The Secret to SMB Information Security: Writing It Down

This article is part three in a twelve-part series on information security fundamentals for small and medium-sized businesses.

In 1997, United Parcel Service launched a marketing campaign around moving at the speed of business. They keyed in on a truth that all business owners are acutely aware of: if you want to succeed in business, you need to be prepared to move quickly. Your business is constantly in motion and, for many business owners, slowing down means losing business to your competitors.

With this in mind, the last thing many business owners want to do is take a step back and document their policies, procedures, and standards. You have orders to fill and services to provide. How can you afford to pull employees away from their day-to-day responsibilities to work on documentation?

More importantly, how can you afford not to?

Jerod Brennen

Savvy business owners understand that a critical component to every successful business is consistency. This is especially true for SMBs. Consistency means stability. Consistency enables growth. Consistency is the key to longevity.

And the key to consistency is documentation.

Successful SMBs understand the need for information security in today’s marketplace, and consistent information security practices rely on three key elements: policy, standards, and procedures.

It’s important to understand that this documentation doesn’t just represent good business practice. Organizations that handle health care data or customer credit card data are actually obligated to maintain and implement these documents.

The information security policy contains the information security rules that apply to your business. What expectations do you have for your employees with respect to email, Internet, and instant messenger use? If you don’t write down what’s okay and what’s not okay, along with the penalty for violating policy, it’s unrealistic of you to expect that your employees will adhere to those rules.

The information security standards contain specific details about the technology you have deployed in your organization. For example, do you allow both iOS and Android devices to connect to your internal network? If so, what are the security settings that you require for those devices before they’re allowed to connect? These are the details you need to document in standards, and the standards need to be updated each time the technology changes.

The information security procedures outline how you do what you do. These are the step-by-step documents that you rely on to ensure that certain processes are followed the same way every time they are executed. A classic example of a critical information security procedure is the Employee Termination Procedure. Passwords need to be changed. Accounts need to be disabled. Devices need to be accounted for.

How confident are you that your IT employees are handling terminations consistently? What is the risk to your company if a key step in the termination procedure is overlooked?
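One way to answer that question is to check the end state rather than trust that the checklist was followed. The script below is an added example, not part of the original article: it takes a constructed snapshot of what each system reports about a departed user and lists every termination step that is still open. The system names, asset tags and credential names are placeholders standing in for whatever an SMB actually runs.

```python
"""Offboarding audit: confirm each step of an employee termination procedure was done.

Added example, not code from the article. All records below are constructed
sample data and the system names are placeholders for whatever an SMB runs.
"""
from dataclasses import dataclass, field

# Systems the written procedure says must be checked for every termination.
REQUIRED_SYSTEMS = ("directory", "email", "vpn", "payroll")


@dataclass
class Snapshot:
    """What each system reports about one user after IT says offboarding is done."""
    accounts: dict = field(default_factory=dict)        # system -> "enabled" / "disabled"
    rotated_secrets: set = field(default_factory=set)   # shared credentials already rotated
    returned_devices: set = field(default_factory=set)  # asset tags checked back in


def audit_termination(user, snapshot, shared_secrets_known, assigned_devices):
    """Return the list of steps still open for this termination; an empty list means clean.

    Three checks mirror the procedure: accounts disabled, shared passwords rotated,
    devices recovered. An account that is still enabled on a system the procedure
    never listed is reported too, since unlisted systems are where steps get missed.
    """
    open_steps = []

    # 1. Every system named in the procedure must show the account disabled.
    for system in REQUIRED_SYSTEMS:
        state = snapshot.accounts.get(system, "no record")
        if state != "disabled":
            open_steps.append(f"disable {system} account for {user} (currently: {state})")

    # 2. Anything else still enabled points at a gap in the procedure itself.
    for system, state in sorted(snapshot.accounts.items()):
        if system not in REQUIRED_SYSTEMS and state == "enabled":
            open_steps.append(f"disable {system} account for {user} (system missing from procedure)")

    # 3. Shared passwords the person knew must have been rotated.
    for secret in sorted(shared_secrets_known - snapshot.rotated_secrets):
        open_steps.append(f"rotate shared credential '{secret}' known to {user}")

    # 4. Every assigned device must be back in inventory.
    for tag in sorted(assigned_devices - snapshot.returned_devices):
        open_steps.append(f"recover device {tag} assigned to {user}")

    return open_steps


def sample_audit():
    """Run the audit on a constructed termination where several steps were overlooked."""
    snapshot = Snapshot(
        accounts={"directory": "disabled", "email": "disabled", "vpn": "enabled",
                  "payroll": "disabled", "crm-saas": "enabled"},
        rotated_secrets={"wifi-psk"},
        returned_devices={"LT-0042"},
    )
    return audit_termination(
        user="jdoe",
        snapshot=snapshot,
        shared_secrets_known={"wifi-psk", "backup-admin"},
        assigned_devices={"LT-0042", "PH-0017"},
    )


if __name__ == "__main__":
    for step in sample_audit():
        print("OPEN:", step)
```

Run on the constructed data, the audit reports four open items: the VPN account that was never disabled, a SaaS account on a system the procedure does not mention, an unrotated shared credential, and a phone that was never returned. Feeding the same function real exports from your directory, mail and asset systems turns the written procedure into something you can verify after every departure instead of hoping it was followed.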

Once you’ve documented your key information security policy, procedures, and standards, the next step is to train your employees on those documents. Keep in mind that each employee has a different learning style.

Some employees learn best by visual cues, others by audio input, and others by physically interacting with the material they’re studying. Some learn best in group settings, while others prefer to study in solitude. If you truly want your employees to understand and adhere to your information security policy, procedures, and standards, then you need to take the time to determine the best way to deliver this training material.

One last thing to remember is that your documentation and training efforts will be a waste of everyone’s time unless that documentation is both current and relevant. What’s the value in a Windows 2000 Server Security Standard if all of your Windows servers are running Windows Server 2008 R2? Once your documentation is complete, you need to schedule a recurring document review process to keep it that way.

To recap, every business owner should do the following:

  • Document information security policy
  • Document information security standards
  • Document information security procedures
  • Train employees on these documents
  • Keep these documents relevant via recurring reviews and updates

In the next article, we’ll tackle Asset Management.