Chapter 2

Developing a Plan: Security and Business Continuity

IN THIS CHAPTER

  • Forging a realistic plan
  • Making an investment in security
  • Tapping into the experts

Each year, businesses suffer millions of dollars in loss due to unexpected events ranging from security breaches to natural disasters. The first step in protecting your business from a costly computer invasion or minimizing the impact from a catastrophe is developing a plan. Your plan doesn’t have to be complicated or expensive. However, you do need to give your business continuity plan (how you respond after disaster strikes) and security strategy (how you prevent issues from occurring) more than a passing thought. In fact, put your plan on paper so that you and your employees have a written plan of action.

As an online business, it makes sense to invest time into protecting yourself and your customers from hackers and cybercrooks with top-notch online security. Equally important, even if you don’t have a bricks-and-mortar location, is preparing for events that can compromise your network infrastructure, disrupt product deliveries, destroy inventory, and more. Trust us, there is a lot that can go wrong (think blizzards, earthquakes, and fire). The fun of doomsday daydreaming doesn’t stop here, though. After all, what good is a plan if you don’t implement it? You also have to invest in a decent online security system (or two) and maybe even bring in a few professionals to ensure that you’re properly prepared. If these upfront considerations are ones you’ve thought about — but haven’t gotten around to accomplishing — this chapter has your name on it.

Making a Plan

Coming up with a plan is easier than you might think. It really comes down to making a few lists and checking them twice. Where do you start? Whether you rework an old plan or build one from scratch, the six major components to an effective business continuity and security plan are

  • Policies and procedures
  • Inventory and skills assessments
  • Risk analysis
  • Existing security measures
  • Action plan and backup alternatives
  • People, resources, and follow-up communications

In the following sections, we guide you through the details to include in each of these components for your plan.

Policies and procedures

If you’re part of a larger online business, you might already have a book of policies and procedures carefully spelled out, tightly bound, and neatly filed away in every employee’s desk. The reality for a smaller online company, though, is that you probably haven’t had time to think about formal procedures. If you’re working solo, you might still be skeptical about needing to write these types of policies.

Remember: As an online business owner, the purpose of your business continuity and security plan is to protect both you and your customers. By establishing and implementing written policies, especially a detailed security policy, you reduce the risk of overlooking holes or flaws in the plan.

Honestly, the amount of information that has been published about how to write a security policy could fill a small room. No wonder the task of writing one has become cumbersome. However, in a smaller company, you can concentrate on the basics.

Here’s a baseline rule for establishing your security policies: The amount of policy you need should fit the breadth of your organization and the depth of the risk you want to protect against.

In other words, IBM might require several hundred policies whereas you might need only five policies. At the end of the day, if either you or IBM suffers a substantial security breach because a policy wasn’t effectively in place, you’re both in the same boat. And we don’t mean in a good way.

With that in mind, follow these steps to create your own policies (however many you might need):

  1. Write your overall goals or objectives for your security policy.

    Break down the big-picture goal of protecting your online business into a few smaller chunks of information or goals. Maybe you’re more concerned with outside threats or establishing guidelines for employees. Or you might be most interested in protecting yourself legally and need written policies in place to set precedents.

  2. Create a list of areas in your organization that require protection.

    After each item, make a notation of which ones are better served by the implementation of a formal policy. Use the checklist in Table 2-1 as a guide to the areas that are open to possible security risks.

  3. Determine the scope (number of policies) that is legitimately warranted for the size and need of your organization.

    In reviewing your list of goals in Step 2, you might find that it makes sense to combine several components into a single policy. Conversely, other areas might produce larger or more frequent risks and require a stand-alone policy.

  4. Starting with your first policy, write its purpose and provide an overview of its importance to the organization.

    For instance, you might create a policy about who can access your primary e-mail account. Your goal might be to restrict usage to only designated personnel — and doing so is important so that confidential communications aren’t compromised.

  5. Detail the scope of your policy.

    Specify which employees or level of employees the policy applies to. Also indicate which locations, systems, and data are affected by the policy. Refer to your list in Step 2 to make sure that you include all areas that might be affected.

  6. Write the operational guidelines of the policy.

    The guidelines are the cold, hard facts. Be specific about which actions and behaviors can and cannot happen under the policy.

  7. After the guidelines are in place, write a paragraph about how the policy should be implemented.

    In this part of the policy, provide information such as how employees are to be notified of the policy as well as specific penalties for not enforcing the rules.

  8. Document the date when the policy was created.

    Every time you update the policy, add the next revision date. Leave the earlier version dates so that you have a running history of the document.

  9. (Optional) Add details to the policy.

    You might include a glossary of terms or cross-reference additional procedures and policies that might also intertwine with this one.

  10. Repeat Steps 4–9 for each policy.

TABLE 2-1 Security Coverage Checklist

Security Risk                               Currently Secured   Requires Formal Policy
Desktop computers                           [ ] Yes [ ] No      [ ] Yes [ ] No
Laptop computers                            [ ] Yes [ ] No      [ ] Yes [ ] No
Employee devices                            [ ] Yes [ ] No      [ ] Yes [ ] No
Mobile devices                              [ ] Yes [ ] No      [ ] Yes [ ] No
E-mail                                      [ ] Yes [ ] No      [ ] Yes [ ] No
Bank or financial information               [ ] Yes [ ] No      [ ] Yes [ ] No
Server                                      [ ] Yes [ ] No      [ ] Yes [ ] No
Wireless network                            [ ] Yes [ ] No      [ ] Yes [ ] No
Firewall                                    [ ] Yes [ ] No      [ ] Yes [ ] No
Cable modem/Internet connection             [ ] Yes [ ] No      [ ] Yes [ ] No
Software                                    [ ] Yes [ ] No      [ ] Yes [ ] No
Customer data and credit card numbers       [ ] Yes [ ] No      [ ] Yes [ ] No
Social media accounts                       [ ] Yes [ ] No      [ ] Yes [ ] No
Passwords                                   [ ] Yes [ ] No      [ ] Yes [ ] No
Database                                    [ ] Yes [ ] No      [ ] Yes [ ] No
Cloud-based applications and services       [ ] Yes [ ] No      [ ] Yes [ ] No
Inventory                                   [ ] Yes [ ] No      [ ] Yes [ ] No
Products                                    [ ] Yes [ ] No      [ ] Yes [ ] No
Back-end system                             [ ] Yes [ ] No      [ ] Yes [ ] No
Offices or other facilities                 [ ] Yes [ ] No      [ ] Yes [ ] No
Other physical properties or facilities     [ ] Yes [ ] No      [ ] Yes [ ] No
Files or other miscellaneous                [ ] Yes [ ] No      [ ] Yes [ ] No
Intellectual property                       [ ] Yes [ ] No      [ ] Yes [ ] No

After you finish writing all your security policies, you’re ready to place them in the front section of your written business continuity and security plan.

Inventory and skills assessments

One helpful component for your overall plan is to create a catalog, or inventory, of your equipment and the information that you’re protecting. Table 2-2 serves as an inventory assessment guide, and we tell you in this section how to fill it in.

TABLE 2-2 Equipment Inventory Assessment Guide

Asset Category            Description or MAC Address of Computer   Registration   Username   Travels Off-Site? Y or N   Security Risk: High or Low   Other Information
Hardware                  ______________________________________   ____________   ________   ________________________   __________________________   _________________
Software                  ______________________________________   ____________   ________   ________________________   __________________________   _________________
Peripheral components     ______________________________________   ____________   ________   ________________________   __________________________   _________________
Servers                   ______________________________________   ____________   ________   ________________________   __________________________   _________________
Cloud-based applications  ______________________________________   ____________   ________   ________________________   __________________________   _________________
Documents                 ______________________________________   ____________   ________   ________________________   __________________________   _________________

When you’re filling in the guide, your final inventory list should capture the following information:

  • Hardware: Record a complete list of your laptops and desktops, including supplemental information, such as their serial numbers and the names of people who use each machine. Also list any warranty information per machine. Denote which systems have DVD and other components. For laptops, note whether the equipment is carried off-site.
  • Software: Log an inventory of your company’s software. Include details such as user registration information, licensing restrictions (single or multiple user), and registration numbers. If possible, note which software is loaded on the computers.
  • Peripheral components: This list might include data drives; printers; scanners; tablets; iPhones, Android phones, and other smartphones and mobile devices; handheld devices; portable memory storage devices; extra monitors or keyboards; networking equipment; and even plain old cellphones.

    Remember: Employees frequently want to use their own smartphones and mobile devices for both personal and business use, which is referred to as the bring your own device (BYOD) trend. You should include BYOD policies and procedures as part of your overall risk analysis and planning.

    Tip: Break out your inventory by each individual piece of equipment or software program. That way, you can compile serial numbers and registration numbers or other unique identifying factors for each piece. This is an important part of business continuity planning and may be required by insurance companies when filing claims for damage or loss.

  • Cloud-based applications: Make an inventory of any cloud- or web-enabled programs and services that your business uses, whether for delivering customer surveys, printing online postage, managing customer relationships, or providing business phone service. Detail which computers maintain licenses for each application or have access to web-based solutions.

    Warning: When creating an inventory of applications delivered over the Internet, don’t overlook instant-messaging programs and music or video-related applications. You might not use them, but your employees probably have them installed. Increasingly, these programs are becoming an easy delivery method for viruses, worms, and other malicious activity. You want these programs accounted for in your inventory so that proper security measures can be applied.

  • Social media: Although social media is not a tangible or hard asset, we recommend including a detailed log of all your business social media accounts as part of your inventory list. Social media accounts have increasingly proven to be vulnerable to security threats, especially if passwords are used across multiple accounts. As part of your inventory assessment, keep track of which platforms you use, associated passwords, and those in your organization who have access to the accounts.
  • Documents: This group includes not only critical files but also your intellectual property, promotional materials stored on your computer, financial data, customer data (contracts and invoices), and current and archived e-mail messages.

After you complete this equipment assessment, turn your attention to a skills inventory. (You can add it to the bottom of your inventory assessment.) Compose a paragraph or a complete list of the security expertise that you and your employees have. You can include certifications or other applicable training, too. By conducting a skills assessment, you can see when you need to call in outside security consultants — or how much of that expertise you might need.

Tip: A skills inventory can further help you determine points of educational training needed for you and your staff so that you can develop more internal expertise.

Risk analysis

One of the most important pieces of your plan is the risk analysis portion, in which you identify possible threats, determine your greatest vulnerabilities, and calculate the potential impact should your business not be able to function for a period of time. This important exercise forces you to evaluate the factors that hold the most potential for harming your online business. Your first action is to make a list of all potential threats that can compromise your security and your ability to operate. Classify these security occurrences, or disruptive events, under the following categories:

  • External threats: Include any risk that originates outside your business. You typically have no control over these events (other than being prepared to combat them if they occur):
    • Viruses and worms: Also group Trojan horses and other harmful programs in this category.
    • Malware: Include any type of malicious software that can be unknowingly installed on your computer from an outside source, such as spam, adware, and spyware.
    • Phishing: Add this popular method of tricking and defrauding employees to your analysis. A phishing scam is an e-mail that looks like it comes from a legitimate source but is from a fake company. This type of scam can add up to lots of lost dollars if an employee reveals sensitive data (credit card number, password, and more) to an online scammer.
    • Malicious intruders: Consider any type of activity originating from another individual that’s meant to harm you. Include hackers, former employees, competitors, and thieves. Don’t forget that theft can occur on-site (at your place of business) or off-site (such as at airports and coffeehouses). Comparatively, hackers steal intellectual property and data by way of an Internet connection. Hackers can also do damage by shutting down your network or your website.
    • Outages: Power outages, or any type of disruption to water or utility services, are a serious consideration when operating an online business. Network outages from cloud-based service vendors (from your hosted phone service and website server to your online accounting software and inventory program) can also wreak havoc on your operations for a few minutes to several hours (or longer).
    • Weather: It may not qualify as a complete disaster, but think about weather-related incidents that impede normal operations to you or your customers. For instance, a snowstorm may cause delays to already time-sensitive holiday delivery schedules. Or, extreme heat in the summer may interfere with storage and delivery of perishable food items you sell online.
    • Disasters: Address floods, tornadoes, hurricanes, and fire as possible external risks. As part of business continuity planning, you should also consider the risks if one of these events happens not only to your business location, but to that of a key vendor. If your primary vendor is hit with disaster, is it still able to provide you with products or services? If not, do you have a backup vendor?

      Remember: A critical part of business continuity planning is to consider any and all potential threats to your business, both onsite and offsite. Vendors, delivery services, and online service providers are all critical parts of your chain of operations that could disrupt your online business should their businesses experience a disaster. You cannot prevent these events from occurring, but you can control how you respond to them by having a plan B in place and ready to go in order to minimize the damage.

  • Internal threats: Although not always intentional, these incidents occur from within your own operations. Internal threats can do serious damage as well as expose your vulnerabilities:
    • Malicious intent: Employees or other people might have somewhat unlimited access to your assets. Unfortunately, not everyone is as nice or honest as you want to believe. Consider the possibility that a serious — and intentional — breach of security can occur right under your nose.
    • Accidents and user error: Think of any accidents or human errors that can occur. Coffee spills on laptop computers, accidentally deleted data, dropped monitors — the list is endless.
    • Failures: Specifically, these failures are system failures. Whether your computer crashes, your software bombs, or your Internet connection or server goes down, these failures are all part of an unwanted security risk.

After you put on your doomsday hat and identify all possible threats that can take you down, go one step further and prioritize each one according to its level of risk. You can do this by using a hierarchical ranking system. Or you might prefer to assign a low, medium, or high risk value for each of your items.

Remember: Ranking your risks is a subjective process that requires you to be open-minded and honest in evaluating the security of your business. If you don’t feel that you can be objective, consider bringing in outside help.

If you find that a risk analysis shows your business to be at a medium- to high-level risk for attacks, accidents, or failures, consider inviting a paid technology or business consultant to evaluate your business and offer solutions. The costs of improving your security and beefing up your disaster-recovery plans will be paid back in the long run by reducing the odds of your losing data, damaging your reputation, putting customer information at risk, and shutting down your ability to operate.

Existing security measures

Unless you’re in the planning phases for a new business, you have probably already implemented some level of security. Here’s the appropriate place in the plan to specify which protective actions you already take.

You want to describe firewalls, antivirus software, and other basic security measures that provide some level of protection. However, you can add any routine security-related systems or functions you conduct. For example, you should plan to

  • Change passwords regularly
  • Back up your data regularly
  • Perform routine system maintenance and software updates
  • Implement physical security measures, such as alarm systems or fireproof safes
  • Minimize access to servers and business-critical computers by storing them in a secure location, such as a controlled server room or lockable closet

Remember: No matter what, be honest. If the last time you backed up data was several months ago, don’t include it as a security measure that you can check off your list.

Action plan and backup alternatives

To some degree, you can consider the action plan the meat of your document. After all the assessments, inventories, and analysis, you’re ready for a true plan of action.

The first part of an action plan is creating a communications tree. No, we’re not talking about a tree with leaves, but rather a phone tree! It’s a diagram that has branches (or lists) of critical people to call or communicate with in case of disaster or other critical business disruption. A communications tree should start with you, as the business owner, and may include a list of the most important employees, public relations contact (if it requires external or public notice), vendor contacts, legal contacts, insurance agent … the list can be as extensive or brief as required. The important part of communications is just that — you need to be able to quickly communicate important information to the people in your organization and make sure the appropriate information is also communicated to customers. Be sure you have back-up phone numbers, e-mail, and emergency contact information for your employees.

Once your communications tree is in place, you can turn your attention to the rest of your action plan. Based on the information you collected (see the earlier sections of this chapter), you can readily spot your strengths and weaknesses in the realm of security and business continuity. And now you can focus on what we like to refer to as your points for improvement (PfI), or the specific areas where you find weaknesses that should be corrected.

By concentrating on your PfI, you can create a step-by-step plan of action to beef up your security and business operations. In each step, be specific. Here are examples of some of the steps that you might include in your own plan of action:

  • Purchase and install external security locks for all laptops.
  • Turn on the Automatic Update feature on all desktop computers to activate a fixed schedule for installing all new software updates.
  • Purchase a password generator and choose quarterly dates for changing passwords.
  • Implement redundancy (or backup) for service and system failures that occur onsite or offsite.
  • Identify secondary sources for key products and services offered by primary vendors.
  • Create a scheduled backup, specifically for customer data such as order histories.

Remember: Find an online service for an additional backup so that your data is stored off-site yet still readily accessible if your on-site files and backups are destroyed.

Your plan of action might include a couple dozen steps or only a few. You have a thorough action plan when all your PfI are accounted for and the security holes are plugged.

Tip: Compare your action steps with the security policies and procedures you already created. Your plan of action for security should take into account those policies and contribute to each one being effectively implemented.

People, resources, and follow-up communications

The final component of your security and business continuity plan addresses the resources (and budget) that are required to put your plan into action. Make a list that identifies all the purchases you need to make to fulfill your plan, especially the security component of your plan. Include a price estimate for each item. If your total is hefty, prioritize which ones fall under the must-have category as well as which ones can wait.

In addition to the resources that require cash, you should include all other resources used in your plan. For instance, budget the time for yourself or employees to attend an Internet security class. Even if a vendor offers this type of training session for free, attendance still requires a small investment in human resources capital.

The last piece of this section should include a timeline for change. Assign both a reasonable date for completion and a person who’s responsible for each action item. Schedule a recurring date for reviewing the progress of your plan’s implementation, too.

Remember: No matter how many action items you develop or how many pages your security plan turns out to be, its true worth is measured in one way: Does it work? If your plan is thorough and realistic, your answer should be a resounding “Yes!”

Creating a Budget for Your Plan

Developing a written security document is an investment in itself. If nothing else, it bears the cost of your time. But as the resources and follow-up section of your security and business continuity plan indicates, that step is only the beginning when it comes to paying the price for peace of mind and preparedness. You probably already put down a fair chunk of change but haven’t tallied your investment. The typical places in which you probably already spent money include business insurance for your computer, office equipment and other material structures, antivirus software, a good firewall for your network, and other backup and redundancy services.

Determining how much more you need to spend depends on your circumstances. As an online business, the bulk of your budget is likely to go toward security. The ongoing threat of cyber-related crime, in addition to the number and magnitude of actual incidents, has kept businesses spending an expanding portion of their IT budgets on security. Research from Canalys (www.canalys.com) indicates that security spending continues to grow by nearly 10 percent, year over year. With security spending exceeding $75 billion (globally) in 2015, it is expected to hit an all-time high of $101.3 billion (globally) by 2018, according to Gartner (www.gartner.com).

To come up with a reasonable and effective budget for your business, take another look at your resources list from your security plan and determine the total value of the resources you’re protecting.

Figure out how much a security breach can cost if you don’t make that investment. Roughly calculate the value of your equipment: all your hardware, software — everything. Then assign a value to the intellectual property you need to protect. It’s probably a whopping number. For e-commerce sites, another financial factor is identity theft. You have to consider the potential dollar value of your loss if a hacker gains access to your customer information. Lawsuits and insurance aside, consider it from another perspective: If your site has a major compromise of customer data, those customers must be notified. That situation can be a public relations nightmare — and can result in the loss of future orders.

Remember: When determining your security budget, be sure to include the cost of compliance. As the owner of an online business, you may be required to implement and maintain additional security procedures to protect customer data as part of government regulations or private industry standards. Examples of these compliance issues include the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

No one can tell you how much you need to spend, or should be willing to spend, on security. When deciding how much to invest for security, ask yourself these two questions:

  • What’s the value of the assets I’m protecting?
  • Is that amount worth the cost of security?

Tip: After you list the value of your assets, give this detailed inventory list to your insurance company to verify that you have the proper type and amount of coverage for your business. Don’t forget to save a copy of this list for yourself in case disaster strikes.

Finding Security Resources

After you commit to your security budget, you can find plenty of outside resources that are happy to assist you in spending it. And you have lots of do-it-yourself opportunities, too. You have to decide when — and whether — an outside source is warranted for both security resources and business continuity consultants. Then you should determine which resource is the best one for you to use.

When searching for help with security issues and business continuity planning, you have many choices. More than likely, they fall into one of these categories:

  • Consultants: Often specializing in a particular area of security or business planning, a consultant can be hired to offer an initial assessment or to assist with the complete solution. Most consultants bill in one of two ways:
    • Hourly: Some consultants charge by the hour, which typically ranges from $80 to $300 (or more) per hour, depending on your geographic location and on the consultant’s specialty.
    • Flat fee: A consultant can also bill you a flat fee based on the scope of the project. As a general rule, the more complicated your issue — or the more specialized the expertise of the consultant — the more you can expect to pay.
  • Experts: Experts can be individuals who work in a technical-support environment or who have full-time jobs in a related subject area (and advise informally or on a part-time basis). You can find experts in your vendor relationships or in community service programs for businesses (such as Service Corps of Retired Executives, or SCORE). The cost of an expert’s time varies widely but usually is on the lower end of a consultant’s fee. You might even find volunteers.

    Remember: When paying for an expert or hiring a consultant, check out the person’s certifications and ask for references. You should ask even if you’re getting help for free (although it’s more difficult to be selective if you aren’t paying someone).

  • Training programs: Call them seminars, training programs, or webinars, these resources provide information from a classroom perspective. Rather than provide individual support, these types of programs are targeted for a large group of people. Cost for this type of instruction varies. A one-day seminar might cost $300 or $400; a webcast or an online class might be free.

    Tip: When attending a vendor-sponsored training program or seminar, the solutions that are offered tend to focus on that particular vendor’s products. If you want unbiased guidance, make sure that someone other than a vendor or distributor teaches the session.

  • Self-help: As in a training program, you can go the self-help route to seek out the knowledge base you need to educate yourself. The cost ultimately is a result of your time and any resources you purchase.

You have to decide which solution is right for you, and knowing when to go somewhere else is usually pretty clear. It’s determined by these four key factors:

  • Budget: You might have the money to spend on outside assistance, or you might be particularly budget conscious. As with the issue of time, hiring someone else and spending your labor dollars on other projects might make more sense.
  • Expertise: Either you have the knowledge to resolve the issue or you don’t. If you don’t have the expertise, you must have the ability and the time to learn.
  • Scope: Determine how serious the problem is and whether it’s limited to your immediate network or reaches outside it.
  • Time: If the issue is critical or you’re reacting to a problem that already occurred, you probably want immediate action. Or you might be taking preventive measures. If so, time is on your side. Even if you have the time, consider whether it’s best spent somewhere else. You might prefer to call in the experts.