This is Embarrassing…

Updated 10/25/2022

Backup and Disaster Recovery

This is an embarrassing true story. The CFO at a distribution company mistakenly fell for an MFA bombing attack (a flood of MFA push prompts sent until the user approves one) and unwittingly allowed an attacker to gain access to his email. The attacker then sent a phishing email to everyone in his contact list, which included their biggest customers. It was an embarrassing hit to their reputation.

Data protection can be daunting, but it's a critical task for every business. Losing proprietary information or customer data could injure your reputation and negatively impact revenue. That is why having policies and procedures in place to help prevent the worst-case scenario is paramount.

What is an Information Security Policy?

An Information Security Policy (ISP) is a living document that outlines rules and practices regarding how an organization protects the information it stores and distributes.

Every policy will vary based on the organization's goals, objectives, and client base, but it should be centered on the three principles of information security: confidentiality, integrity, and availability.

  1. Confidentiality: Not all data is created equally. Some data types require more protection, such as personally identifiable information (PII). The ISP should outline procedures for each kind of data the company handles.
  2. Integrity: Data needs to be accurate, and it needs to stay that way. The ISP defines who has access to modify data and processes for auditing and tracking changes to prevent any errors, whether accidental or deliberate.
  3. Availability: Business stops when data isn't available to users when they need it. Data storage, backups, disaster recovery, and business continuity are all discussed in the ISP to keep everything running in any situation.

[Figure: The 3 Principles of Information Security: confidentiality, integrity, and availability]

What does an ISP Include?

An ISP can include a wide variety of information depending on the organization it is written for, and it's meant to be flexible and adaptable.

An ISP will have a Data Classification section that categorizes sensitive information by assigning different levels of protection to each data type and explains what kind of harm could be done if the information were exposed; more sensitive data sits at a higher level than public information.

It will also have an Access Control section that explains restrictions on employee access to data.

An Acceptable Use Policy is also often included in an ISP, which gives employees rules regarding how company technology is to be used, such as an email policy and how customer data should be handled.

Information regarding data backups, disaster recovery, incident response, business continuity, as well as security awareness training (which would have helped the CFO recognize MFA bombing) all reside in a well-written ISP as well, but the details will vary greatly depending on the business itself.

Why is it Important?

There are countless reasons to utilize an ISP, most notably to keep company and customer data safe.

Internally, an ISP ensures employees are held accountable for their actions in the event of an incident.

Externally, many third-party vendors now require one before continuing to do business with you.

Also, many compliance standards, such as the PCI Data Security Standard (PCI DSS) or HIPAA, often require written ISPs, and their criteria may apply to your company.

And, of course, having your ducks in a row with internal security standards helps build trust with existing customers and can even bring in more business.

While it is tempting to look online and find a free-to-use boilerplate ISP to save both time and money, it is worth the investment to have a professional help you create an ISP.

Using the resources required to customize an ISP to fit your business fully will pay for itself in the long run.

Covering your bases with your employees, vendors, and regulators can be easier than you think.

Need help? We can help you. Contact us today for a free quote at 866-680-3388. A cybersecurity professional is standing by.