Essential IT documentation for your company

By Craig Rhinehart, chief information officer, Robinson, Grimes & Company

Maintaining documentation is part of my job, and it's a struggle for me. I suspect I am not the only one, so I'll call this "the elephant in the room" and acknowledge its presence.

The purpose of this article is not to justify or make a case for creating written policies. It's about recommended IT-related policies for your firm. With that said, though, here's a brief justification for creating written policies:

Documented policies and procedures help guide an organization's operation. Well-written policies and procedures allow outside auditors or peer reviewers to assess risk and perform compliance work. It also helps an organization stay consistent when management needs to make decisions. When documenting formal policies, it is important to keep them as simple as possible and involve the appropriate team members in their development. It is also essential to keep the policies easily accessible and promote them throughout the organization.

In very practical terms, having documented policies can:

• Improve compliance. Pick any regulatory body (SOC, HIPAA, PCI, GLB, GDPR, etc.) and various policy documents will be on their compliance checklist. Also, some clients or potential clients will have vendor policies that hold you, as a potential vendor, to a standard –often requiring you to have specific policy documents (among other things).

• Reduce cyber-liability insurance costs or improve the availability of coverage. Insurance providers will want to know you have specific policies in place and may want to review those policies. Without them, you may be denied coverage.

• Lead to organizational improvements. Reviewing and updating policies often triggers creative thinking and can lead to organizational improvements.

• Boost employee confidence. Having policies in place sends a clear message to the entire team that everyone is on the same page. There is no guesswork about what they're doing and how they are to do it.

A common struggle is knowing which IT-related policies should be created. There are numerous possibilities, but a few are essential to any firm's IT operation - regardless of size. Each firm's policies will look different because each

firm is different. This is at least part of why finding good "fill-in-the-blank" templates for most policies is difficult or impossible. Below are those essential IT-related policies that every firm should have in place. This list could also be applied to other businesses; it isn't specific to accounting firms.

• Information Security – From NIST (the National Institute of Standards and Technology at the US Department of Commerce), an Information Security Policy is an "Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information." PurpleSec (a network security company that provides risk assessments, vulnerability management, and penetration testing services) describes it this way: "Information technology security policies are a set of written practices and procedures that all employees must follow to ensure the confidentiality, integrity, and availability of data and resources. Creating security policies is considered the most critical element of an IT security program." In more simple and practical terms, it's a policy that describes how your firm manages and protects its data. This is a good place to start if you do not have written IT-related policies.

• Incident Response – According to NIST, an Incident Response Plan is "The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber-attack against an organization's information systems(s)." CISA (the U.S. government's cyber defense agency ) says, "An Incident Response Plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident." All of the cyber liability insurance provider applications I have reviewed in the past year inquire about this policy. All firms should have an Incident Response plan in place.

• Business Continuity and Disaster Recovery – These policy document names are frequently used interchangeably but serve distinct purposes. According to KirkpatrickPrice, an information security auditing firm, "Disaster recovery planning is limited to IT infrastructure and resources. It concerns preparations for IT outages and downtime, temporary measures to maintain availability when infrastructure is disrupted, and how the organization plans to recover IT operations to their original state.

The list above represents the essentials — the policies every firm should have. There are numerous other policies that your firm may choose to have in place. Some may be separate policy documents, while others may be contained within one listed above - most likely the Information Security Policy. The list below is not an exhaustive list of all possibilities, but it does include some of the more common additional policies or content sections:

• Acceptable Use – Describes a firm's systems' acceptable (and unacceptable) use(s).

• Backup – Describes procedures, policies, and responsibilities for performing backups, including a welldefined schedule.

• Bring-Your-Own-Device – Describes when and how employees, contractors, and other authorized end users can use their own laptops, smartphones and other personal devices on the company network to access corporate data and perform their job duties.

• Clean Desk – Ensures that confidential data is not exposed to unauthorized individuals who may pass through your area.

• Document or Data Retention – Stipulates when data no longer serves its purpose and should be deleted. Data Retention Policies are critical to meeting various regulations and retention requirements. This includes retaining data and records for the specified period of time and also the prompt deletion or destruction of records once the retention timeframe has expired.

• Hardware and Media Disposal – Establishes and defines standards, procedures, and restrictions for the disposition of IT equipment and media in a legal, cost-effective, and secure manner.

• Password – Describes the password rules login accounts must meet, such as length, complexity, age, and re-use limitations.

• Patch Management – Describes the parameters by which an entity operates its software patch management program.

• Remote Work – outlines when and how employees can work from locations other than the office or on a flexible schedule.

• Social media – Part of a company's business code of conduct that tells employees how to represent themselves and, by extension, the company on social media. It includes guidelines to protect the company's security, privacy, and legal interests.

• Vendor Approval/Management – Describes how to evaluate vendors according to risk level and assess potential new vendors for adherence to appropriate cybersecurity practices.

When suggesting creating policies, it is common to hear, "Where can I get a template or an example?" Therefore, any article with a list of policies would be incomplete without some attempt to provide at least a few sources for examples. There are numerous sources for policy templates on the internet. Some sites offer them at no cost, while others provide them with a fee attached. Here are a few sites that offer quality IT policy templates at no cost:

• PurpleSec (purplesec.us)

• The National Institute for Standards and Technology (nist.gov)

• The SANS Institute (sans.org)

• The Center for Internet Security (cisecurity.org)

A golden rule about policies is, "If it isn't written, it doesn't exist." These are wise words when it comes to your firm's IT policies.

Reprinted with permission of The Georgia Society of CPAs.

Craig Rhinehart is the chief information officer for Robinson, Grimes & Company, PC, in Columbus, Georgia. Craig has served as the firm's IT manager, director, and now CIO for over 25 years. He is a member of the GSCPA IT Advisory Council and the BlackBerry Cylance Executive Advisory Board.