Filed In: ISO 27001, SOC 1/2, GDPR and Privacy, PCI DSS, Risk and Compliance
Information Technology Policies and Procedures: Are We Ready for Our Audit?
Written By: Keith Parkman November 09, 2018
Every company should have documented Information Technology policies and procedures to prepare it for regulatory requirements. However, most organizations, particularly startup companies, do not have the time or expertise to draft these very important documents. They are also reluctant to write down their processes for fear that they are not following best practices.
Having well-documented policies and procedures lets an organization know exactly where it stands with respect to security, regulatory compliance, and risk. Policies and procedures help create budgets and assist in responding to security incidents and to any "glitch" in a system.
Policies and procedures also aid the organization in identifying Information Security Controls. Controls are used to meet objectives set by various regulations and certifications, and documented policies and procedures make those controls easier to identify. Identified controls give auditors a guideline to adhere to when they are on site reviewing your systems. When there are no controls to be reviewed, auditors have a tendency to determine their own controls for a particular requirement, without considering an organization's custom environment and processes. Documented policies and procedures should therefore be customized to your organization.
Once you have decided to develop policies and procedures, the next step is implementing them. It is very important both to draft these documents and to ensure they are being executed. Organizations should take care to document what they are actually doing. There are many templates available on the internet for Information Security policies and procedures, but these templates should be tailored to the specific organization. For example, the template may say that you review privileged accounts on a quarterly basis, but in reality you have only a few privileged users and therefore only need to review semi-annually. This is crucial in an audit because auditors will test you on what is documented, not on what you actually do. Your organization's policies and procedures should be reviewed annually to ensure accuracy and account for any changes. Information Security Policies should be reviewed by senior management. Procedures should be reviewed by subject matter experts so that they can update the process described in the procedures when there are tool or technology changes.
Does your organization view mature policies and procedures as a necessary evil? What obstacles has your organization found when developing or implementing policies and procedures? How have you built in the time to commit to enforcing policies and procedures?
The International Organization for Standardization (ISO) 27001 Information Security certification and its corresponding Information Security Management System (ISMS) are a great place to start your policy and procedure documentation. They will aid in increasing efficiency, minimizing risk, and preparing for regulatory and government requirements like GDPR, PCI, SOX, etc. One of AppSec Consulting's specialties is customizing policies and procedures for organizations that are trying to implement a security framework like ISO 27001.