Do Outdated Policies Increase Your Cyber Risk?

Did you know?

Information security policies and procedures are the backbone of an organization and the foundation of a good security program. If you have information security policies that haven’t been updated in years, you are potentially opening the door and welcoming vulnerabilities from outside threat actors as well as insider threats due to misinformed employees.

Information security policies are intended to educate employees about acceptable behavior in the workplace and to mitigate risk to the organization. They should be treated as a living management resource, not a document written once and filed away. Depending on your industry, information security policies are required by regulatory compliance bodies in order to perform work or do business, both locally and in foreign countries. Does GDPR ring a bell? The General Data Protection Regulation is one of the latest regulatory framework updates; it had a compliance deadline of May 25th, 2018 and affects any organization that has business dealings with countries in the European Union (EU). GDPR replaced the outdated European Data Protection Directive of 1995, updating the requirements for businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The information security policies most affected by this framework are Data Handling/Protection, Privacy Policy, and Breach Notification. If you have not met regulatory deadlines for policy updates, you are liable to incur legal repercussions and fines.

GDPR is just one example of increasing regulatory oversight of cybersecurity. Even if your organization doesn’t have clients in the EU, it is a good idea to have policies and procedures in place to protect data. Breaches are becoming more commonplace, and consumers are demanding more protection for their data.

How often should I review and update my policies?

At a minimum, TechGuard Security recommends an annual review of information security policies. There are several reasons, however, why policies should be updated more often. Most importantly, the threat landscape is evolving, and policies need updates to address new threat vectors. Implementation of new technologies or systems, organizational structure changes or growth (mergers and acquisitions), and changes to laws and regulations are among the top reasons to review and update information security policies and procedures.

The TechGuard Solution

At TechGuard Security, our cybersecurity consultants have adopted the Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC) as the baseline for IT Security Controls Audits, and we use it as our standard when an organization has no regulatory requirement to adhere to a specific framework. Many common frameworks can be cross-mapped to the CIS Top 20 Critical Security Controls. TechGuard can also assess against these frameworks:

  • NIST
  • ISO
  • PCI DSS
  • HIPAA
  • FFIEC

Written by Kerri Setzer

Kerri Setzer is a Cybersecurity Consultant at TechGuard Security, where she conducts penetration tests, vulnerability assessments, social engineering exercises and IT Controls Audits. Previously, Kerri spent five years in a Fortune 500 healthcare organization in an operational capacity, developing and maintaining advanced information technology solutions while ensuring that IT solutions implemented within the organization met HIPAA compliance. She has participated in countless audits to validate various controls under SOX, HIPAA, PCI-DSS and NIST 800-53. In her spare time, Kerri enjoys running, fishing and playing outdoor sports with her husband and four daughters.