Security Policy

what is it?

An old boss of mine used to say, “If it’s not written down, it doesn’t happen.” For many organizations security policies are an afterthought, but they are important to bring everyone in the organization onto the same page when it comes to decision-making.

Some very useful things security policies can provide to a business:

  1. An easy way to hold employees accountable to an agreed-upon standard.

  2. An easy way to provide prospective clients, government regulators, and compliance organizations with proof that you have thought through the contents and intend to stick to them.

  3. An established source to reference when things go wrong, are particularly stressful, or when unexpected incidents occur. Not sure what to do? Break out the incident response policy and follow it!

  4. A commitment to security and a sign of maturity that a prospective client might like to see before doing business with you.

  5. A useful beginning point if you are aiming for compliance against industry standards such as ISO27001 or the NIST CSF. All these standards are heavily reliant on policy.

  6. A way to “pre-decide” things in advance. Some examples of these would be: who to call, how to handle something, what technology to use, what standards to abide by, who speaks to the media, etc.

Writing policy is both time-consuming and painstaking, but the benefits far outweigh those annoyances. The good news is that for most businesses, once the policies are written, it’s just a matter of keeping them updated a few times per year as things change.