By now, I imagine you’ve been facing pressure from either an auditor, regulatory body, or even a customer saying that you need to have a ‘Cybersecurity Policy’ in place. There is very little to counter that argument.
Square, meet Round Hole
There will always be common aspects of a security policy that are necessary to include, but every policy should be customized to your environment. Here are some simple questions that you need to answer:
- Is your business regulated (HIPAA, Dept. of Financial Services, FERPA, etc.)?
- Who is your audience?
- What kind of sensitive data do you deal with and what kind of format is it in (Paper, electronic, both)?
- Do you have systems that need to be updated on a regular basis?
If you don’t know all the answers to the above questions, a Risk Assessment will draw all of this out for you and help you craft a custom policy to your business. There are also occasions when you need to quickly put a policy or procedure in place, but keep in mind you should never implement a policy for the sake of checking a box.
If it is not measurable, it does not exist
The goal of security policies is to define the main security objectives and the security framework for an organization. The existence of current and accurate policies along with a formal process for ensuring they are communicated, reviewed, and updated regularly is crucial to protecting sensitive and regulated information.
Below is a process for implementing policies:
- How are policies and procedures monitored for effectiveness and how frequently?
- How are policies and procedures measured in terms of the results they achieve?
- How are policies and procedures disseminated to all faculty and staff?
- How often are the policies and procedures revised and updated?
- How will important and relevant content be included?
Finally, relax
Overwhelmed yet? Don’t worry, we are here to help. Innovative Solutions can help you determine what policies you should have in place, help you create them, and give you an implementation plan that makes sense for your business. Call 585.292.5070 x278 and speak directly to our Chief Information Security Officers to start the conversation.