Cybersecurity Policies
KatieBraswell
Good morning and Happy Friday!
We just went through our annual audit and cybersecurity issues were raised and it was suggested we create a policy. I was wondering if anyone has addressed this issue and maybe created a policy we could review? Thank you for any assistance.
Katie
3 Comments
Hi Katie. Our governance committee is currently working on a policy. It may be a month or two before it is firmed up. Please feel free to contact me in September to ask about it if you haven't found one by then.
Rhonda,
Thank you!
Hi @KatieBraswell,
I thought I would jump in here and offer a little guidance from my seat at Foundant.
First, congratulations on even thinking about Cyber Security and being willing to go down the path of strengthening your security posture.
The first thing I will recommend as you go down this path is to remember to right-size the policies and procedures for your organization. What one organization needs is going to be different for another.
The second thing is to lay out a plan where you can make strategic advancements for becoming more secure. Start with low-hanging fruit and go from there. The goal is really to mitigate risk and plan for the unfortunate day where there is some sort of security breach or incident.
I would start with a disaster recovery plan and an incident response plan. For disaster recovery, what assets do you have and how will you bring them back online? Think about possible scenarios and who is responsible for the recovery. For incident response, create a team that can come together quickly in the event of a cyber security incident and can evaluate the risk and next steps. Have a process for documenting the events and the mitigation/recovery efforts.
The most important thing any organization can do is provide awareness and training to their employees. This could easily be done with a couple of Awareness and Training products that exist out there today (Mimecast or KnowBe4). The largest threat we have in the cyber security world is human error. We can patch systems, buy every security product, and lock down networks; but at the end of the day we, as humans, are more likely to cause the breach.
Several years ago at Foundant, we worked through building a security plan with a vendor. They sat down with us and walked through the Center for Internet Security Controls. We evaluated where we were today and what steps we should take to strengthen the controls. From there, we had a security plan and could take appropriate actions as we evaluated the need and risk. I am happy to connect you with this vendor if you would like, as I highly recommend their services. I do not know what you have budgeted (organizations never budget enough for security), but the overall cost was not unreasonable.
I hope my long security rant helped in some way or another.
Cory Brester
Director of Information Systems
Cory,
Thank you for this advice! I am not certain what I am getting into but when the auditor wanted us to explore this, I thought I would reach out to our knowledgeable peers. I will keep all this in mind and will reach out to you on my cybersecurity journey!
Katie