IT Policies and Procedures: The Missing Piece of the Cybersecurity Puzzle

New technologies such as cloud services and mobile computing allow unprecedented efficiency, freedom and functionality. However, they also introduce new risks that are harder to control and have a higher impact when something goes wrong. Technical measures, such as data backups and virus protection, are important for maintaining cybersecurity.

However, they are only a part of the puzzle. They do not protect organizations from employees who take customer lists with them when they leave, from internet downloads that slow the internet connection for everyone, or from systems administrators who peek at email containing HR information. IT policies and procedures can protect against these.

While there is no such thing as 100% cybersecurity, the following policies, in combination with appropriate technical measures, will provide organizations with a very effective level of protection:

    1. Ensure that staff know the cybersecurity do's and don'ts
    2. Ensure that staff have sufficient resources and skills to exercise their cybersecurity responsibilities
    3. Ensure that staff know what to do in case critical IT services are unavailable
    4. Ensure that cybersecurity is considered in job performance appraisals and results in appropriate rewards and disciplinary measures
    5. Ensure that staff have been vetted, especially staff in sensitive roles
    6. Ensure that the organization is not dependent on one individual for any key IT or cybersecurity task
    7. Ensure that privacy and intellectual property rights, as well as other legal, regulatory, contractual and insurance requirements, have been identified with respect to cybersecurity
    8. Ensure that cybersecurity aspects have been considered in all service level agreements and that the security competence of the service providers has been assessed
    9. Ensure that cybersecurity guidance and contractual obligations for e-commerce and electronic payment exist
    10. Ensure that applicable cybersecurity measures have been implemented, tested and kept up to date (e.g. data backup, archiving, access control, insurance)
    11. Ensure that software patch installation and computer network maintenance procedures are followed
    12. Ensure that access control and connectivity rules for internal and external users have been implemented based on business need and risk
    13. Ensure that important computer equipment is safe from theft or damage (e.g. keep laptops and mobile phones on your person, send data backups offsite, use full-disk encryption on laptops)
    14. Ensure that cybersecurity is an integral part of the application development process
    15. Ensure that a business continuity program is established, implemented, tested and kept up to date
    16. Ensure that there is a cybersecurity program in place based on IT risk, gap analysis and computer network performance monitoring

If the bottom line is higher on your priority list than cybersecurity or reputation, note that policies 1, 2, 4-6, 11 and 15 alone can prevent many of your more expensive IT support incidents.
