Key compliance documents that every company should have
At a recent presentation about technology contracts, I was asked if I had a list of the key policies a company should have. I did not, but the question inspired me to create this list of critical compliance documents that every company should create, along with some brief notes on content. Your IT department or MSP should be able to provide templates and assistance with writing these documents. Here at Clear Guidance, our CISO Anthony Cabral personally walks our clients through their policies and any theoretical situations to ensure that every angle is covered.
Key Compliance Documents
Network use policy
This should cover acceptable use of company IT resources. If the company allows bring your own device (BYOD; a common example is company email on personal cell phones), the policy should address that as well. Other items commonly included are use of company equipment, access to personal data on the company network, data transmission, social media, and security awareness.
Include your security requirements as part of this document. If everyone is required to use multifactor authentication (MFA) for access, it needs to be specified here.
Data use policy
There are a few components to this, and sometimes they are written as separate policies. Many smaller businesses combine data classification, data access, encryption, and retention into one document.
Data classification: define which types of data require which level of security, encryption, and sensitivity. For smaller businesses this is often just two classes, executive and everything else. It is recommended that you require high security for all data if possible.
Data access: who is allowed to access which data, and why. This should define who (often by role and department) has access to each class of data, and the process for granting additional access to an individual.
Encryption policy: there are two types of encryption, at rest and in transit. Everything should be encrypted at rest if possible; an example is encrypted hard drives on company laptops. In transit covers data moving over a website, syncing via a program like Dropbox, or being sent by email.
Retention: how long data is kept, and why. Keeping data for long periods results in high storage use (and cost!) and also creates a headache tracking what exists and where it lives.
Disaster Recovery (DR) and Business Continuity (BC)
Don’t only consider the IT side for this document. If a natural disaster destroyed your office tomorrow, how would you reach everyone? How would you distribute a copy of your DR plan?
Wire transfer policy & other payments/purchasing
The most common breach scenario is wire transfer fraud (WTF). It can happen in several ways, but usually scammers (using spoofed or compromised email accounts) impersonate an executive and request a quick transfer that is never confirmed outside of the email conversation. We also see frequent issues with large gift card purchases.
This topic could easily be folded into other policies, but it is impactful enough that we recommend it stand alone.
Any non-standard purchase should require approval by a second party or a verbal confirmation. It must be communicated to executives that this policy can never be bypassed. Insurance companies will often deny fraud claims where no secondary verification occurred.
Define how the company accepts and stores payment information. Remember that when dealing with credit cards, even keeping one number on a sticky note makes you subject to PCI compliance.
Any change to accounts receivable (AR) or accounts payable (AP) payment-related processes should require rigorous verification. The risk is not only internal: your clients and vendors can suffer breaches as well, and those breaches can be used to redirect funds.
Vendor security policy
You are handing over key parts of your business, such as bookkeeping and IT, to third parties, so you need to ensure they are secure as well.
Patching and security policy
Given the increasing number of breaches, there should be a standard for when updates are installed, including the reasons they can (or cannot) be delayed.
Outline any password policies, login restrictions, or other functionality here as well.
Compliance/Privacy officer role and duties
Many regulations, such as HIPAA and GDPR, require a specific person to be designated as the compliance officer. This position and its duties should be outlined in a document that is signed and acknowledged by the person holding the position.
Breach and incident response policy
It is not a question of whether your business will get hacked, but when. A simple incident response policy will be useful in the heat of the moment. It is also valuable for setting client expectations on how the company will handle incidents, including mandatory disclosures to government and regulatory bodies.
No policy is perfect. At least annually, the company should take an honest look at any DR, security, or other gaps that exist. The resulting report should be presented to the business stakeholders and kept on file in the event of a breach.