Okay, so we previously discussed risk and we said that risk really is the foundation for all of our business decisions. Well, that being said and it's absolutely tried true, it's also the foundation for all of our policies, and what this section is going to address is gonna address policy security policy
and how we're gonna protect the privacy of our customer information.
Now we'll also talk a little bit about incident response, which, when something happens, that's a direct violation of our policy. How do we respond? What sort of procedures do we have to recover our assets? If we have had some degree of loss getting onto the beginning of discussing security policy, the first question we might ask is, is who writes policy?
Well, the answer is it should really be a cross functional team. There should be representatives from several different departments.
Ultimately, policy comes from senior management, meaning they're the ones that sign off and implement the part of the policy. But human resource is almost always involved with writing policy. We need legal counsel. You know, there's so many questions of
Is this policy even legal, you know, Is it possible? Is it Is it legal for a company
to monitor phone calls to monitor email? Is it legal for a business manager to seize equipment from an employee? You know, the answer is, honestly, I don't know. That's why we involve legal counsel, legal counselors responsible for overseeing the policy development
and making sure that everything that's in that policy is within the realm of the law.
So don't ever assume always get counsel from legal senior management those ultimately the ones that signs off on policy. And they're the ones that become liable for the specifics of policy
employees. Sometimes we're involved with policy. It's always good to get by in from your team members
regulatory agencies. They may not write your policy, but they certainly have a tremendous input. What my company does is driven by laws and what regulations I'm required to abide by. Certainly industry organizations, industry standards, you know, when we talk about risk, we talked about the fact that,
you know we have to look at due diligence,
would have other industries or other companies in my same industry do what do the laws say. We have to do what's good foundation Aly Solid business practice Ah, and all of those things will lead me to the policy that I create
now with policy development. We said We've got many different departments and elements contributing to policy. So policy gets written handed off the senior management for approval again. It ultimately comes from senior management, and then we make the policy. Public policy should be well known. It should be,
um, you know, usually, companies give out employees handbooks
that go through the policy and the expectations. Remember, our job is never to catch an employee violating policy. Our job is to help employees follow policy, so we always want to make our policy well known. We want to provide our employees with the information that they need to follow the rules,
and we will make it very clear and very easy to understand. We publish that policy, make it available.
Ah, policy, though, is a living, breathing beast, so to speak. And we constantly have to review our policy and make sure that its current on that it's applicable, that it's relevant within our current environment and many times what makes good sense to be part of policy today, we may have to manipulate and change that tomorrow.
We want to make sure that there's a review process. We would look a policy, at least on a yearly basis,
perhaps more based on risk and based on the changing environment. But we wanna have a set policy set of procedures in place for reviewing policy. And then we would also want some sort of change control process. If policy needs to be changed to make sure that there's a thorough process to evaluate those changes
into ratified policy
and then at some point in time policies become outdated. So we archive the old we bring in the new.