I love working in IT – I always have. Since I was a teenager, I’ve always had a passion for technology. Learning how it works, fiddling with it, fixing it. And there was even a time when I wanted to test my abilities, and see if I could gain access to, for example, my high school’s systems.
Of course, I’m not a bad guy. So once I’d hacked into their systems, my main aim wasn’t to cause havoc. It was to show them where their weaknesses lay, and to fix them. I don’t think the principal was impressed. I was banned from the computer lab for two months, and given a special project to do as punishment.
Why am I telling you this? It’s not just to relive my younger years. It’s to help you in the same way that I helped Mr. Cohen. To ensure that your business is secure against the cyber threats that are out there.
One of the best ways to prepare yourself and make sure that your cyber security is up to scratch is to start simple: with documentation.
Why is Documentation Essential?
Cyber security documentation is essential for any business. It helps you not only to identify risks to your company, but also to systematically detail your steps for avoiding or mitigating those risks. This is also a perfect opportunity for your business to assign responsibilities.
- Who should your teams turn to if something goes wrong?
- What are your employees’ responsibilities when it comes to email and device security?
- Who is in charge of managing access to your company’s documents, whether they’re in the cloud or on-premises?
And your documentation can detail more than just how your internal teams are managed. It’s important that your service providers are included as well. This will ensure that there is a thorough understanding of where responsibilities lie if a worst-case scenario comes true.
5 Critical Pieces of Cyber Security Documentation
While these five pieces of cyber security documentation won’t necessarily cover everything your business needs, they are great starting points for a business putting its strategy together from scratch. And if, while going through these, you notice a document that your business doesn’t already have in place, now’s the perfect time to start putting it together.
Remember that security shouldn’t be an afterthought – it should be built into your company culture and will play an important role in reaching and exceeding your goals.
1. Information Security Policy
Data security has never been more important, and your employees have a fundamental role to play in ensuring its safety. Your Information Security Policy is a guide for your teams, ensuring that they know exactly which information is confidential, how it should be stored, who it can be shared with, and under which circumstances.
Any decent Information Security Policy should include:
- Email security protocols
- Steps that should be taken if data becomes compromised
- Details of how your data is stored and secured
- Any legal requirements from regulations like POPI that restrict how information is processed
2. Disaster Recovery & Business Continuity Plans
Don’t wait for disaster to strike. By then it’s too late to start putting together a recovery plan. All that will lead to is panic. You want to have a plan in place before the worst case scenario becomes a reality.
Disaster Recovery Plans are often all about keeping your IT up and running, or getting it back online as quickly as possible. But there are also other areas of your business that are at risk and should be covered in your cyber security documentation. Your Business Continuity Plan revolves around every area of your company, beyond just your IT services and infrastructure.
It covers, for example, what should happen if your premises become inaccessible due to a fire or natural disaster, or if a critical member of your staff were no longer available. It covers any and every eventuality to ensure that no matter what risks your business faces, you have a plan for reacting to them.
Your Disaster Recovery and Business Continuity Plans should include:
- Critical areas that cannot afford to go offline
- Your Recovery Point and Recovery Time Objectives (RPO and RTO)
- List of people who are responsible for putting security measures in place
- List of people who are responsible for bringing your business back online
- Contact details for service providers who will need to be informed of disasters
- Procedure for informing your clientele of disasters
- Where, how and how often backups are stored
3. Data Backup Policy
For many businesses, their Data Backup Policy will form part of their Disaster Recovery Plan. But it’s important to have a policy in place for storing copies of your data in general as well. After all, disasters may come in forms that many businesses wouldn’t think of.
Human error, for example, can result in files, documents or data becoming lost without a natural disaster or cyberattack taking place. And these kinds of mistakes can cause almost as much damage as a full-scale attack if not planned for accordingly with a Data Backup Policy.
Storing your files and data in the cloud to begin with is a step in the right direction. It ensures that they are accessible to whole teams of people, one of whom is likely to notice a human error before it’s too late. But even cloud storage on its own is not infallible. Which is why you need to ensure that your critical data is being captured and stored separately, ready to be recovered should the need arise.
Your Data Backup Policy should include:
- Details of the backup facilities that are in place
- Schedules for when backups should be performed
- List of people who are responsible for checking and testing backups
- Process for restoring data backups
4. Incident Management Plan
Disaster Recovery and Business Continuity plans are complex and overarching. They entail everything that needs to be done to ensure the seamless continuation of business even when disaster strikes. But when it comes to individual instances, often a more step-by-step approach is required. And this is where your incident management plan comes in.
- What should your employees do if they come across a phishing email?
- Who should they call if they notice unauthorised access to a document?
- What steps should they take if their antivirus picks up on malware on their machine?
These are all questions that your Incident Management Plan should answer. And the answers shouldn’t be theoretical either. Training your teams should be all about regularly putting these scenarios, and your teams’ responses, to the test. This will ensure that your Incident Management Plan is fool-proof and detailed enough to cover any problems that your employees may encounter.
5. Remote Access Policy
With more employees working remotely than ever before, it’s essential that your business have a Remote Access Policy in place for any team members who need to work from home or while traveling. Even if all of your employees are currently in the office, there is no knowing when the next hard lockdown may hit, or what the future may hold for work environments. Having measures in place to accommodate remote working, even if it’s as a last resort, can see your company thriving, even during the most difficult of times.
Your Remote Access Policy should include:
- Details of when employees can qualify for working remotely
- Information that should be provided to your business to ensure secure remote access
- Lists of devices that your remote employees use, together with their MAC and IP addresses
- Lists of people responsible for managing access to your network and cloud solutions
- Security apps that your employees should have installed on their devices
- Details of communication platforms that remote employees should have access to
What Comes Next?
These five pieces of cyber security documentation are hardly the only documents that your company is going to need. Even the information that we’ve provided about them is far from complete! This is because your business’s cyber security needs are going to be different from the company down the road, or the one next door.
Every business has unique needs, and your cyber security documentation needs are the perfect example of this! But that doesn’t mean that you’re on your own when it comes to putting plans and policies in place.
Solid Systems has decades of experience in helping businesses around the world minimize risk and secure their data and assets. We want to see your company stepping confidently into the future with the help of technologies that have a real impact. So contact us today to find out how we can guide you down your cyber security documentation path.