So what about policies and procedures? Where do they fit? Are they anything more than the product of “give the auditors what they want”? When was the last time, or better yet, have you ever had a meaningful dialogue around policies and procedures? Just in case you’ve forgotten, policies and procedures provide the framework within which your company operates.
Unfortunately, far too many organizations "don't know what they don't know". There's a presumption that the policy and procedure documentation will ultimately find its way back onto the shelf unchanged (with the exception of a new signature) until the next time an auditor asks for it. So, why invest time and energy...and yes, money, into creating and re-engineering policy and procedure documentation? Below I have, at a high level, given a few of the primary reasons why creating or re-engineering policy and procedure documentation is critical to your business. We all have very busy professional lives, so this is not intended to be a heavy technical read. Keep it simple, right?! Please feel free to private message me with any comments or inquiries. I'd be glad to discuss matters at a much deeper level if interested.

Matters of Compliance - Whether your organization is interested in adopting, or certifying to management and regulators against, standards and guidelines such as ISO 27001, HIPAA, HITRUST CSF (Common Security Framework), PCI, COBIT or any other in a long list of compliance requirements, policies that reach across the entire organization, such as an Information Security Policy, Access Control and Business Continuity, will be required (as an aside, COSO defines control activities as “the policies and procedures that help ensure management directives are carried out").
Many other policies, while not required, do help establish a more robust control framework. Simply put, one's organization can't afford to be out of compliance. Policy and procedure documentation is often the first item requested (albeit sometimes not the first to be updated), and is viewed as the foundation of a well-controlled organization.

Tone at the Top - Cyber-security is a hot button topic...as it should be...but how much time is spent, after all the penetration tests, vulnerability scans, IDS
It's been my experience that many organizations underestimate the importance of well-planned and well-written policies and procedures in their push towards confidentiality, integrity and availability...the ultimate goals of a sound information security framework. Policies and procedures are the critical underpinnings of a sustainable security posture. Specifically, the Information Security Policy, when well defined, is a set of instructions that helps guide IT professionals in defining and enacting security controls, including access and authentication methods. It will establish what the organization considers acceptable versus unacceptable behavior. Ultimately, when performed correctly, the exercise of creating the policy and procedure taxonomy will communicate the tone at the top to the rest of the organization. This communication will describe the cohesive strategy adopted between IT and the rest of the organization...also known as aligning IT and the