Pratum Blog

Information Security Policies, Procedures, and Standards

Information security Policies, Standards, and Procedures typically fall to the bottom of many companies’ to-do lists. While these documents may seem tedious, the effort you put into the creation and maintenance of them will pay off in the long run!

What They Are

First, let’s break down what each of these governance documents is, and how to take care of them.

Information Policies – The “What”
Policies are the high-level statements that communicate a company’s objectives. They typically set out the organization’s philosophy for addressing the security problems that may arise. Here you will find out what the organization’s objectives are, and how they are designed to protect the company’s assets.

Information Standards – The “How Often/Much”
Policies and Standards are similar but do differ in some very important ways. Standards go more in-depth and elaborate on the Policies. Who will be involved in implementing the Standards? What are the specific responsibilities of the associated departments? Who does the Standard pertain to? Who owns the individual Standard? Specific requirements are laid out here for a comprehensive look at how each control area fits into the overall information security program. Standards are what most compliance requirements and frameworks ask for.

Information Procedures – The “How”
Procedures are the step-by-step instructions for fulfilling the Policies and Standards. For every control area your Policy covers, there need to be corresponding sections describing how the company will carry out that Policy. Procedures take Policies and Standards and create tangible action steps. In these procedures, the business should call out the specific employees and technologies that are used to carry out each procedure.

Why You Need Them

Now that we’re on the same page about what these governing documents are, let’s explore why they’re important for your business!

Establishes Continuity
Showing your employees exactly what is expected of them is crucial. Without a clear vision set, there will inevitably be questions. Creating a universal guide for everyone to see and understand will unify the team in times of crisis or confusion.

Allows Easy Enforcement
Without a governance program in place, Executives will have no way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find Policies, Standards, and Procedures, there will be proof to hold people accountable for not abiding by them.

Creates a Security Culture
Usually, if an Executive is involved in the creation of Policies, Standards, and Procedures, they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate with the Executives and understand what is important to them. (Many companies will ask employees to sign a document saying they are aware of the Policies, Standards, and Procedures and agree to comply with all security controls and directives.)

How to Get Started!

1. Figure Out Your Needs
An organization’s size and niche dictate what its governance documents should look like. If you have a large business with several employees, you may need a more detailed plan. If you have a small organization with people who do a little of everything, you should consider what guidelines to put in place to enable employees to effectively perform their job duties in a secure manner.

2. Build an Action Plan
Next, address how to get the governance program in place. Talk with your IT operations team to make sure they are in compliance with the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key!

3. Maintain and Update
Last, once you have your Policies, Standards, and Procedures in place, the work is not finished. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to do annual reviews of all these important documents to proactively evaluate the security controls related to the confidentiality, integrity, and availability of your business’s sensitive information.

If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.

Information Security Questionnaire

When working with a client, vendors are often asked to supply some sort of proof they will protect the client’s sensitive data. While this may seem like a reasonable request, knowing how much information to share and the best way to do that can be tricky.

As a vendor, you may receive multiple requests from clients for compliance reports or third-party-validated security reports, such as a SOC 2. If you don’t have a third-party compliance report, the client may ask you to complete a security questionnaire (something we discussed in a recent blog post). That process can be very time consuming, especially with multiple questionnaires asking for different information.

We’ve created five guidelines to help vendors meet their clients’ needs, without risking their own security:

1. Analyze your relationship with the client.

Sometimes clients will send out questionnaires to every vendor they use, without really looking at what that vendor has access to. If you are a vendor, but do not deal with the client’s sensitive data, you may not need to fill out tedious questionnaires. That client could be following their own company protocol without considering each request being made.

2. Know which data you should provide your client.

We typically don’t advise vendors to share Policies, Standards, and Procedures with a client. This sort of information could put you, the vendor, at risk. Be cautious and make sure you’re not sharing more information than what is required. It is not necessary to risk your own company’s security to comply with a client’s wishes.

3. Know when to push back, and how.

If a client asks for more information than you’re comfortable with, you have the right to object. Oftentimes this will be a conversation, rather than a definitive “no”. Ask for your client’s reasoning for the information they’re requesting. If it is still too much, explain why you are uncomfortable with the situation.

4. Offer up an alternative.

If you’ve turned down the client’s questionnaire or request for your Policies, Standards, and Procedures, they may still need some proof that you are ready to protect their security interests.

  • One way to do that is with a pre-filled questionnaire. A method used in many of these cases is called SIG (Standardized Information Gathering). This questionnaire tool allows vendors to create a standard form, ready to be handed out to any clients who need an explanation of your security procedures. You can also create an inventory of your Policies and Standards with only the Table of Contents visible. This shows the documents are in place but doesn’t give all the details.
  • Another option is to set up a meeting with the client. This can be a video call with screen sharing, or a webinar. If you plan to show the client any sensitive data, make sure they do not screen-grab or record the conversation. We suggest having the client sign an NDA beforehand.
  • If a client requests a SOC 2 report, but you have another form of compliance report already completed, ask the client if that will work instead. They may be able to accept a different type of third-party-validated report, even if they did not specifically ask for it.

5. Decide if this client is worth the effort.

Completing compliance reports, filling out dozens of questionnaires, and sharing sensitive data can come at a cost to you. You need to decide if the client in question is worth the time and resources their requests will take. Sometimes it’s more cost-effective to let that client go than to jump through more hoops.

Hopefully this helps you know how to handle the inevitable security requests vendors face! If you need more assistance with preparing a SIG or knowing which information may be too sensitive to share, be sure to reach out to a cybersecurity expert.

Technology Association of Iowa - Iowa Technology (IT) Roadshow sponsored by Pratum

As Iowa’s leading cybersecurity experts, Pratum is excited to announce a new partnership with the Technology Association of Iowa (TAI). Pratum will serve as a sponsor of the first Iowa Technology (IT) Roadshow, promoting the importance of cybersecurity across the state of Iowa.

The goal of the IT Roadshow is to share information and promote advocacy for the technology industry. As a company with clients across Iowa, it’s important for Pratum to bring knowledge of cybersecurity to the entire state. This is part of Pratum’s continual mission to provide quality cybersecurity resources through education and assistance.

What the Roadshow will look like:

There will be ten stops on the IT Roadshow, with the hope of reaching as many people as possible. These events will be held in rural communities all over Iowa to share information with individuals looking to learn more about the technology industry. Each event will feature four panelists who specialize in different fields of technology. As leading sponsors, Pratum and U.S. Cellular will be constant fixtures, speaking at every stop on the tour.

“The Technology Association of Iowa continues to connect its members and provide unique opportunities to unite Iowa's technology community. The IT Roadshow is a prime example of their commitment to finding innovative ways to provide technology education to our state, and we are excited to join them on this tour across Iowa,” said Jordan Engbers, Pratum CAO.

Topics being covered:

Each panel will be customized to fit the needs of the community attending. Some of the topics covered during the tour will include: Agriculture Technology, Tech Education, Telemedicine Services, Manufacturing Technology, and much more! (TAI will be releasing more details early in 2020 on the topics being covered in each city.)

Pratum’s role in the IT Roadshow will be to discuss how cybersecurity impacts businesses in every corner of the state. Pratum will share information about the importance of protecting your data, and how to pinpoint the risks that even small businesses face. The practices Pratum will be speaking on are the same for anyone looking to create a more robust security program, no matter the size of your organization.

“There are a lot of really cool things happening across the state of Iowa. Pratum recognizes the strength of our economy is tied to helping maintain and grow the business environment throughout the state, not just the larger metro areas. The IT Roadshow proves that TAI and our members are a statewide community that can collaborate to meet the needs of the entire state,” said Dave Nelson, Pratum Founder and CEO.

With the constant changes in technology, particularly cybersecurity, Pratum is thrilled to share expertise with anyone looking to protect their online assets.

Iowa Technology Roadshow Events:

Spring IT Roadshow Schedule (Updated dates coming soon)

  • Burlington, Iowa (Greater Burlington Partnership)
  • Ottumwa, Iowa (Ottumwa Regional Legacy Foundation)
  • Grinnell, Iowa (Grinnell Area Chamber of Commerce)
  • Indianola, Iowa (Indianola Chamber of Commerce)
  • Council Bluffs, Iowa (Council Bluffs Area Chamber of Commerce)

Fall IT Roadshow Schedule

  • October 19, 2020: Decorah, Iowa
  • October 20, 2020: Waverly, Iowa (Waverly Chamber of Commerce)
  • October 21, 2020: Fort Dodge, Iowa (Greater Fort Dodge Growth Alliance)
  • October 22, 2020: Spencer, Iowa (Iowa Lakes Corridor Development Corporation)
  • October 23, 2020: Sioux City, Iowa (Siouxland Chamber of Commerce)

Pratum is an information security consulting and managed cybersecurity services firm. Our goal is to enable every client to securely use technology to meet business objectives.
