documenting_policies_and_processes
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
| documenting_policies_and_processes [2019/08/09 19:19] – neil | documenting_policies_and_processes [2019/08/14 19:09] – neil | ||
|---|---|---|---|
| Line 6: | Line 6: | ||
| ====Documenting for compliance==== | ====Documenting for compliance==== | ||
| - | As a general rule, most regulators like to see documented policies and processes. They prove that you have thought things through — even if not perfectly, then at least attempted to address | + | As a general rule, most regulators like to see documented policies and processes. They prove that you have thought things through — even if not perfectly |
| - | Clearly, if what you have done is negligent, you are perhaps creating even more of a mess for yourself, and putting together a nice paper trail, but if you are reading this site, and thinking about your and your firm’s cybersecurity needs, you probably aren’t the highest risk in this regard. | + | Clearly, if what you have done is negligent, you are perhaps creating even more of a mess for yourself, and putting together a nice paper trail, but if you are reading this site, and thinking about your own and your firm’s cybersecurity needs, you probably aren’t the highest risk in this regard. |
| - | Â | + | |
| - | The Information Commissioner’s Office is particularly keen on there being a solid paperwork basis for your approach to matters of data protection and, if you are processing personal data — whether that’s your staff, or your clients, or of anyone else — having a framework which would keep the ICO happy is no bad thing. | + | |
| If you can set out what your policy is, who is responsible for it, and document your processes and controls, review them regularly, and keep a note of what you’ve reviewed and when, you’re likely to be heading in the right direction. | If you can set out what your policy is, who is responsible for it, and document your processes and controls, review them regularly, and keep a note of what you’ve reviewed and when, you’re likely to be heading in the right direction. | ||
| - | If you have staff, there’s likely to be an expectation of training them and keeping them informed of changes, and a record of ongoing training can be useful too. | + | If you have staff, there’s likely to be an [[educating_your_staff|expectation of training them]] and keeping them informed of changes, and a record of ongoing training can be useful too. |
| ====Remembering why you made a decision ==== | ====Remembering why you made a decision ==== | ||
| Line 20: | Line 18: | ||
| I also find it useful to record reasons why I have made decisions. | I also find it useful to record reasons why I have made decisions. | ||
| - | In some cases, the reasoning behind a decision might be obvious. But if you weighed up various factors, and reached a risk-aware conclusion, you might want to just set out what you considered and why you came to the conclusion that you did — even if just so that, in future, when you are trying to remember why you did something, or didn’t do something, you can get back to the state of mind you were in when you made the decision. | + | In some cases, the reasoning behind a decision might be obvious. But if you weighed up various factors, and reached a risk-aware conclusion, you might want to set out what you considered and why you came to the conclusion that you did — even if just so that, in future, when you are trying to remember why you did something, or didn’t do something, you can get back to the state of mind you were in when you made the decision. |
| But documenting things has benefits beyond regulatory compliance. | But documenting things has benefits beyond regulatory compliance. | ||
| Line 29: | Line 27: | ||
| * It gives you something to use as a framework for talking to a new starter or colleague, rather than trying to remember everything you might do for your own security. | * It gives you something to use as a framework for talking to a new starter or colleague, rather than trying to remember everything you might do for your own security. | ||
| - | In some cases, having a handy reference guide as to what you’ve decided to do in a particular situation may be the difference between absolute panic and just, well, slight panic, if something does go wrong. | + | In some cases, having a handy reference guide as to what you’ve decided to do in a particular situation may be the difference between absolute panic and, well, slight panic, if something does go wrong. |
| + | Â | ||
| + | If you’ve documented the procedure for [[securing_your_devices# | ||
| + | Â | ||
| + | ====Getting an accreditation ==== | ||
| - | If you’ve documented the procedure for wiping a lost mobile device, for example, you don’t need to remember things in the heat of the moment: you just work through your document. | + | If you want more than your own documentation, you might consider an [[accreditation]] |
documenting_policies_and_processes.txt · Last modified: 2021/07/06 09:26 by 127.0.0.1