“Below is a list of documents that is requested by a vendor management company. Information Technology needs to be able to provide these documents on demand:
-Information Security Policies (Current)
-Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing) (Current)
-Incident Response Policies with client notification protocols (Current)
-Disaster Recovery/Business Continuity Plan(s) (Current)
-Disaster Recovery Testing Results (Current)
Whether it is a partnership, vendor relationship, or just being a customer, it’s no longer unusual to get asked how companies treat security. Risk Management survey’s include questions like, “Has your company been hacked in the last 12 months” and “What was your incident response plan to the breach”.
Where to go to get this stuff? Where do you keep it? How to manage? Many larger companies hire the talent to write it. Alternately, resources exist that can help with what is needed to cover. Here are a couple of resources:
- SANS Information Security Policies (Free)
- BizManualz – Security Policies and Procedures (Paid)
- Mike Sisco – Practical IT Policies & Procedures (Paid)
I have used all three in my career with success. Managing these documents should be no different than other IT policies. In other words, manage collectively with yearly reviews and periodic changes as the organization matures.
What tools or resources have you used to help write security documentation? Drop me a link to add to the list!