Is Your Cyber Security Documentation in Order?

While these five pieces of cyber security documentation won’t necessarily cover everything your business needs, they are great starting points for a business putting their strategy together from scratch. And if, while going through these, you notice a document that your business doesn’t already have in place, now’s the perfect time to start putting it together. 

Remember that security shouldn’t be an afterthought – it should be built into your company culture and will play an important role in reaching and exceeding your goals.

1. Information Security Policy

Data security has never been more important, and your employees have a fundamental role to play in ensuring its safety. Your Information Security Policy is a guide for your teams, ensuring that they know exactly which information is confidential, how it should be stored, who it can be shared with, and under which circumstances. 

Any decent Information Security Policy should include: 

• Email security protocols 
• Steps that should be taken if data becomes compromised 
• Details of how your data is stored and secured 
• Any legal requirements from regulations like POPI that restrict how information is processed

2. Disaster Recovery & Business Continuity Plans

Don’t wait for disaster to strike. By then it’s too late to start putting together a recovery plan. All that will lead to is panic. You want to have a plan in place before the worst case scenario becomes a reality. 

Disaster Recovery Plans are often all about keeping your IT up and running, or getting it back online as quickly as possible. But there are also other areas of your business that are at risk and should be covered in your cyber security documentation. Your Business Continuity Plan revolves around every area of your company, beyond just your IT services and infrastructure.  

It covers, for example, what should happen if your premises becomes inaccessible due to a fire or natural, or if a critical member of your staff were to no longer be available. It covers any and every eventuality to ensure that no matter what risks your business faces, you have a plan for reacting to them. 

Your Disaster Recovery and Business Continuity Plans should include: 

• Critical areas that cannot afford to go offline 
• Your Recovery Point and Recovery Time Objectives (RPO and RTO) 

• List of people who are responsible for putting security measures in place 
• List of people who are responsible for bringing your business back online 
• Contact details for service providers who will need to be informed of disasters 
• Procedure for informing your clientele of disasters 
• Where, how and how often backups are stored

3. Data Backup Policy

For many businesses, their Data Backup Policy will form part of their Disaster Recovery Plan. But it’s important to have a policy in place for storing copies of your data in general as well. After all, disasters may come in forms that many businesses wouldn’t think of.  

Human error, for example, can result in files, documents or data becoming lost without a natural disaster or cyberattack taking place. And these kinds of mistakes can cause almost as much damage as a full-scale attack if not planned for accordingly with a Data Backup Policy. 

Storing your files and data in the cloud to begin with is a step in the right direction. It ensures that they are accessible to whole teams of people, one of whom is likely to notice a human error before it’s too late. But even cloud storage on its own is not infallible. Which is why you need to ensure that your critical data is being captured and stored separately, ready to be recovered should the need arise. 

Your Data Backup Policy should include: 

• Details of the backup facilities that are in place 
• Schedules for when backups should be performed 
• List of people who are responsible for checking and testing backups 
• Process for restoring data backups

4. Incident Management Plan

Disaster Recovery and Business Continuity plans are complex and overarching. They entail everything that needs to be done to ensure the seamless continuation of business even when disaster strikes. But when it comes to individual instances, often a more step-by-step approach is required. And this is where your incident management plan comes in. 

• What should your employees do if they come across a phishing email? 
• Who should they call if they notice unauthorised access to a document? 
• What steps should they take if their antivirus picks up on malware on their machine? 

These are all questions that your Incident Management Plan should answer. And the answers shouldn’t be theoretical either. Training your teams should be all about regularly putting these scenarios, and your teams’ responses, to the test. This will ensure that your Incident Management Plan is fool-proof and detailed enough to cover any problems that your employees may encounter.

5. Remote Access Policy

With more employees working remotely than ever before, it’s essential that your business have a Remote Access Policy in place for any team members who need to work from home or while traveling. Even if all of your employees are currently in the office, there is no knowing when the next hard lockdown may hit, or what the future may hold for work environments. Having measures in place to accommodate remote working, even if it’s as a last resort, can see your company thriving, even during the most difficult of times. 

Your Remote Access Policy should include: 

• Details of when employees can qualify for working remotely 
• Information that should be provided to your business to ensure secure remote access 
• Lists of devices that your remote employees use, together with their MAC and IP addresses 
• Lists of people responsible for managing access to your network and cloud solutions 
• Security apps that your employees should have installed on their devices 
• Details of communication platforms that remote employees should have access to.