what you intend to put into action. Your organizational culture will drive how you set policies, as they reflect how you view risk, what role you expect end users to play in security and more.
Standards go more in-depth and elaborate on the policies. Standards will specify details such as:
Standards lay out the specifics of how each control area fits into the overall information security program. For example, if a control framework you’re following requires specific steps around firewall settings or encryption measures, your standards will explain exactly what you do about those things. Auditors assessing you against most compliance frameworks will ask about your “policies,” but what they usually want to see is your standards.
Procedures are the step-by-step instructions for fulfilling the policies and standards. For every control area your policy covers, you should have corresponding procedures explaining how the organization will carry out that policy. Procedures turn policies and standards into tangible action steps, so each procedure should name the specific roles (or employees) and technologies responsible for carrying it out.
1. You experience a breach – Your Incident Response plan and Business Continuity/Disaster Recovery plans will help limit the damage and restore your operations as quickly as possible.
2. You have to discipline/dismiss an employee for inappropriate use of technology – Your Acceptable Use Policy, which you had each employee sign on their first day, lets you enforce the rules.
3. Vendors demand evidence of your security program – You can share a wide variety of documents to show that you take security seriously at all levels of the organization.
4. A user accidentally gives their credentials to a hacker – A solid Access Authorization/Identity Access Management policy limits each user’s access to the data their job requires, so a stolen credential gives the attacker a correspondingly small foothold and less room to move laterally.
5. An entry-level employee makes a bad choice on a firewall setting – Your Change Management policy builds in reviews to catch unintended consequences in time.
Now let’s explore why these three types of documents are important for your business.
It’s just good business to have solid policies/standards/procedures. But it usually takes outside pressure to make most organizations get serious about their policies and standards. In today’s tougher cyber insurance marketplace, for example, you may not even be able to renew a policy without having basic policies/standards in place. At minimum, creating these documents helps you get better rates on insurance. Many large companies are also taking a harder look at the cybersecurity practices of all their vendors. So your company’s contracts may soon depend on your having the policies/standards/procedures that prove you have a mature security posture.
It's crucial that you show your employees exactly what is expected of them. A murky vision inevitably raises questions. Creating a universal guide for everyone will unify and direct the team in times of crisis or confusion.
A written governance program gives leaders a way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find policies, standards and procedures, you can hold everyone accountable for abiding by them. Your employee onboarding process should build cybersecurity awareness into every employee’s first day on the job. One of their first tasks should be reading applicable policies and signing a statement that they have read the documents and agree to comply with them.
Executives should be involved in creating the policies, standards and procedures and should play a role in socializing them throughout the organization. If an executive is involved in the creation of these documents, they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate and understand what is important to the executives.
Your organizational size and industry niche will determine some of the governance documents you need. A large business with numerous employees typically requires a more detailed plan than a small organization, and regulated industries will have documents their frameworks require outright.
You need to address how to get the governance program in place. Talk with your IT operations team to make sure they’re ready to follow the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key.
Understand that once you have your policies, standards and procedures in place, you still have work to do. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to review all these important documents annually to proactively evaluate the security controls related to the confidentiality, integrity and availability of your business’ sensitive information.
Several policies and procedures require regular testing to confirm that everyone understands them, that they’re still current and that somebody actually knows how to do each step in the procedures. Incident response plans, in particular, require regular testing via tabletop exercises and other evaluations. During testing, many organizations realize that “restore data from backup,” for example, isn’t quite as straightforward as it sounds. That prompts them to update the plan to cover every detail in a way that makes them truly ready for quick deployment.
If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.
Russia’s attack on Ukraine clearly isn’t limited to tanks, planes and missiles. Russia has already deployed, and will continue to deploy, cyberattacks as part of a strategy to destabilize or outright shut down its opponents. Most of us don’t play a role in battling nation-state cyber warfare. But this blog covers what organizations of all sizes should know about the potential impact of these global events and how you can take common-sense steps to protect your operations and data.
Russian hacking isn’t a new threat, so you’ve probably been battling it for years without realizing it. President Biden addressed Russia’s harboring of hackers at a meeting with Vladimir Putin in June 2021, and government and private security professionals have been fighting Russian interference for at least a decade. In January 2022, CISA issued an alert focused specifically on understanding and mitigating Russian state-sponsored threats to U.S. infrastructure.
But Russia’s attack on Ukraine brings new urgency, as Russia has already sought to bring down Ukraine’s government and critical infrastructure, mainly via denial-of-service attacks and destructive malware. Thus far, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said in a statement that there are no specific or credible threats to the U.S. homeland at this point. But as sanctions begin to take effect, attacks may ramp up.
Few organizations face a real possibility of direct attack by nation states. But impacts could still be widespread if threat actors manage to compromise supply chains or critical infrastructure. The Kaseya supply-chain attack and the Log4j (Log4Shell) vulnerability have shown how quickly one compromised or flawed component can cascade throughout a software ecosystem. Russia’s attack on Ukraine may be your wakeup call, but regardless of the current headlines, you should incorporate the following best practices to protect your environment.
If you do suffer a breach, a calm, organized, well-planned response can greatly limit the damage and speed up your recovery time. Now is the time to pull out your incident response plan and make sure that it accurately reflects who is on your team, the tools you have in place, etc. The same goes for your business continuity/disaster recovery (BC/DR) plan, which describes how you’ll keep operations going if a crisis occurs.
Set up a tabletop exercise to walk through a simulated breach and identify any missing or unclear steps in your plan. Many organizations have only vague notes, for example, about how they would restore data from backups. Take time now to investigate how your backups work and the exact steps and timeframe it would take to restore your critical data.
Cloud-based services could be high-value targets for foreign attackers. So your IR plan should address how you’ll maintain operations if you lose access for a time to your customer relationship management (CRM) platform, document exchange service, Microsoft Office 365, etc.
Again, this is something that should be part of your normal practice, especially after Log4j showed how rapidly a vulnerability in one widely used library can spread to every product that embeds it. Many software developers have relied heavily on outsourcing work to programmers in Russia and eastern Europe in recent years. It will be a massive task to comb through all of your code, and its commit history and third-party dependencies, for elements with Russian origins. But this process may become necessary to ensure that no allies-turned-adversaries left a pathway into your system for Russia to potentially exploit.
U.S. authorities count on reports from private organizations to help them maintain an accurate picture of current threats. If you experienced an incident or spot anomalous activity, report it to:
If you experience a breach and need immediate assistance with assessing the situation and getting back online, call Pratum’s Breach Line 24x7 at 515-212-6634.
If you need advice on getting your policies and plans in place, contact us today.
Every year, Pratum consultants review information security policies for dozens of organizations as part of regular risk assessments. And while no two organizations are exactly alike, we do find one consistent theme: Most clients need to do some serious work on their information security policies. The policies are often incomplete, badly outdated or missing altogether. That means that strengthening your security posture should start by checking whether you have the following essential policies, which our consultants have ranked in rough priority order. (And, of course, you need to actually follow the policies you have in place.)
Start with this foundational document. It provides an overview of the topics that you can develop further in the specific documents listed below as your program matures. Your Information Security Policy covers the top-line aspects of areas such as acceptable use, password management, access control, encryption, etc.
These are the basic rules for everyone in your organization. Make sure the policy is clear and concise and that every employee reads it and signs it on their first day of work. Writing this policy and sharing it with each employee ensures that you can enforce critical security rules in the future.
Don’t start thinking about how to handle a data breach on the day you discover one. A written IR plan helps you anticipate potential issues and create a detailed checklist that tells everyone what to do when stress is running high. A recent IBM Cost of a Data Breach study found that organizations with an IR team that regularly tested its IR plan cut the average cost of a breach by roughly 55% compared with organizations that had neither. A good plan identifies your response team in advance and clearly describes each person’s duties, along with how the team will coordinate efforts. Use this guide to start creating your plan.
Hackers always hope that compromising one set of credentials will give them access to your entire environment. You contain that damage by limiting each user’s access to no more than the data they need to do their job. Write a policy for determining what access every user gets, and be sure to include a plan for reviewing and updating access when people switch jobs, leave the organization, etc., so that stale permissions don’t accumulate.
Closely related to the IR plan is this policy that anticipates how you’ll avoid serious operational interruptions in a variety of scenarios. Your BC/DR plan lays out the business impact of various threats and describes how you’ll pivot to restore critical operations as quickly as possible. Be sure to plan for testing to confirm that your plans hold up in real life.
This document explains your organization’s overall approach to evaluating and remediating risks. The policy will explain how you identify risks, measure their likelihood and impact, set strategies for handling them, etc.
The security of your key suppliers and partners is your problem, too. If a key supplier suffers a breach, you may lose access to essential supplies and services. If one of your software suppliers gets breached, your own system could be infected with malware unwittingly delivered by someone you trust. You need a policy for reviewing the security posture of all third parties, whether that’s following your own security questionnaire or requiring something like a SOC 2 report.
Who has authority to change IT elements such as firewall settings or approve a new piece of software? Your policy should ensure that only qualified people have that authority, and that proposed changes are reviewed by the appropriate stakeholders to avoid unintended consequences.
You can choose to view your end users either as the biggest threat to your security or as your biggest team of frontline defenders. Treating them as defenders means you need a plan for purposefully educating each employee on critical security issues, with an emphasis on the “why” so everyone knows how it affects them.
Your end users interact with this policy multiple times a day as they log into their systems. Yet password policies are still widely overlooked. Compromised credentials remain one of the top ways hackers get into a system. And if you’re wondering how robust most password policies are, consider that the most popular password in 2021 was “123456.” The second most popular was “password.” Make time to update your policy to require strong passwords, and pair it with multi-factor authentication so that a single leaked password isn’t enough on its own.
If you need expert help in reviewing your existing policies or writing new ones, contact us today to talk to a Pratum cybersecurity consultant.