What Are You Missing in Your Security and Compliance Policies?
Joel Caskey Sr. Technology Business Engineer NETXperts LLC
Security audits have been a trend in recent months. One of the big places I see businesses “missing the boat” on audits is formal compliance policies. These are good to have in place not only for audit purposes but also as plain good practice. At a minimum, the basic security and compliance policies any business should have in place include:
Incident Response Plan – This is a “what happens when…” type of plan. This includes procedures on how to handle items such as data breaches, compromised accounts, and ransomware attacks. This requires regular testing, which should be covered in the policy and plan document.
Password Policy – This is the foundation of your security. Every business should have a password policy, which should promote strong passwords and changing them regularly. Multi-factor authentication should also be included for sensitive systems.
Information Handling Policy – This policy can be based on the data that your organization works with. It should include data classifications such as “Confidential”, “Internal Only”, or “Public” and how to store, handle, and transmit each type of data.
Acceptable Use Policy – This is simply a policy advising what is and is not acceptable for employee use of your technology assets. This could be as simple as “Company technology assets are for business use only. Personal use of company systems and assets is prohibited.”
Disaster Recovery Plan – This is another “what happens when…” type of plan. This plan, however, addresses more of the “real-world” items, such as fire, flood, accidental data destruction, or basically anything that would warrant needing to restore from a backup. Some of this may overlap with an Incident Response Plan, as cybersecurity incidents can often require invoking a Disaster Recovery Plan. This also requires regular testing, which should be covered in the policy and plan document.
Some of these things may seem like overkill for a small business, but they are going to become more and more common as compliance audits become more widespread. Having these policies formalized will help with an audit, as well as with readiness for future events that require a response. Once developed, policies and plans should be reviewed annually for correctness and for any changes that need to be made.
Security audits should be welcomed, not dreaded. Let NET Xperts take some of the worry off your shoulders and assist with your business’ cybersecurity. Give us a call at 412.244.NETX (6389) to speak with one of our Technology Business Consultants!