Cybersecurity – It Starts on Paper
By Barry Semple
Director of Technology
How many times in the past year have you heard mentions of cybersecurity? The topic is in the news constantly.
I get asked about the subject a lot: how to protect a server, how to protect a user, how to protect my company. However, what most people forget is that cybersecurity for any organization starts with the written word.
Start at the Beginning
What’s the first step in building a house? You start by drawing up the blueprints, then creating a plan and writing out a schedule. Without that planning step, building your house would just be a bunch of people adding structure by their own methods, with no rules or standards.
Like a house, cybersecurity needs to be built from the ground up. This is where an Information Security Policy comes in – a critical first step to building your organization’s secure future.
Building Your Cybersecurity Policy
So how do you get started on creating an Information Security Policy to support a comprehensive cybersecurity strategy? One caveat: be aware that policies must be tailored to the unique needs of each business. You can start with an “off the shelf” template, but make sure your policy fits your organization and doesn’t omit critical details that could impact business continuity or add unnecessary liability.
- State your company’s perspective – this covers the purpose, scope, and objective of your policy.
- Create a list of applicable industry compliance regulations – you will need to ensure that each point in your plan meets the compliance requirements and standards your industry demands (for example HIPAA, PIPEDA, Payment Card Industry (PCI) or GDPR).
- Determine what happens in the case of a security incident. Do any relevant compliance or standards bodies define what counts as an incident and require specific actions on the part of your organization? Failing to report a breach, for example, could result in stiff penalties.
- Also examine any contractual obligations and the promises you have made to clients with respect to data security and sovereignty (for example, if you have Canadian customers, are you permitted to store their data in the U.S.?).
- Consider the data perspective – think about the data you hold as an organization, and consider how to classify it and who requires access to it in order to ensure operational effectiveness.
- Also consider the physical perspective – this refers to standards regarding physical access to data within an organization and the physical security of servers and the infrastructure they run on. This can refer to something as basic as having locked doors on the cabinets where servers are housed.
- And last, but certainly not least, you must include the people perspective – defining the security responsibilities of all staff and the training they need to meet them.
A Good Plan Can Save a Company!
I’m sure you would agree that cybersecurity is critical in this day and age to protect data assets and mitigate risk.
You would never build a house without a plan, so why would you approach something as critical as cybersecurity without one?
Just remember what that house would look like with no blueprint or written plan to work from. Building a solid Information Security Policy for your organization will direct your efforts and ensure you have a sound foundation.