You open your email and there it is. Finally, the company that you really wanted to work for has extended you an offer. You feel a rush of adrenaline as you open it and sign it. It’s official! It is time for you to embark on a new adventure.
Almost.
In a follow-up email, HR asks you to read through the company’s many policies, standards, and procedures, and to acknowledge in writing that you have read them and agree to follow them. What is all this?!
So, why exactly do we need so many security policies and procedures?
Policies and procedures reflect your organization’s internal view of how to run security. Beyond meeting compliance objectives such as PCI DSS and HIPAA, companies need to protect their employees, partners, customers, and themselves from damaging acts, whether malicious or unintentional. Documented policies and procedures give you a measurable way to validate and enforce compliance, and they give employees a clear statement of what the organization expects of them. Security is everyone’s responsibility, and self-management is best encouraged by rewarding the right behaviors!
Below is a short guide to getting started with your own IT security policies and procedures. Whether you’re an early-stage startup or an enterprise with custom frameworks and policies already in place, we’ve got you covered.
Early Stage Companies: I know policies are important, but I don't know which ones!
Now that we know why security policies and procedures matter, where do we start? Realistically, the challenge isn’t accepting that you need policies; it is identifying which policies you need and what a good policy looks like. Most early-stage organizations simply don’t know where to begin.
One approach is to purchase templates from a third-party organization. Several vendors provide templated policies and procedures for companies to start from, and many of those templates are written with a specific framework in mind, such as NIST, ISO, or SOC 2. Things to consider for this approach are:
- Price to purchase templates
- Time and money to build from scratch
Ask yourself whether this makes sense for your organization. Keep in mind that a purchased template still has to be tailored to what your organization actually does: an auditor tests whether you follow your written policy, not whether you own one, so a template that promises controls you don’t operate creates findings rather than closing them.
At JupiterOne, we believe that security is a fundamental right. We provide simplicity without sacrificing security through open source templates that make it easy to get started. Our Policies app provides a set of over 120 policy and procedure templates to help your organization build its security program and operations from scratch. The best part is that these templates are derived from our own internal policies and procedures and have been through several compliance assessments, including SOC 2 and HIPAA.
Enterprise Companies: That's great, but I already have my own Policies and Procedures...
Even if your organization already has its own policies, it probably doesn’t have one for every aspect of the business. So let’s address the potential gaps by looking at the frameworks your organization is targeting. If you’ve already spoken to an auditor or a risk and compliance professional, this is where they will have started: mapping each framework requirement to an existing policy, listing the requirements with no policy behind them, and deciding how best to tackle each gap.
One requirement that commonly turns out to be a policy gap is SOC 2 CC6.1:
“The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.”
To satisfy a requirement like this, you need both a written policy that covers your information assets, digital and physical, and controls that demonstrably implement it. The auditor evaluates practice against the written policy, so the policy has to describe what you actually do, and you need evidence that those controls were operating during the evaluation period.
You should also update and scale these policies and procedures as the organization’s growth and goals change. To learn more about the importance of Policy as Code and how to automate and scale it, check out the previous article in this series: Policy as Code: How We Do It (jupiterone.com)
Next Steps: Set Up Your IT Security Policies and Procedures Today
Are you ready to show off your new policies and procedures yet? In the next blog, we tackle how to programmatically manage your policies and procedures outside of the platform using our command line tool. If your organization is mature enough to have its own set of policies and procedures, stay tuned! And even if you use templated policies and procedures but want access to more advanced capabilities, stick around.
Don’t forget to contact your Customer Success Representative for more information. We’d be happy to set up a workshop to help, no matter where you are in this process!