The primary goal of security policy is to provide the “how” when it comes to implementing security controls. If you don’t have security policy in place, your employees have no standard to follow and will therefore carry out their everyday tasks inconsistently at best. Policy not only helps define the “how” but also the “why”. Policies provide guidance and direction to individuals within an organization.

Lack of policy or poorly written policy is an oversight we find in organizations in almost any security assessment we perform. The fact is that technology changes so rapidly, the policy you may have run your organization on just a year ago may no longer be relevant.

Incident Response Plan

As of 2018, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands require private and government entities to notify individuals whose information was involved in a security breach. Due to these breach notification laws, it’s imperative that your organization has an incident response plan in place. It is this plan that will help your organization:

  • Guide responses to cybersecurity breaches.
  • Help the organization plan mitigation and containment more effectively.
  • Reduce costs from mistakes associated with reacting to a breach under pressure.

The incident response plan service from Partners in Regulatory Compliance (PIRC) follows the NIST SP 800-61 standard for computer security incident handling. The plan will be custom-designed around your people, processes, and technical environment and will include the following key elements.

  • Statement of management commitment
  • Purpose and objectives of the policy
  • Scope of the policy (to whom and to what it applies, and under what circumstances)
  • Definition of computer security incidents and related terms
  • Organizational structure and definition of roles, responsibilities, and levels of authority, including the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity
  • The requirements for reporting certain types of incidents
  • The requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels)
  • The handoff and escalation points in the incident management process
  • Prioritization (severity) rating of incidents
  • Performance measures
  • Reporting and contact forms

Acceptable Use Policy

All organizations should be concerned with how their employees interact with corporate resources and potentially sensitive data. By establishing and enforcing clear rules and guidelines, your company has a leg to stand on if a careless or malicious employee harms the network or the data contained in your environment.

An acceptable use policy is a document that sets ground rules for your employees, factoring in your unique mission, vision, risk appetite, workflows, and technical assets. The importance of building a custom acceptable use policy that can be easily disseminated, understood, and followed cannot be overstated. Your organization needs an acceptable use policy for these reasons:

  • To establish a protocol to guide employee behavior when handling your network assets and potentially sensitive data.
  • To help organizations mitigate risks caused by employees.
  • To set forth sanctions for employees whose behavior falls outside stated guidelines.
  • To ensure uniform behavior across all departments.

Acceptable use policies also deal with new security concerns that didn’t exist years ago such as mobile device management and bring-your-own-device (BYOD).