Policy? We ain’t got no policy. We don’t need no policy! I don’t have to show you any stinking policy! This play on a quote from the 1948 film The Treasure of the Sierra Madre perfectly captures how many organizations approach policy development, but they might change their minds if they understood how vital policy is to their organization. Simply defined, a policy is a guideline that governs actions and processes within your organization. All policies should be aligned with your organization’s requirements and business goals, and they should be written down to help guide decisions or achieve an intended outcome. For example, your board may not want people who have been convicted of fraud or embezzlement working in the finance department, with access to corporate bank accounts and the ability to transfer money. So, they might develop a policy that requires background checks prior to extending an offer of employment. With this documentation in place, upper management won’t have to handle every single hire themselves to keep the company safe. Still, you may think you’re the one organization that doesn’t need any policies. We are going to explore two key questions that may change your mind: Why do all companies need policy? Why should you review those policies periodically?
Why Do Companies Need Policy?
The list of reasons you need policies is long and includes governmental regulations, contractual agreements and compliance, employee safety, and organizational objectives. In regulated industries, an oversight body from the U.S. government requires that you have certain kinds of policies in place. Contracts with partners or clients may also require that you perform certain tasks in very specific ways. More and more, for example, clients want to know what their vendors’ cybersecurity practices are, which would include policies around Information Security, Acceptable Use, Encryption, Data Destruction, Data Retention, and more. If you don’t have any policies around multifactor authentication or access to sensitive data, that could be reason enough for a prospect not to work with you. We know this first-hand, because many organizations hire TRUE to evaluate their potential vendors for exactly that reason. They are afraid to trust a vendor whose unsafe practices could get them into trouble. The ability to provide prospects with your company’s policies when they ask for them could be pivotal to your business.
Why Should Policy Be Reviewed?
Once a policy is developed and approved, it should be reviewed periodically to ensure that the language and intent remain current and accurate. It should be reviewed to ensure that any changes in regulatory or contractual requirements are addressed, as well as changes to your environment. The needs and objectives of a policy can change as your business grows or develops over time, and it should be updated periodically to reflect the current environment. For example, a company that houses all of its servers onsite should have a backup policy to ensure that appropriate data is safeguarded against unforeseen events. In this case, your policy would identify the types of data being backed up, the backup schedule, how long backups should be retained, whether and how backups are encrypted, the type of storage media used, and so on. Having it in writing could be essential in a number of scenarios. For example, documentation enables you to be more efficient as your team grows. Also, you never know when you might need to provide evidence of best practices. Especially in the case of data retention, if something goes wrong, you need to be able to demonstrate consistent best practices. Policy can support this, but if everything lives only inside your head, there is no way to validate during an inquiry that you did things the way they should be done.
Now let’s consider that years pass, and management decides to move to the cloud. The company’s physical servers are decommissioned and virtual servers are created in a cloud environment. Backups are now handled in a completely different manner and on different media. If the company does not review or update its backup policy to reflect the new environment and practices, employees will not be able to comply with the policy. Should an unplanned event occur that leads to a civil or criminal investigation, it will be revealed in an unfavorable light that the company was not following its own policy concerning backups. Courts will be unconcerned with whether or not the new processes are better than the prior processes, but they will most certainly pay attention if there is either a lack of policy or a disconnect between your policy and your practices. Further, if your company is filing a claim on its cyber-insurance policy, this could affect the claim negatively. Insurance adjusters typically inquire into the circumstances surrounding a failure to recover before paying out on a policy.
What Does a Policy Review Entail?
In short, reviews help employees achieve the objectives laid out by those who set strategy at your organization. A policy review should begin with a complete and thorough understanding of the original policy, any regulatory requirements (old and new), any contractual requirements, and the intent of the company. Next, the reviewer will need an understanding of the current environment to identify any gaps or inconsistencies that need to be addressed. Then, you will want to ask yourself whether any of your policies can be combined and whether any need to be retired altogether. For example, it would not reflect well if you retained a policy in your documentation that defines how configurations should be maintained on a firewall you no longer use. These are all examples of questions a review should ask and answer. In the end, keeping your documentation up to date can increase efficiency and protect you in the event of an inquiry or investigation, and it can also help you avoid fines for failing to meet regulatory and contractual obligations. Policies are an extremely important way for your staff to understand what is expected of them, and to help them meet the expectations of those in charge of compliance.
The need for a policy may not seem obvious at first glance, but it is essential to help you mitigate many of the risks facing your organization. Having up-to-date policy might just save the day down the road, and at the end of the day, that’s what you need from your cybersecurity program.
TRUE helps organizations develop policy through our Risk Advisory Services. If you would like policy development support, feel free to request a consultation with one of our experts.