Top 40 Most Common B2B SaaS Security Policies

Policy on policies. Seriously?

It seems odd to have a policy on policies, but it works. A policy on policies keeps your team on track for the year, ensures reviews are completed on schedule, and gives you a consistent approach to the review process. To go along with it, a policy template is an efficient move. The template keeps all policy components consistent across the full library of policies and allows for the quick creation of new policies when they are needed during the year. The template should include a revision number, review date, revision date, revision history, approver name, approval date, and a clearly named owner.

Policies or plans or both?

Below is a list of the top 40 B2B SaaS security policies. Three of these policies are also plans: Incident Response, Business Continuity, and Disaster Recovery. As a plan, the policy spells out specific activities that require training for your team, and any policy which includes a plan is a good candidate for tabletop exercises. These three plans sound very similar but are actually quite distinct: incident response covers detecting, containing, and recovering from security events; business continuity covers keeping the business operating through a disruption; disaster recovery covers restoring systems and data after one. Each serves its own purpose, though there can certainly be overlap across them.

Or are they really processes?

The Risk Assessment policy is also a process. Conducting an internal risk assessment requires a documented process which can be repeated year after year to capture new risks, new mitigation strategies, and lessons learned over the course of each year. Many other policies also include processes. For instance, the Policy Management Policy (the policy on policies) includes the process for reviewing policies.

Why are HR policies in this list?

On the surface, a few of the policies in this list look more like human resources policies, such as Employee Sanctions, Code of Ethics, and Whistleblowing. However, all of them play a significant part in maintaining a successful overall security posture.

How do we keep track of it all?

Enter the Compliance Calendar. With 40 B2B SaaS security policies to review each year, there is a lot to monitor. On top of the policy reviews, there is the annual internal risk assessment, and then the plan tests for incident response, business continuity, and disaster recovery. A Compliance Calendar holds it all together and keeps it on track.

Here is the list of the top 40

Acceptable Encryption
Acceptable Use
Access Control
Anti-Bribery and Anti-Corruption
Anti-Virus and Malware
Business Continuity
Change Management
Clean Desk
Code of Ethics
Configuration Management
Data Backup
Data Breach
Data Classification
Data Destruction
Data Loss Prevention
Data Retention
Disaster Recovery
Email/Communication
Employee Sanctions
Firewall Configuration
Incident Response
Information Security
Internal Usage
Key Management
Mobile Device
Monitoring and Logging
Network Security
Password Management
Patch Management
Physical Access
Policy Management
Privacy
Remote Access
Risk Assessment
Security Awareness and Training
Technology Equipment Disposal
Vendor Management
Vulnerability Management
Web Application
Whistleblowing

Photo credit to Wesley Tingey.

If you need help thinking through this or other leadership challenges, let’s have a discussion to see if I can help in some way.
