When Should You Review and Update Security Policies?
by Natalie Sjelin, Assoc. Director of Training, CIAS-ISAO
Many individuals view policies and procedures to be set in stone and believe they should not be changed. In reality, your policies should be living documents that evolve as your organization grows and changes. Effective policies do not sit on a shelf and collect dust. If it has been a while since your security policies have been reviewed, you may find that they are outdated, no longer comply with new laws and regulations or may not address the systems and technology you are using today. Think of your Information Security policies as the backbone and foundation of your security program and the guide to ensure everyone in your organization knows what they need to do to protect data and assets.
When should you review, update or create new policies? At a minimum, review security policies on an annual basis. That is a good start, but there are other considerations that should be indicators that your policies need to be reviewed.
If it has been a while since your security policies have been reviewed, you may find that they are outdated, no longer comply with new laws and regulations or may not address the systems and technology you are using today.
Adopting New Technologies
Technology implementations are continual considerations to make organizations run more effectively and efficiently. New technologies, such as cloud-based storage, the Internet of Things and advanced detection and protection tools needed for threat identification or notifications, may be at the top of your list to implement into your organization’s infrastructure or perhaps you already have. This is the time to make sure policies are updated to reflect how the technology should be used and secured.
Many businesses wait years before updating their policies on how to properly use a technology within their organization. If you fail to review and update your policies and procedures when you implement new technologies, you are possibly exposing your organization to an increased risk of data loss.
Consider: your organization uncovers a data leak incident where some confidential information was leaked when an employee used an unsecure network to access company information. The breach results in a security review that identifies several security policy changes needed around mobile devices, encryption of sensitive data and scanning laptops for malware.
Your security policies are there to ensure employees understand acceptable behavior and to reduce risk to the organization. If policies and procedures are in place, you can analyze the details of an incident to see if everything was done correctly. Determine if there are gaps in the policy or in the training provided to ensure the employee’s understanding of the policy.
Updating policies before an incident to avoid a breach is more desirable, but this is an example of when a breach or incident could initiate information security policy updates.
Operational and Workforce Changes
A great many of us experienced changes due to the pandemic. Businesses had to find new ways for employees to communicate, collaborate and get their work done – all while being remote. Customer engagement changed for many businesses as they had to ensure they were responsive to customers and implemented ways to provide services with little to no contact.
Technology played a major role in solutions to many of these challenges. When your organization or workforce undergoes changes that impact how you do business, this is a good time to update and revise your policies.
Changes in Compliance, Legal Requirements and Contracts
New cybersecurity requirements associated with contracts, compliance and legislation are constantly on the horizon. One example is how the Department of Defense (DoD) is now requiring contractors to comply with a combination of cybersecurity safeguards and requiring them to reach a certain level of security based on the sensitivity of the work they are doing. Companies wanting to do business with DoD are updating, revising and implementing cybersecurity capabilities to not miss out on DoD contract opportunities.
Another example includes possible legislation coming soon after the SolarWinds incident where malware was injected into software updates that went out to as many as 18,000 government entities and Fortune 500 companies that were clients of SolarWinds. New federal regulations are being discussed around when and how technology companies report data breach incidents, but this may also impact businesses who have contracts with the government.
State, federal and international laws and regulations change constantly. Changes in regulatory standards, or ensuring you are compliant involving a contract, should be a trigger to investigate any changes that may be needed regarding your cybersecurity and information security policies.
Your organization’s security policies play a critical role in protecting your company from financial, reputational and data losses. Make the necessary updates at least once a year, but consider other triggers to stay ahead of potential threats, minimizing risk and staying compliant with laws, contracts and regulations.
EHL Insights (Ed.). (n.d.). Post COVID-19: What's next for digital transformation? EHL. https://hospitalityinsights.ehl.edu/what-next-digital-transformation Nadkarni, A. (2019, May 14). How often should you review your policies and procedures? 24by7security. https://blog.24by7security.com/how-often-should-you-review-your-policies-and-procedures Ratnam, G. (2021, March 03). SolarWinds incident may bring data breach notification rules. Government technolog. https://www.govtech.com/security/solarwinds-incident-may-bring-data-breach-notification-rules TGS Author (Ed.). (2021, April 16). Do outdated policies increase your cyber risk? Techguard. https://blog.techguard.com/are-you-vulnerable-due-to-outdated-it-policies