The document trail that proves your company takes security seriously

When a breach or misuse of data occurs, the first question asked is, “How can you prove you were doing the right thing?” The companies that are not sweating are the ones that have compiled the documentation showing they did everything right.

Compliance documentation should not be something you immerse yourself in just to check boxes; it is your saving grace, your proof, and in many cases the only thing standing between a minor incident and a company killer.

Why Documentation Is Necessary (or Should Be, for Most Owners)

Most owners understand that some documentation will be required; few, however, grasp just how comprehensive it needs to be. For example, it's not enough to have a password policy sitting on a shelf, created once and forgotten since.

Generally speaking, when an auditor, regulator or even your own legal team comes knocking, they want to see a trail. They want to know what controls you had in place, when you had them in place, who owned them, and how you knew they worked.

If your company processes payments or holds a highly sensitive customer database and someone breaches it, everyone is going to want to know: clients will ask whether you were negligent; insurers will ask whether you were paying attention; and legally, having something is far better than having nothing.

The Documents That Protect You

There is a standard set of documents and materials that any legitimate company should maintain. None of them are optional for anyone who has been trusted with other people's data or money.

First and foremost: security policies. Not the ones lifted from the internet and never looked at since, but policies compiled around what your company specifically does, where it keeps information, who has access to what, and what happens when bad news strikes. These should also be reviewed periodically, and, need I say it, there should be documentation showing they were reviewed.

Access control lists are huge. Who had access to critical systems? When? When was access removed? If an employee is terminated and still has access three months later, that's a problem; if you can't prove when you removed that access in the first place, that's a bigger problem.

Risk assessments are also huge. Companies that don't conduct them, or merely tick a box saying they have, benefit no one. A good risk assessment shows that your company acknowledges its threats and understands how to address them.

Incident response documentation is enormous. When something bad happens (and one day it will), how you respond, and how you document that response, matters. The incident report itself, how the incident was managed, what was recorded, and whether you went back to work out what went wrong are all critical. The companies that manage breaches well are the ones that document their response all along the way.

What Actual Auditors Look For

Assessors in a formal examination look for more than mere existence. They want to understand whether documentation lives in a bubble or is woven into a comprehensive approach.

They'll look for change management: when major systems change, someone authorised it, tested it and documented what happened. They'll look at your testing results to validate that you are actually checking whether these controls work. And they will absolutely assess how you dealt with deviations.

Auditors often get into the minutiae; they ask for meeting minutes, training records and signatures to verify that your organisation actually functions as if security matters, rather than just paying lip service.

What's most surprising about assessments of this kind is how much attention the seemingly insignificant items receive. A company might think it has everything together until someone digs through what it dismissed as unimportant.

Companies facing more formal validations find great benefit in working with professionals who understand, from a comprehensive perspective, what needs to be shown. A SOC audit reveals whether your documentation and controls actually hold up, which is far better than finding out on the day something occurs, when it's too late.

The Stuff No One Thinks About Until It's Too Late

Vendor management assessments rarely come into play for companies, but they should. If you work with third-party vendors (and who doesn't?), you must keep documentation showing you vetted that vendor and its systems over time. When a vendor you work with gets breached months down the line, people are going to want to know that you did your due diligence.

Business continuity and disaster recovery plans need to be in writing, with a trail. Haven't tested your scenarios? That is a failure you should have documented long ago. Companies think they're covered until disaster strikes and they realise they're working from theoretical concepts instead of tested outcomes.

Configuration baselines are more important than you'd think. When change occurs (and it does), you should not only know what the approved configuration looks like (so you can spot unauthorised changes), but more importantly know what was configured, who was given access, and when.
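The baseline and change-management points above, as an added example that is not part of the original article: an observed configuration is compared against the approved baseline, and each drift is either matched to an approved, tested change record or flagged as unauthorised. The baseline keys, the host snapshot and the change tickets are all constructed sample data.

```python
from datetime import datetime, timezone

# Constructed approved baseline for one server class (sample values, not a real build).
BASELINE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.allowed_ports": "22,443",
    "audit.enabled": "yes",
}

# Constructed host snapshot: current value plus who last changed it and when.
# "audit.enabled" is deliberately absent to show the "missing control" case.
OBSERVED = {
    "sshd.PasswordAuthentication": {"value": "no", "changed_by": "ansible", "changed_at": "2024-04-02T10:00:00Z"},
    "sshd.PermitRootLogin": {"value": "yes", "changed_by": "dave", "changed_at": "2024-05-20T22:41:00Z"},
    "firewall.allowed_ports": {"value": "22,443,8080", "changed_by": "ansible", "changed_at": "2024-05-10T09:00:00Z"},
}

# Constructed change-management records: approved and tested changes with a change window.
APPROVED_CHANGES = [
    {"ticket": "CHG-41", "key": "firewall.allowed_ports", "new_value": "22,443,8080", "approved_by": "cto",
     "tested": True, "window_start": "2024-05-10T08:00:00Z", "window_end": "2024-05-10T12:00:00Z"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def drift_report(baseline, observed, approved_changes):
    """Return one finding per baseline key that is missing or differs from the approved value."""
    findings = []
    for key, expected in baseline.items():
        obs = observed.get(key)
        if obs is None:
            # A control that should exist but is not present on the host is always a finding.
            findings.append({"key": key, "kind": "missing", "authorised": False, "ticket": None})
            continue
        if obs["value"] == expected:
            continue
        # A drift is authorised only if a tested change record names this key and value
        # and the change landed inside that record's approved window.
        match = next((c for c in approved_changes
                      if c["key"] == key and c["new_value"] == obs["value"] and c["tested"]
                      and parse_ts(c["window_start"]) <= parse_ts(obs["changed_at"]) <= parse_ts(c["window_end"])),
                     None)
        findings.append({"key": key, "kind": "changed", "expected": expected, "observed": obs["value"],
                         "changed_by": obs["changed_by"], "changed_at": obs["changed_at"],
                         "authorised": match is not None, "ticket": match["ticket"] if match else None})
    return findings

if __name__ == "__main__":
    for finding in drift_report(BASELINE, OBSERVED, APPROVED_CHANGES):
        print(finding)
```

Each unauthorised finding carries the who and when from the snapshot, which is exactly the evidence an assessor asks for when a change was not covered by a ticket.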

Employment contracts and agreements should clearly specify security requirements, so that when they must be enforced down the line (non-disclosure agreements, acceptable use policies or security addendums), there's a paper trail showing compliance from all parties.

How To Keep This Stuff Without Becoming Overwhelmed

Companies that have created comprehensive documentation integrate it into their everyday operations. When someone is granted access or access changes, it gets documented right then and there. When policies are reviewed, notes are taken then. When an incident occurs, documentation begins immediately, not three days later when no one remembers what happened.

Companies need to do this through automation as well as human effort. Log collection and reviews of access or compliance can be partly automated; making sure the final products live up to expectations, however, is where human analysis becomes critical.
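The access control trail described earlier and the automated access review just mentioned, as an added example that is not part of the original article: a grant/revoke trail is replayed against an HR leaver list to show, for each leaver and system, whether access was removed, how long after their last day, and which ticket proves it. The log lines, user names, systems and ticket ids are constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed access-change trail (JSON lines), one record per grant or revoke.
ACCESS_LOG = """
{"ts": "2024-03-01T09:00:00Z", "user": "alice", "system": "billing-db", "action": "grant", "approver": "cto", "ticket": "ACC-101"}
{"ts": "2024-03-01T09:05:00Z", "user": "bob", "system": "billing-db", "action": "grant", "approver": "cto", "ticket": "ACC-102"}
{"ts": "2024-03-02T10:00:00Z", "user": "bob", "system": "payments-api", "action": "grant", "approver": "cto", "ticket": "ACC-103"}
{"ts": "2024-05-16T08:30:00Z", "user": "bob", "system": "billing-db", "action": "revoke", "approver": "it-ops", "ticket": "OFF-7"}
""".strip()

# Constructed HR leaver list: user -> last working day (UTC).
LEAVERS = {"bob": "2024-05-15T17:00:00Z", "carol": "2024-04-01T17:00:00Z"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_leaver_access(log_text, leavers, review_date, max_lag_days=1):
    """Return one finding per (leaver, system) pair that ever received a grant."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    # Replay the trail in time order to recover current state and the revoke evidence.
    state = {}
    for e in events:
        key = (e["user"], e["system"])
        if e["action"] == "grant":
            state[key] = {"active": True, "revoked_at": None, "ticket": None}
        elif e["action"] == "revoke" and key in state:
            state[key] = {"active": False, "revoked_at": e["ts"], "ticket": e["ticket"]}
    findings = []
    for (user, system), st in sorted(state.items()):
        if user not in leavers:
            continue
        left = parse_ts(leavers[user])
        # Still-active access is measured up to the review date, not the revoke date.
        end = parse_ts(st["revoked_at"]) if st["revoked_at"] else parse_ts(review_date)
        lag_days = (end - left).days
        findings.append({
            "user": user, "system": system,
            "status": "revoked" if not st["active"] else "STILL ACTIVE",
            "lag_days": lag_days, "evidence": st["ticket"],
            "ok": (not st["active"]) and lag_days <= max_lag_days,
        })
    return findings

if __name__ == "__main__":
    for finding in review_leaver_access(ACCESS_LOG, LEAVERS, "2024-06-01T00:00:00Z"):
        print(finding)
```

A leaver with no entries in the trail at all (carol here) produces no finding, which is itself worth a human look: either they never had access, or the grant was never recorded.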

Regular reviews (quarterly, or annually at the very least) keep documentation current and policies relevant to the people who have to implement them, rather than leaving documents created years ago that still say "last reviewed in 2019".

When Documentation Saves You

Real incidents live online forever. Regulatory investigations tend to go easier on those who've done their documented homework. The ones without their ducks in a row face wrath from every angle because there's no proof that anyone even tried.

In legal settlements, no one wins without documentation. If an irate customer claims the company was negligent with their information through inappropriate access, or an employee claims they never received training, your records prove otherwise.

Even day-to-day operations get easier for companies that have this in place, for instance during planned vendor assessments. When potential clients ask about your security practices, unless you have documentation worth showing (and not fabricated), they're going to lose trust.

The Bottom Line

Becoming a documentation wizard isn't glamorous work, but over time it becomes a worthwhile saving grace. There is a world of difference between having solid evidence that you took security seriously and having to rely on good faith.

Companies that think their documentation is a minor concern regret it later. Don't ignore it; get it done from day one, before it's too late. It isn't creating paperwork for paperwork's sake; it's showing that operating with integrity means holding yourself accountable for all services rendered.

Start with the basics - policies that reflect reality, with real substance based on what your company does, instead of generic templates - and build from there whatever works for your specific business, for as long as documentation takes place consistently.