Your Baseline Information Security Policy

Your information is the lifeblood of your business. Without it, you have no business. Some industries, like the legal field, create a higher standard to protect the confidentiality of your client information. But you know this. You understand the importance of protecting your data. The real question is, how? What specific things do you need to do to feel confident that you’re properly protecting the data you’re entrusted with?

The answer is – to give a somewhat “lawyer-ish” response – it depends.

Before we go too far, I want to define data security. When I discuss data (information) security, I mean: The processes by which we protect the integrity, availability, and sanctity of your data.

Integrity: The data you have is the right data to have.

Availability: You can access the data when/where you need it.

Sanctity: Only the right people have the proper permissions to access that data. Importantly, people without need to access the data have no access to it.

The good news is, we can look across industries and see what makes sense to do. Regardless of industry, there are some common exploits that are used to improperly access information. What are the common vectors of data breaches? What is the most common cause of data loss? (Hint: it’s your employees.) We can identify the main risks to your data and put up safeguards to either stop or limit the data loss. This gives us a baseline policy. These are things you’re probably familiar with: Antivirus, firewalls, proper email management, etc.

The bad news is, every business operates a differently from others, including others in the same industry. Different industries have different federal or state compliance regulations to meet. No two law firms are 100% identical. Differing business interests, expectations, and obligations means that no two businesses will follow the same security policy, even though the two differing policies may equally protect their data. And this is where the “it depends” comes into play. What your business needs to do depends on your business.

You must fully understand how your business operates. What are your needs, expectations, obligations? Do you have to comply with federal or state regulations? Do you have to comply with industry mandates? All these factors will influence your data security policy.

Without a full review and understanding of your business, it’s impossible to provide you with a guaranteed security policy. But, as mentioned above, we can begin creating a solid baseline policy. We can learn from other events, industries, our competitors. We can look at what we know does work, at a minimum, and start there. After that, we can dig deeper into the specifics of your business and build on top of that baseline policy.

What is the baseline? I’m glad you asked. You can download it here.

You can also download the accompanying presentation slide deck.

This is an outline of things I believe all businesses should consider first. Start here. Do what’s listed.

Pay attention to what I’ve discussed on this page, and the caution on page one of the outline. This should not be your final product. Start here if you have nothing in place.

This is a process. It isn’t difficult, but we are talking about information security. You should take it seriously. Thoroughly consider and understand the impacts of the decision you are making here.

This is a team effort. Make sure to get input from your decision-making managers. Include your technology services provider (whether in-house or outsourced). When you have the final written policy, have your technology service provider implement the technical aspects of it. Train all your users. Review the policy yearly and update it as needed. Train all your employees on the policy at least yearly, or within 15 days of any changes being made to it.

If you have any questions, call me.