An authoritative set of cybersecurity policies for small businesses are a must-have. However, before we define each of the documents, let’s first discuss how we determine which policies should be present in the portfolio. Typically, the policy writing process starts with a cybersecurity risk assessment. The risk assessment will identify, analyze, evaluate and prioritize the remediation of risk identified. The vulnerabilities are generally within a company’s network, computers and software applications. The risk that they present to the business will be categorized by severity. Additionally, the final report is delivered as an easy to read blueprint to eliminate the findings in the risk assessment. The two components that comprise the reduction of cybersecurity risk are technical controls and administrative controls. This article will focus on administrative controls.
Administrative controls are the foundational elements of a healthy cybersecurity program. Such documents control or set expectations for the company, outline acceptable and unacceptable practices and enhance protection. In cybersecurity, there are three prominent documents that help establish the precedence and they are labeled policy, procedure and control. Let’s take a look at each.
A policy is a statement of where your company stands with regard to certain risks. Its expression could be in the form of a mission statement or a simple overarching rule or can express the management team’s intent or protocol.
The procedure provides step-by-step guidance as to how the policy will be carried out and effectively implemented. Moreover, the procedure provides a set of tasks which can be referenced in an emergency to bring clarity and guidance during a crisis or some other catastrophic event.
A control is a standard with which performance can be measured and reported on. Controls demonstrate the efficacy of a policy and procedure and provide a vehicle for constant improvements. This helps the business understand past, present and future performance in quantitative terms.
Tying It All Together
Governance and\or compliance mandates such as HIPAA, PCI DSS and SSAE18 all require the use of and proper implementation of these three document types. Effectively, they show that a company has thought through its security program and have crafted a set of norms that can be measured and reported on. The expectation is that administrative controls will precede technical controls. They also identify which technical controls are needed to remediate a risk assessment finding. Cyber Security Experts are ready to partner with SMBs to help them craft and implement policies, procedure and controls.
For more information cybersecurity policies for small business, click here.