I have been seeing a lot of similarities in policy between organisations, especially small to medium sized businesses. A policy is meant as a hard guide towards achieving a certain holistic goal/s for an organisation. It is not something you can just rip off the internet and attach to your organisation and organisational structure.
👉Cybersecurity policies are unique. It's not a matter of copy and pasting your company name onto a template.
👉There is no one size fits all, as every company has different risks to attend to.
👉Remember some of these templates floating online are catered to fit companies who can afford what is being demanded AND need the corresponding high levels of data confidentiality and integrity.
👉The #CIA matrix can be quite fluid at a granular level. It's not just a static 'triangle' thingy. It can be a good base for measuring what your #informationsecurity posture as a small to medium sized business should be.
As I informed one of the bosses I was working with, the policy he had put in place called for bi-monthly penetration tests by internal staff, and these guys did not have a single Cybersecurity/Information Security professional.
It's quite disheartening to know that people don't even take the time to read and understand what they have lifted off the internet.
As with anything pertaining to an organisation or life in general, one must cut a coat according to their size.