Do you believe your policies and procedures are perfect and can withstand any changes? They, like many other artifacts in a corporation, are living documents. They are a crucial component of any organization and are essential to ensure proper continuity of business and consistent decision-making. They also help protect your organization from fraud. They often drive the content of employee training programs. Agreed, policies should ideally not change too frequently, because they are usually written at a higher level; procedures, which are more detailed, tend to need updating more regularly.
[This is the third blog of our 11-part series in support of our white paper, Foresight 2020: 11 Cybersecurity Actions Your Organization Needs to Take. You can read the first and second posts here and here.]
Why is the review and revision of policies and procedures so important?
Simply put, information security is a moving target. We know this because of all the new and innovative methods that hackers are coming up with regularly to steal our data. New threats are continually emerging. One of the ways to help minimize the impact of a cyber attack or a data breach is to review your policies and procedures on an annual basis, or more frequently if your organization has undergone a significant change.
Some common reasons for regularly updating policies and procedures are:
- New laws and/or changes to cybersecurity regulations. If you are ever audited or reviewed by a government agency, they will most likely ask to see your policies and procedures.
- A data breach at your company. An incident may reveal weaknesses in your policies or procedures. A best practice is to debrief after any incident, and fix any newly exposed weaknesses that could be exploited by cybercriminals again.
- Implementation of new technologies (cloud-based solutions, Internet of Things, Big Data, etc.).
- Significant management changes at the company.
- Some policies or procedures may be too complicated, and you may find a more straightforward way of doing things.
- Cyber risk insurers often require that you maintain up-to-date security policies and procedures.
Five questions to ask when reviewing your policies and procedures
One good way of conducting the annual review of your policies and procedures is to pass each policy and procedure through a guiding lens. For instance, for each policy and procedure being reviewed, you could see if it meets the following criteria or answers the following questions:
- Is this policy or procedure still valid? Does it need to even exist? Sometimes, there may be changes within the company that necessitate removing or modifying some policies. Smaller changes may involve procedures alone, but a large enough change could warrant a more in-depth review of your policies as well. For instance, a data backup policy might state that all data must be classified according to criticality, and that critical data must be backed up daily. A data backup procedure would list all the steps that need to be taken to ensure compliance with the stated policy. These steps would most likely change if the company moved from an on-site backup solution to a cloud backup service. But the policy, depending on how it is written, may or may not need to be changed.
- Is this policy or procedure being followed properly? Review to see if employees are well-trained, and that the policy or procedure is well implemented in the workplace. Be sure to verify that employees know exactly what they need to do to comply with the policy.
- Does it help satisfy your company’s legal and compliance standards? Is this policy or procedure well aligned with the laws you need to comply with? For instance, many laws require the company to develop, implement, and maintain IT security policies and procedures. A healthcare entity governed by HIPAA would need to maintain and enforce policies and procedures for security, privacy and data breaches. A financial institution may be governed by FFIEC guidelines, which also recommend maintaining regularly updated policies and procedures. Your corporate policy might refer to the level of compliance that the company wishes to achieve, and the procedures would provide detailed instructions on how to achieve that level of compliance.
- Is this policy well aligned with the mission and values of your company? This is very important. A company might change its mission and values once in a while. The mission and values define why a company exists and what it stands for. The company’s policies should always be reviewed to be sure that they uplift the company’s mission and values.
- Is the policy or procedure clear and easy to understand? Are employees creating backup material of their own to help follow the procedures? Or, are they simply ignoring the policies and procedures because they don’t understand them? Be sure to review the language and wording of your policies and procedures – keep them simple and easy to follow.
Executive sign-off on policies and procedures
Typically, in most organizations, policies and procedures need to be signed off by senior management.
After completing your annual review, be sure to bake in some time in your plan to present the policy and procedure changes to management, and to get their buy-in and sign-off on them.
Most importantly, be sure to train all team members in your policies and procedures. Clearly handle their expectations and questions while going through this training. Get their commitment to implement these policies and procedures. This is a critical step often missed by organizations. Research shows that 46% of security breaches are the result of uninformed or careless employees.
In short, treat policies and procedures as part of the lifeblood of your organization, as they drive the day-to-day processes that are executed in all areas within the business. Review your policies and procedures annually, update them as needed, get executive sign-off, and train your team members!