Staying true to your policies and standards

Wednesday, 9 August, 2023


Most organisations have a set of policies and standards that govern how they respond to security incidents and threats. Having them in place is only half the job; what matters is that they are actually used.

Policies state the intended way of doing things within your business, whereas standards set out the requirements that must be met in order to support those policies.

We often see clients with the right documentation in place. This is particularly true of those certified to ISO 27001, where the annual audit cycle keeps it maintained. However, we also see clients who have the documentation but little or no adoption of it across their business.

Here are a handful of tips for making policies and standards work more effectively in your business:

Keep standards and policies relevant to your business

It’s easy to adopt policies and standards you don’t need, so be cautious of this. If you go online and search for types of policies and standards to implement, you’ll find plenty - but many of them won’t apply to your business, and adopting them wholesale wastes time and produces documents that are of little use to the people who have to follow them.

It goes back to knowing the basics and asking “What are we defending?”. If you know the answer to that, it makes life much simpler for everyone. You can focus your efforts on protecting the right things.

Organisations grow in different ways - organically, or through mergers and acquisitions. Either way, it’s crucial to review the policies and standards you have. With organic growth, you want to check that the content is still relevant. If you grow through mergers and acquisitions, you may need to integrate the different cyber security approaches of the businesses being merged. So, again, it’s crucial to review what you need to protect and align your approach accordingly.

The startup landscape is another area where it’s important to ensure you’re adopting the right policies and standards. As outlined in startup cyber security requirements, the approach is very different from the one you’d use in a larger organisation, so it’s important to develop your basic policies first.

Using a framework as a baseline can help

A cyber security framework, such as the NIST Cybersecurity Framework (CSF), can help you gauge whether you’re covering the right bases. For example, the CSF’s “Respond” function sets out what an incident response plan should contain. Its categories - response planning, communications, analysis, mitigation and improvements - tell you that your plan needs to cover who communicates what during an incident, how incidents are analysed and contained, and how lessons learnt are fed back into the plan.

A framework won’t tell you whether a particular policy or standard is right for your business, but it’s a good place to start.

It’s not about checking things off lists

Implementing policies and standards is becoming a checklist exercise. It shouldn’t be - they’re not just documents to refer to when needed, they should actively guide your company to ensure the right practices are being followed.

Once established, they’re not always kept up to date either. Such documents need to be maintained as the threat landscape changes and new technologies emerge. Your policies and standards should adapt too, so that the safeguards you implement keep pace with the new cyber risks your business may encounter.

What can you do to ensure your business adopts the policies and standards?

Policies and standards should be everyone’s go-to source for how things are done in your business.

Help your people understand what’s relevant to them

As part of your onboarding process, newcomers should be made aware of the basic policies and standards that are relevant to them. You need to consider the needs of existing colleagues too - everyone should have easy access to the policies and standards they might need to refer to frequently. They shouldn’t be difficult to locate: keep the documents in a known, centralised location, such as a shared drive or intranet.

Keep testing your policies and standards

Where it’s possible, testing them is the best indication of whether they actually work. Obviously that’s easier for some than others. You should test your incident response plan, for example. It’s no good being faced with an incident and only then finding out that your response plan doesn’t suit your business, or that you can’t actually restore your data from your backups. Tests may be time- or resource-consuming, but they are necessary to understand whether your approach is true to your business.
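As an added example (not code from the original post), this is the kind of automated check the backup point above calls for: take a checksum manifest at backup time, restore the archive into a scratch directory and verify every file against that manifest. The helper names, the tar.gz format and the sample files are all assumptions made for the illustration; the point is that a restore is only proven when the restored data is compared with what was backed up, not when the backup job reports success.

```python
"""Restore test for a backup archive: hypothetical helper, not from the original post."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict[str, str]:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir: Path, archive_path: Path) -> dict[str, str]:
    """Write a gzip tarball of source_dir and return the manifest taken at backup time.

    The manifest is returned (and should be stored) separately from the archive:
    a manifest inside a damaged archive cannot vouch for that archive.
    """
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    return manifest


def restore_test(archive_path: Path, manifest: dict[str, str]) -> dict:
    """Restore the archive into a scratch directory and verify every file against the manifest."""
    missing: list[str] = []
    mismatched: list[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        restore_dir = Path(tmp)
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to later 3.8-3.11 releases)
                # rejects absolute paths and path-traversal entries in the archive.
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)  # older interpreters without the filter argument
        for rel, expected in manifest.items():
            restored = restore_dir / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != expected:
                mismatched.append(rel)
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched}


def run_demo() -> tuple[dict, dict]:
    """Run the check against a sound backup and a damaged one (constructed sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed
        (src / "notes.txt").write_text("constructed sample file\n")  # constructed
        archive = Path(tmp) / "backup.tar.gz"

        manifest = create_backup(src, archive)
        good = restore_test(archive, manifest)

        # Simulate a backup job that silently lost one file and corrupted another,
        # then check the new archive against the manifest recorded at backup time.
        (src / "finance" / "ledger.csv").unlink()
        (src / "notes.txt").write_text("truncated")
        create_backup(src, archive)
        bad = restore_test(archive, manifest)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("intact", "damaged"), run_demo()):
        print(label, result)
```

Run this on a schedule against a real backup and alert on any result where "ok" is false; the "missing" and "mismatched" lists tell you which files to investigate. Keeping the manifest outside the archive is deliberate: if the backup medium is damaged or tampered with, the manifest stored alongside it would be too.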

Communicate about changes

Policies and standards don’t just inform the people in your business; they hold the business to what you have decided is a secure way of doing things. So it’s also important to make people aware of any changes or updates to them, particularly where a change significantly affects the way they work.

Making policies useful

This list isn’t exhaustive, but it’s a good starting point - it’s all about ensuring your policies and standards remain useful to your team, without burdening them with bureaucracy.

Photo by Kaleidico on Unsplash