Security Policy Creation & Documentation
Most small businesses operate on unwritten rules. Everyone sort of knows you're not supposed to use the same password for everything. Everyone sort of knows you should be careful with customer data. Nothing is actually written down, which means nothing is actually consistent. So when someone asks you to prove what your policies are, there's nothing to hand them.
This comes up more often than you'd expect. Cyber insurance applications ask about it directly. Clients doing vendor reviews ask for it. And if something ever does go wrong, having clear written policies is often the difference between "we had reasonable practices in place" and "we never really wrote anything down."
A Security Policy Package fixes that by creating a policy built around how your business is run.
What's (Generally) Included in a Security Policy:
- Acceptable Use Policy. Spells out what employees can and can't do with company devices, accounts, and internet access. Covers personal use of work equipment, installing software, and what's off-limits on the company network. This is the foundational policy almost everything else builds on.
- Password Management Policy. Sets the rules for how passwords get created, stored, and shared across your business. This typically includes the expectation that a password manager is used and that accounts aren't shared between employees. That way the policy backs up whatever password manager deployment you already have in place with something written down.
- Data Handling Policy. Covers how customer and business data gets stored, who has access to it, and what happens to it when it's no longer needed. If your business collects customer information like names, addresses, payment details, service history, this policy defines how that information is supposed to be treated and stored.
- Remote Work Policy. For any business with employees working outside the office, this policy sets expectations around secure connections, device security, and what is and isn't appropriate to do on public WiFi.
- BYOD (Bring Your Own Device) Policy. If employees use personal phones or laptops for work (think checking email, accessing your CRM, or taking photos for a job), this policy defines what's required of those devices: screen locks, encryption, and what happens to company data on that device if the employee leaves or the device is lost.
- Incident Response Policy. This is a shorter companion to a full Incident Response Plan. This policy establishes the basic expectation that there is a process to follow if something goes wrong, and who's responsible for triggering it. If you don't yet have a full Incident Response Plan, this is often the first step toward one.
Who is this a good fit for?
Any business applying for or renewing cyber insurance: most carriers ask about written policies directly, and a lot of businesses discover they don't have them at exactly the wrong moment. Any business that came up short on this during a security assessment. And any business that's grown past the point where "everyone just kind of knows" is good enough.