A significant risk to most organizations concerns documentation. Many organizations have either non-existent or incomplete documentation of their policies and procedures, or the documentation is simply out of date. In addition, significant gaps often exist between policy and the organization’s ability to execute in accordance with the policy. A lack of IT operations procedures also puts the organization at risk when there is staff attrition and important information is limited to the “tribal knowledge” in the heads of personnel who represent single points of failure. InfoSec Advisors can help determine what documentation you need, help determine appropriate operational strategies, and assess compliance to minimize risk. We can also review existing policies you may have, identify gaps, and make recommendations for improvement.
Every organization needs the following documentation to minimize risk:
- IT Operations Manual – This is a comprehensive document that captures all day-to-day operational policies and procedures of the IT function.
- IT Security Policy – This captures all aspects of an organization’s IT risk management strategy and the requirements that all personnel must adhere to, including but not limited to acceptable use of Internet, email, laptops, smartphones and tablets; password requirements; network and application access control and authentication; physical security and access control; data encryption; and use of approved third-party cloud services.
- Business Continuity & Disaster Recovery Plan – This captures all aspects of the organization’s ability to continue day-to-day operations and/or recover when faced with various types of catastrophic events such as fire, hurricanes, flooding, acts of terrorism, hacking attacks, and network, systems or application service outages.
- Regulatory Compliance-specific documentation – These capture all regulation-specific requirements to support such acts and standards as HIPAA, GLBA, PCI, FFIEC and others.