Why SMB’s Need IT Security Documentation

By Paul Young, Chief Innovation Officer, NextSTOP Consulting


1. SMBs’ IT Security: Policy, Process and Procedure Documentation

In 2011, small business hacks represented fewer than 20 percent of all attacks; nowadays the number is close to 50 percent (1). While large companies make the headlines, the reality is one-in-three documented data breaches occur in smaller businesses. And the aftermath is often grim. About 60 percent of small businesses close their doors within six months following a cyberattack, according to Brian Kearney, chief underwriting officer for Travelers Small Commercial Accounts.

SMBs have come to realize it is now absolutely critical to protect their IT infrastructure and the information stored within their organization’s “Ecosphere”. This awareness has driven their need to formalize, develop and implement appropriate IT security policies in preparation for deploying some type of IT Security Framework (ITSF) (2).

Thankfully, there are very few ITSFs that are commonly accepted as “best practices.” Listed below are, arguably, the most common:

  1. NIST 800-53 (FISMA) was designed for use by government agencies, but it is commonly used by businesses in other industries to help them improve their information security systems. Complying with NIST can also help you become compliant with other guidelines, like HIPAA, FISMA, or SOX.

  2. ISO 27001 is a security standard that lays out specific requirements for an organization’s information security management system (ISMS). It is especially noteworthy because it doesn’t just cover electronic information; it also includes guidelines for protecting information such as intellectual property and trade secrets.

  3. SOC 2 is an auditing procedure that ensures your software manages customer data securely; it is typically used by data centers.

  4. PCI DSS is a framework that helps businesses that accept, process, store, or transmit credit card data keep that data secure.

  5. HIPAA is a federally mandated security standard designed to protect personal health information.

Usually, an ITSF implementation (see Figure 1, below) will require a lot of effort, work, and discipline. In general, it establishes a new approach to data protection that modifies corporate culture with more comprehensive Policies, Processes, and Procedures (PPP); these are mandatory and become the organization’s new norm.

Figure 1- ITSF implementation

Far too many companies, especially SMBs, neglect to get the basics down in writing early enough. There’s a tendency to believe that “our company doesn’t need them” and that spoken instructions or cryptic notes will suffice. The most typical concern is how much additional time and effort will be required to ensure current systems are compliant with an ITSF.

One of the significant benefits of an ITSF is that it decreases liability. If your company does not meet the minimum standards of a compliance standard, that deficiency is evidence of negligence. Negligence is demonstrated by a lack of documented due care and due diligence as shown in Figure 2, below:

Figure 2- Compliance and Decreasing Liability

The development of an ITSF PPP documentation set provides evidence of due care, ensuring users understand their day-to-day security responsibilities and the threats that could impact an SMB.

1.1 Awareness

Developing formal ITSF documentation can be very intimidating and is often met at an SMB with the view that documentation is excessive and pointless additional work. It is understandable why an ITSF implementation can be a scary prospect for your organization.

Figure 3- The Correct "PPP" Lifecycle

When undertaking an initial evaluation of implementing an ITSF, the requirements might seem daunting and confusing at first, but a well-developed set of Policies, Processes and Procedures (PPP) will make the eventual implementation process go more smoothly. Section 2 describes how NextSTOP can minimize those costs and expedite the implementation.

1.2 Recognizing the wrong way to develop an ITSF’s PPP Documentation

Many modern businesses operate in a fast-paced, lean and agile manner which is often contradictory to the traditionally bureaucratic approach associated with Fortune 1000 organizations. If you ask an IT security professional to identify their preferred best practice, it generally comes down to NIST or ISO.

Policies and Procedures are two of the words that most employees dread to hear, especially when it comes to IT Security. Information security policies and procedures are the cornerstone of any information security program and they are among the items that typically receive the greatest scrutiny from examiners and regulators. In a pre-certification assessment, missing documentation will probably be flagged as a nonconformity and addressing it can take some serious effort.

Most SMBs do not have well-designed IT security policies (if any) to ensure the success of their cyber security strategies and efforts. The omission of cyber security policy can have various causes, which often include limited resources to assist with developing policies, slow adoption by leadership and management, or simply a lack of awareness of the importance of having an effective IT security program in place.

2. NextSTOP Can Cost Effectively Help SMBs Develop Their ITSF Documentation (i.e., PPPs)

It is a commonly held belief that IT is responsible for writing the PPP artifacts. In fact, it is not, for several reasons:

  1. IT’s function is to implement the strategic decisions made by an SMB’s Top management. PPPs impact the entire organization, and IT is not at the right level to make those decisions.

  2. PPPs for an ITSF (e.g., ISO 27001 ISMS, ISP, etc.) encompass not only the IT function, but also HR, Sales, Marketing, corporate partners and contractors.

  3. The old saying “two sets of eyes are better” is especially true when developing PPPs. The raw material needs to come from all departments, but another individual should be responsible for the actual writing of the PPP artifacts.

NextSTOP solves this problem by taking the detailed PPP development effort off your IT group and Top management team. Our ITSF PPP Development Service works with you to ensure that your organization has adequate and appropriate ITSF documentation.

2.1 ITSF PPP Development Service

The goal of our ITSF PPP Development Service is to provide you with a document set that meets your security and compliance objectives, while considering your company’s compliance mandates, culture, and risk appetite.

NextSTOP’s ITSF PPP Development Service engagement is structured to fit your needs. NextSTOP:

  1. works with your Top Management to review your business, security, and compliance drivers to determine the ITSF that best fits your needs. If your organization has already determined, or been mandated to follow, an ITSF, we work with you to determine the structure of a complete PPP documentation set.

  2. staff work remotely with your in-house teams during the development of your PPP documentation, which avoids the cost of having on-site contractors. NextSTOP works remotely in sync with your organization’s staff, thereby minimizing disruptions.

  3. brings Policy Templates that help jumpstart the delivery of a completely customized set of Policies, Processes and Procedures.

  4. utilizes your staff as the Subject Matter Experts (SMEs) while we do the actual architecture and development of the PPP documentation set.

  5. reviews any existing PPP documentation to validate its effectiveness and determine how to incorporate the sections that are applicable.

  6. works with your key stakeholders to identify the PPPs to be developed, then delivers those PPPs for review, tailored to your environment.

  7. works with your organization all the way, from the gap assessment through the development and delivery of the final PPP documentation set.

  8. works with your IT group to establish a policy library with versioning for your PPP documentation set, which is critical during an audit or internal assessment.

If your organization has a need to meet multiple ITSFs (e.g., NIST/ISO), NextSTOP will utilize our experience in matrixing the requirements of separate ITSFs through the use of the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The foundations of the CSA CCM rest on its relationship to industry-accepted IT security standards, such as NIST, ISO, COBIT, etc., and our staff has had successful engagements where “mixed” ITSF audits were performed simultaneously, and successfully.

Copyright © 2019 By Paul Young

References:

(1) Charles Cooper, “What your SMB can do to get big-business cybersecurity,” CNET: https://www.cnet.com/how-to/11-things-small-businesses-can-do-to-get-big-business-level-cybersecurity/

(2) This list of ITSFs is not complete: ISO 27001, NIST/FISMA, HIPAA, GDPR, COBIT, etc.

Paul Young joined NextSTOP Consulting as Chief Innovation Officer, where he is responsible for managing the innovation process by identifying strategies, business opportunities, and new technologies, and for developing new capabilities and architectures with partners, new business models and new industry structures to serve those opportunities.

Paul Young is a visionary, goal-oriented and successful serial entrepreneur (IT-Cloud professional) with demonstrated experience in planning, developing, and implementing cutting-edge Cloud solutions to address business opportunities.

Young’s high-impact tenure at ClearObject can be summarized as an evolutionary journey in which he turned an entrepreneurial vision into reality by building the first Cloud Eco-sphere capable of hosting IBM (SaaS) Rational software development applications, in order to commercialize a SaaS model to Fortune 1000 customers. He created a reliable, secure Cloud Eco-sphere environment (CSP) for 10,000+ users, including IBM’s Rational Software development tools, as well as an IoT CSP Cloud Eco-sphere.

Paul provided the missing link for technology evolution, where the start-up executive must simultaneously steer/support operations, workforce, security compliance and technology to better achieve ClearObject’s goals, ensuring customer security and satisfaction. ClearObject was successfully sold in March of 2019.

VITAE: https://www.slideshare.net/slideshow/embed_code/key/FSm3RPhL8XbdIg
