Does your organization have IT security controls? Yes, of course. Even the smallest, one-person business manages their data security with simple controls around passwords, where data can be stored, and what information can be shared. How formally those controls are documented, mapped to IT security frameworks, or tested internally or externally can vary widely from one organization to another.
Regardless of your company’s size, your IT security controls should be:
Clearly and consistently documented;
Easily accessible to all employees;
Communicated frequently;
Updated periodically as risks and business needs change; and
Clarified, re-communicated, and/or formally trained if common violations occur.
For larger companies or those with higher IT security and data security risks, you may also need to:
Choose and implement an IT security framework, such as ISO 27001, SOC 1, SOC 2, NIST, or PCI;
Document and map formal IT controls to the framework, providing evidence that all requirements of the framework are met; or
Gather signoffs and certifications from employees that they have reviewed the critical controls – or certifications from control owners that the controls are being performed.
For those organizations that are required by law or due to customer demands to comply with specific frameworks – particularly if required to comply with multiple IT security frameworks – there may be an additional need to:
Map internal IT controls to multiple frameworks simultaneously;
Gather evidence that controls are being performed or followed for internal assessment;
Provide access to external auditors, regulators, or customers to review internal controls and assessments – or perform their own testing on internal controls; and
Report on IT security controls as they relate to specific IT security frameworks.
Regardless of where you fall in the spectrum, policyIQ’s platform provides a solution allowing you to manage your IT security controls. Small organizations may simply document and communicate controls, while more formal framework mapping and audit testing can be performed for organizations with expanded needs. The best part? policyIQ can grow with you.
Contact us if you have questions about how to implement policyIQ for IT security controls! If you would like to take a look at an example – using policyIQ’s own SOC 2 IT security environment – this previously recorded training is a great overview.