When you are starting a new business, creating cybersecurity policies is usually the last thing on your mind. You’ve got a corporation to form, operating agreements to draft, bank accounts to open, office space to find and then finally sales to make, with a long list of other things in between. This means your cybersecurity policies are low on that list, if on it at all, and as you grow that list grows and they usually get forgotten.
Not having policies in place can be a problem for a number of reasons, including that some states, such as Massachusetts, require at minimum a Written Information Security Policy (WISP). A WISP outlines the basics in terms of risk assessment, minimum technical security, dealing with third-party contractors, employee training and how to notify customers in the event of a breach. But this is just the start.
In addition to a WISP you should have the following policies in place:
- Business Continuity Policy to plan for natural disasters or cyberattacks
- Change Management Policy to set guidelines for upgrading / changing systems, providers, etc.
- Incident Response Policy for how to deal with incidents and who is in charge of what in terms of remediation, notifying customers/vendors, etc.
- Risk Management Policy to identify your company's internal and external risks and vulnerabilities and apply actions and solutions to make sure you are adequately protected
Our talented team of cybersecurity experts can help you get these policies in place and execute the required exercises, scans and reports. Get in touch today!