Choose ArcherHall for Your Cybersecurity Compliance Needs

Compliance

While organizations should focus on their cybersecurity for no reason other than that it makes good business sense (after all, why would you want to put the organization’s information assets at risk or suffer a disaster such as ransomware or a misdirected wire transfer?), the reality is that many organizations don’t focus on cybersecurity until they’re forced to.

Whether the driver is a client requirement or a statutory or regulatory requirement, ArcherHall has more than two decades of experience helping companies meet cybersecurity compliance requirements and pass the associated audits.

Pre-Certification & Compliance Readiness Assessments

While many organizations pursue cybersecurity to address specific concerns or protect their operations, others are driven by the need to comply with regulatory standards such as ISO 27001, HITRUST, PCI-DSS, CMMC, or CMMI. These compliance frameworks often require an official certification assessment conducted by a certified assessor. Such assessments are evidence-based: it is not enough to simply claim compliance; organizations must demonstrate it by providing proof that their control environment is both well designed and operating effectively.

For organizations navigating this process, understanding what is expected and where they truly stand is essential. A compliance readiness assessment by an independent third-party assessor is a critical step in this preparation. When performing a pre-certification or readiness assessment, ArcherHall evaluates your control environment with the same rigor as a certifying assessor, focusing on design, execution, and evidence. This approach gives your organization a clear picture of its compliance status and readiness for the certification process. ArcherHall identifies areas needing attention and offers a tailored remediation plan.

Remediation Support

Some organizations choose to handle remediation internally after completing a readiness assessment, while others engage ArcherHall for further assistance. With over two decades of experience in addressing cybersecurity challenges, ArcherHall is well equipped to guide your remediation efforts.

Contact ArcherHall to begin your Pre-Certification & Readiness Compliance Assessment today.

Cybersecurity Policies, Procedures & Plans

With over two decades of cybersecurity compliance experience, ArcherHall has developed an extensive library of policies, procedures, templates, plans, and other essential documentation needed to strengthen your organization’s cybersecurity compliance program. Discover more about our cybersecurity policy and procedure development services below.

This documentation includes documents such as:

  • Incident Response Plan
  • Disaster Recovery and Business Continuity Plans
  • Written Information Security Program (WISP), including policies such as:
    • Acceptable Use Policy
    • Backup Policy
    • Bring Your Own Device (BYOD) Policy
    • Change Control Policy
    • Data Classification, Handling & Retention Policy
    • Disaster Recovery Planning Policy
    • Disposal Policy
    • Email Usage Policy
    • Encryption & Decryption Policy
    • Guest Access Wireless Policy
    • Network Access Policy
    • Password Policy
    • Physical and Environmental Security Policy
    • Remote Access Work Policy
    • Secure Remote Access Policy
    • Security Awareness and Training Policy
    • Third Party Access Policy
    • User Activation and Termination (User Access) Policy
  • System Security Plans
  • Risk Management Plan
  • Vulnerability Management Program
  • Third Party Risk Management Program
  • and more…

Custom Policies, Procedures & Plans

On the rare chance that your compliance needs include documentation that ArcherHall has not already written, ArcherHall can create custom documents to meet those needs.

Incident Response Planning (IRP)

  • Designation of the Incident Response Team
  • Classification system for incidents, including who can declare an incident and how
  • Notification requirements
  • Information kept at hand to ensure rapid recovery
  • Appropriate response and recovery actions
  • Runbooks detailing how each of the incident types applicable to your organization should be handled

ArcherHall brings years of experience in creating effective Incident Response Plans (IRPs). Using a proven template developed in house, each organization’s plan is tailored through a structured process that includes discovery meetings, document drafting, and final approval by your team. Optional familiarity training for your staff is also available to ensure everyone is prepared.

Tabletop Exercises & Testing

Having a plan is essential, but your team also needs to be familiar with it, understand what to expect, and know how to execute it during an actual incident. Best practices recommend regular incident response testing to build that familiarity and identify any gaps that need attention before a real crisis occurs. Tabletop Exercises (TTX) are an effective way to simulate an incident, giving your Incident Response Team a chance to practice in a controlled, yet realistic environment.

ArcherHall’s Tabletop Exercises are custom-designed to reflect scenarios your organization could realistically face. These sessions typically last 90-120 minutes and include an introduction, the exercise itself, and a hotwash/debrief session for participants. Following the exercise, we provide a detailed report highlighting your organization’s performance, identifying gaps, and offering recommendations to strengthen your response plan.

Disaster Recovery & Business Continuity Planning & Testing

Incidents and disasters can strike unexpectedly. Forward-thinking organizations understand the importance of being prepared. While we hope you’ll never need to activate your Incident Response Plan (IRP) or Disaster Recovery Plan (DRP), it’s crucial to be ready for any situation that may arise.

A well-developed Incident Response Plan and Disaster Recovery Plan can be the key to effectively managing a crisis and ensuring business continuity, rather than facing severe disruptions or even business failure.

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

When disaster strikes, be it natural or man-made, preparation is the key to recovery and assuring your employees, customers and other stakeholders that you can continue as an entity. The worst time to plan the recovery activities is during the crisis.

Disaster Recovery Plan

A comprehensive Disaster Recovery Plan will:


  • Have all the necessary details to efficiently and effectively get the organization’s IT back up and running, supporting the business,
  • Lay out the recovery expectations, such as Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs),
  • Seek approval from leadership that is consistent with the RPOs/RTOs so that appropriate infrastructure changes supporting such expectations

Business Continuity Plan

Similar to a Disaster Recovery Plan, the Business Continuity Plan is designed to give organizations assurance not only that their information technology can be recovered gracefully, but also that broader operational requirements are covered, which could include finance, human resources, sales and marketing, and more. Depending on the organization’s needs, Business Continuity Plans can be focused on the overall organization or narrowed to specific environments (e.g. a division, geographic location, or office) or functional areas. Business Impact Analyses (BIAs) are used to understand the overall effect an outage would have on that environment.

Starting with one of ArcherHall’s own templates (DRP/BCP), ArcherHall holds one or more discovery meetings with relevant stakeholders within the organization. Through a series of questions and discussions, and with the organization providing pertinent information, ArcherHall creates a robust plan that is accepted by the organization and placed into service. ArcherHall is also available to train the organization’s response team.

Third Party Risk Management

Third-party risk refers to the potential threats an organization faces due to external parties within its ecosystem or supply chain. These parties—such as vendors, suppliers, partners, contractors, or service providers—may have access to sensitive internal company or customer data, systems, or processes, either directly or indirectly.

For instance, suppose you engage an external analytics firm to analyze sensitive data and provide trend reports. The firm never accesses your network, but it does handle your sensitive information. The key questions are: what level of risk does this pose to you, and what measures does the third party have in place to safeguard the data? As a responsible organization, it’s crucial to assess and manage these risks effectively. This is where third-party risk management comes into play.

ArcherHall’s Third-Party Risk Management (TPRM) Services offer a comprehensive solution to evaluate and mitigate the risks associated with your third parties. Our TPRM services include:

  • Identifying and prioritizing your third parties.
  • Providing an introductory email template for you to send to your third parties, introducing our services.
  • Conducting direct follow-ups with your third parties, administering assessments and questions to evaluate their controls.
  • Analyzing the third parties’ responses to determine the relative risk they pose.
  • Delivering a detailed report for your review and discussion.

Integrating our TPRM services into your cybersecurity program helps reduce risk and manage potential vulnerabilities associated with third-party relationships. Whether you need to assess risks or address a potential breach, ArcherHall’s TPRM services are here to support your needs.

Example:

Insurance Company Panel Counsel | Third-Party Risk Management Remediation

ArcherHall is partnering with a leading global insurance carrier to enhance the cybersecurity programs of its Panel Counsel worldwide.

In response to evolving cybersecurity regulations, the carrier has established a stringent Third-Party Risk Management (TPRM) program. The Risk Management department mandates that all third parties must fully comply with their requirements. While many Panel Counsel firms meet these standards, a significant number require assistance to achieve compliance. The insurance carrier is committed to ensuring these firms remain on their panel and is collaborating with ArcherHall to offer a comprehensive remediation program.

ArcherHall customizes solutions for each Panel Counsel firm, addressing various issues including policy and procedure development (e.g., Written Information Security Program (WISP), Change Management, Incident Response Planning, and Disaster Recovery/Business Continuity Planning) and technical measures such as vulnerability management, encryption, secure remote access, and system hardening.

To date, we have assisted over 200 Panel Counsel firms globally, across all time zones and in multiple languages.

Contact

Give us a call at (855) 839-9084

Or send us a message and we’ll get back to you right away.