3 "Must Have" Cybersecurity Documents
January 10, 2020 by Loren Lachapelle
We see news of devastating cyberattacks every day in private and public organizations of all sizes, from phishing attempts, to business email compromises, to full-blown ransomware attacks. Any device that's connected to the internet is at risk of attack.
But there are certainly things you can put into place to reduce that risk, educate your employees, and prepare to respond should disaster strike. By having prepared documents that outline these efforts, you’ll establish a baseline functionality for your enterprise during an incident. The following are documents that should be written and integrated into your organization’s standard operations:
1. Information Security Policy
The Information Security Policy (ISP), and the plans associated with it, are the "operating manual" for your security program. It is a document (or set of documents) that outlines how your security program works, the roles and responsibilities of every workforce member, and which activities must be carried out in a prescribed manner. The ISP includes an overview of all day-to-day activities that keep the cybersecurity program working, as well as the big-picture strategic focus of the program.
Having a well-understood and smoothly operating environment, based on your team's documented processes and details, lets you confirm that the normal bases are covered and that you will be prepared for adverse events.
When creating an ISP for your organization, be sure to follow these recommended best practices:
- Integrate it into the organization’s mission and core business objectives; security should not be an afterthought or something that seems apart from the organization’s core strategy.
- Ensure staff at all levels of the organization understand the program as beneficial.
- Make it applicable to every workforce member, not as an IT-only document.
- Make sure it’s a natural part of your organization that acts as a business enabler.
Learn more about creating an ISP to fit your organization.
2. Incident Management Plan
The next written document your organization should have is an Incident Management Plan (IMP): a plan that is created and exercised to prepare for adverse security incidents such as phishing or ransomware attacks.
The purpose of an IMP is to ensure (and put into writing) that you know what you can and cannot do in response to a cyberattack or other security-related incident. These activities, resources, and limitations are pre-defined, trained, and tested so that they are in place before they are needed, and they are enacted during an incident to effectively manage all the stages from identification to recovery.
Just like the ISP, an IMP should be integrated into your organization's mission and business objectives. It's important to include business managers, front-line staff, senior managers, and board members in the program — in other words, the security team should practice incident management activities with everyone. If the organization is attacked, all staff should know what they can do to respond so the incident can be resolved as quickly as possible. This is not "someone else's role." From event identification to conclusion, an incident may involve everyone and anyone within the organization.
Read about how to prepare for and defend your organization against ransomware here.
3. Disaster Recovery & Business Continuity Plans
The Disaster Recovery (DR) Plan and Business Continuity Plan (BCP), along with their associated policies, standards, and procedures, should also be integrated into the mission.
The DR plan describes the action steps needed to restore functionality to the organization following an adverse event. For example, if a natural disaster or hardware failure disrupts IT services or facilities, the DR plan outlines how the organization will respond, and who will manage that response, to recover normal operations. The BCP is the larger strategic plan for resilience — i.e., how you keep the business functioning during an adverse event and which business processes take priority in the recovery effort.
When documenting the DR and BCP, keep in mind the following practices:
- Untested DR and BCP documents are less likely to work when you really need them; practice and test all activities (at least annually) at the departmental level.
- Exercise the DR plan beyond a tabletop walkthrough; simulate real-life scenarios to confirm the DR plan will work when needed.
- Update your BCP as business situations change — otherwise, it will become irrelevant.
Tying It Together
These three key institutional documents, and all the processes they describe, are essential for the health of your overall business. Without documenting and practicing procedures before disaster hits, it would undoubtedly be harder to mitigate the damage and recover fully from an adverse event of any kind — while still keeping your business operational. Remember to always tie your ISP framework requirements back to the mission, vision, and goals of the organization. Ensure that the IMP not only works, but works efficiently; do this by educating all levels of the organization and empowering each workforce member to perform their role should they be called to duty.
These foundational documents are the starting point for protecting your business and building the resilient organization you'll need to thrive in an ever more unpredictable business environment.
Download our Sample Information Security Program Template and you will be well on your way to resiliency!