SOC 2 School

Policy

Nov 10, 2020 2:00:00 PM / by Alex

Nobody wakes up and wants to write a policy, but this week in SOC 2 School we are helping you rip the band-aid off. We are providing you with guidance and *FREE* templates to create your own policies.
It may not be the most riveting topic, but you will eventually have to do this if you want your company to continue growing, so we are making it as easy as possible for you to complete this task!

Take It For A Spin

Full Transcript

SPEAKERS

Vikas Bhatia - Founder & CEO, JustProtect
Bryan Urias - Security Analyst, JustProtect

Bryan Urias

Hello, everyone. Thank you for joining us again on this episode of SOC 2 School. My name is Bryan, and this is Vikas. Vikas, how are you doing?

Vikas Bhatia

Great, Bryan, how are you?

Bryan Urias

Great, thanks. So, in the past couple of weeks, we have shown you how to consider the certification process, and we've talked about different ways to plan out the entire certification and how to get your team ready for it. So, in this episode, we're going to talk about policies. Vikas, can you explain to us, when a company is getting ready to do a big certification, what do policies cover, and what should they entail?

Vikas Bhatia

So, you know, the policies really are a set of high-level documentation. Everyone is aware of the word policy, but really, policies are high-level documents that provide direction. So, in terms of the certifications, whether it's SOC 2, ISO, HITRUST, etc., or even newer certifications like the CMMC, an auditor is looking for documentation that can be provided as evidence that the organization has high-level direction in the things they're supposed to do. So, let's break that down for a second. We might talk about SOC 2, and then the trust principles, so security, availability, etc. If we just take security, the policies that are documented will describe the security position that the organization takes. That could be down to a suitable password length, encryption, or best practice for hiring people. Again, the policies are generally high-level statements that are documented, that are in line with business objectives, are approved by management, and are distributed to all employees; at least some are distributed to third parties as well.

Bryan Urias

So, you mentioned some of these security principles essentially being used for the policies. Do those policies guide my business objectives, or should the business objectives come first? How do I structure that?

Vikas Bhatia

Great question. So, the business objectives always come first; we need to take direction from the business and the way that the business is run. If the business says that it runs things in a secure manner, then you need policies to describe that. If the business doesn't care as much about security but cares more about availability, for example, the policies will need to guide that direction. So, understanding what the business objectives are, and how those business objectives can be demonstrated and operated in a consistent manner, really lends to what's in the policies and who they're communicated to, etc.

Bryan Urias

So, once I know these business strategic goals and I understand how I should incorporate them in my policies, how do I actually start writing a policy? Like, where do I begin?

Vikas Bhatia

Great question. So, there are a number of templates available, and if the listeners or the viewers need those templates, then just put that in the comments below. But a simple Google search, or getting a template, provides you with a good starting point for what should be in a policy. I've seen organizations who are quite small start with large numbers of documents, which are difficult to maintain. If you're a small organization, you may just want to start with a single information security policy that covers many different areas. As your organization grows and introduces complexity, or departments or divisions, you can start to break those policies out. But really, there are a number of templates that are available. Again, happy to provide those if you put it in the comments. You take that and you make the policies fit your business, not the other way around.

Bryan Urias

So, once a company starts kicking into gear to get these certifications and they start pumping out these policies, who exactly is in charge of these policies? Is there a certain person or a certain department that should be responsible for updating them and creating them?

Vikas Bhatia

Great question. So, generally, the policies are owned by a department that is relevant to that policy. For example, if you have an organizational policy, it should be owned by someone at the organization level. With technical policies, and we're talking about startups, then maybe the CTO or the VP of engineering can take some of those policies on. But if you've got an HR policy, you shouldn't have it owned by someone that doesn't have any input into HR. So policy ownership should be relevant to the person or people that are doing those jobs. It's okay if you don't have a specific role. So, for example, if you don't have a dedicated HR person but your CEO is the de facto HR person, then the CEO can own it. Also, the person that is responsible for that policy is also responsible for keeping it up to date. So, we recommend, and auditors prefer, that policies are reviewed at least annually and revised at least once a year, or if there are any major changes. But the other critical component that people often miss is that the policies need to be approved by senior management. So typically a CEO, or an authorized signer within the organization, should sign it off, which then demonstrates that the policy has management oversight and is then communicated.

Bryan Urias

So, Vikas, when people are assigning these responsibilities per policy, who's going to create this policy and who's going to be responsible for it, what are some common mistakes that companies often make, you know, startups that are two people or companies as big as 50 people?

Vikas Bhatia

So, some of the common mistakes really lend to what the policy's objectives are. The policy really should be a high-level document. I often find that organizations who are at the earliest stages of their maturity tend to confuse policies for procedures. So, when you have a procedure, your procedure might be owned by three or four different people, and what they'll do is put those procedures into a policy document, which then means that a policy document is owned by many, many people. Really, a policy should be owned by one person, and that could be at the departmental level, if you will. Any subsequent ownership of procedures or line items should be broken out into procedural documents. Another area where people often make mistakes is enforcement. Because policies are at the organizational level, you really want to be able to document what will happen if someone doesn't follow the policy. So, you know, we often sign employee agreements or contracts when we're going into a new role, and in those contracts it will say that lack of adherence to company policies will lead to termination or disciplinary action. Well, that enforcement really needs to be communicated at the policy level as well. Some of these considerations may involve input from subject matter experts like ourselves (feel free to comment below), or you might need someone from HR or someone from counsel to guide you on that language. And then the third most common mistake that I see in policies is that the policies aren't distributed to the people or the groups that are in scope for that policy. So a policy will say the purpose of this policy is to demonstrate information security and it is applicable to all employees, but then if you ask the employees, have you seen the policy, they would respond that they have not.
So having a policy and not getting it to, or making it available to, the right people is definitely a common mistake. And specifically for the SOC and ISO certifications, auditors will want to see that the policies have been communicated to the right people and that they have acknowledged them. There are some innovative ways in which you can do that. Again, we're happy to share those with you. But you need to have the policy, you need to make sure it is owned, make sure that there is enforcement action, and make sure it's distributed to the appropriate people.

Bryan Urias

Thanks, Vikas. So, you know, if you guys have made it this far, we know nobody wakes up in the morning and wants to just work on policies, unless you're Vikas. But when you guys have any questions, when you need any advice, we're here to help you. We want to hear back from you guys; feedback is very important. And thank you guys for watching this. Next week, we'll be talking about procedures, and hopefully you guys are more interested in that, or perhaps you need a little bit more help that we can provide. So, thanks for watching. Leave a like, you know, subscribe to our channel, and thanks for everything, guys. See you guys next time.

Vikas Bhatia

Okay. All right.
