share

Every company should have documented Information Technology policies and procedures to prepare them for regulatory requirements. However most organizations, particularly startup companies, do not have the time or expertise in drafting these very important documents. They also are reluctant to write down their processes in fear of that they are not following best practices.

Having well documented policies and procedures will let an organization know exactly where they are now in respect to security, regulatory compliance, and risks to their organization. Policies and procedures help create budgets and assist in responding to security incidents and when there is a “glitch” in a system.

Policies and procedures also aid the organization in identifying Information Security Controls. Controls are used to meet objectives set by various regulations and certifications. Documented policies and procedures aid the organization in identifying these controls. Having identified controls give auditors a guideline to adhere to when they are on site reviewing your systems. When there are no controls to be reviewed auditors have a tendency to determine their own controls for a particular requirement and do not consider an organization’s custom environment and processes. Documented policies and procedures should be customized to your organization.

Once you have decided to develop policies and procedures the next step is implementing them. It is very important to draft these documents and ensure they are being executed. Organizations should take care in documenting what they are actually doing. There are many templates available on the internet for Information Security policies and procedures. However these templates should be tailored to the specific organization. For example, the template may say that you review privileged accounts on a quarterly basis, but in reality you have only a few privileged users and therefore only need to review semi-annually. This is very crucial in an audit because auditors will test you on what is documented, not on what you actually do. Your organization’s policies and procedures should be reviewed annually to ensure accuracy and account for any changes. Information Security Policies should be reviewed by senior management. Procedures should be reviewed by subject matter experts so that they can update the process described in the procedures if there are tool or technology changes.  

Does your organization view mature policies and procedures as a necessary evil?  What obstacles has your organization found when developing or implementing policies and procedures? How have you built in the time to commit to enforcing policies and procedures?

The International Organization of Standardization (ISO) 27001, Information Security certification and the corresponding Information Security Management System (ISMS) is a great place to start your policy and procedure documentation. It will aid in increasing efficiency, minimizing risk, and preparing for regulatory and government requirements like GDPR, PCI, SOX, etc. One of AppSec Consulting’s specialties is customizing policies and procedures for organizations that are trying to implement a security framework like ISO 27001.