Let’s get real for a moment.
This saying exists for a reason “...it’s not IF but WHEN you will have a security incident
A few real-world experiences that will happen:
- Finance falls for a phishing scam and sends funds to a false account/person
- A customer reports that they have found their personal information on a common search engine
- FBI investigators reaching out relating that a bank is stating Credit Card (CC) number skimming has been traced back to your organization
- A staff member gets their PC encrypted from a ransomware email or worse the ransomware has impacted your server farm
The first item that will be requested by both legal counsel and an Incident Response (IR) Investigator are your policies. Information security policies are to describe how the organization wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies. Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented.
A mature security program requires the following policies and procedures:
- Information Security Policy
- Access Control Policy (ACP)
- Acceptable Use Policy (AUP)
- Remote Access Policy
- Incident Response (IR) Policy
- WiFi Policy
- Social Media Policy
- Email/Communication Policy
- Mobile Computing Policy
- BYOD Policy
- Disaster Recovery Policy/Business Continuity Plan (BCP)
Building and managing a security program is an effort that most organizations grow into overtime.