Select Page

Security Documentation: Why and How it's used

Security documentation is, broadly speaking, the documentation of everything related to the protection of an organization’s information and property. Security documentation includes everything from building occupant rosters to cybersecurity penetration test reports.

Who Benefits from Security Documentation?

The simple answer? Everyone.

If you’re a largely analog small business, you may not think you need to have a detailed security plan. It’s true, security documentation is increasingly centering cybersecurity as the workplace shifts online and organizations digitize their information. Companies that stay analog may be safe from cyberattacks, but they, too, need to protect their information and property physically, which security documentation is also needed for. Even highly digitized companies need to physically secure their servers and equipment.

What Types of Security Documentation Do Tech Writers Offer?

Tech writers work with organizations to document security details ranging from social media clearance policy to facility layout. They draw up cybersecurity strategy documents, incident response plans, security infrastructure design documents, cybersecurity communications strategy documents, security policy and procedure documents, penetration testing reports, supply chain security documents, and more.

Tech writers help secure your information by documenting where it’s stored, who has access to it, how to access it, how to protect it, and how to recover it. They prevent both active attacks and passive loss of data through human error.

Your Information Is Less Protected than You Think

Help Net Security reports that a shocking 99% of businesses have underdeveloped cybersecurity systems and strategies. 24% of mid-sized businesses report cyber attacks or are unsure if they have been breached last year, yet 47% have no incident response plan in place. 61% do not employ a cybersecurity expert for consultation.

Meanwhile, Forbes discusses the vulnerability of open-source code. About 73% of software uses open-source code. Silicone chip and software designer Synopsys found weaknesses in 84% of the 2022 open-source code they examined. Furthermore, 91% needed to be updated in some way.

Help Net Security goes on to say that only 9% of employees follow security best practices. Even if your business is protected from external threats, internal carelessness could cost you information.

Security Documentation Can Help You More than You Think

Technical writers aren’t going to engineer security measures for you, so why hire one? Won’t security professionals document their own work? Shouldn’t companies prioritize bringing security professionals onto their teams?

Security professionals can install security software, but they may not tell you what to do with it, so to speak. This is a simplification — user experience is vital enough that any professional will try to make their product accessible. However, a cybersecurity expert’s job is to make sure your networks and information are secure, not to explain it to a layman.

Enter the tech writer. As mentioned in previous articles, a tech writer works with a subject matter expert (SME) to make complicated systems and information understandable, navigable, actionable and shareable. Let’s break down what a tech writer might do to improve your company’s security.

Tech Writers Document Security Policy and Procedure

A cybersecurity policy or procedure document, for example, outlines who has access to what information, how to transfer information, and how to operate security software. Companies can reinforce a policy rollout with staff training, too.

Small Business Trends highlights the following features of a cybersecurity policy document:

  • An introduction that educates its audience on the risk of attack
  • A section defining the purpose of the document: Is this document about remote access policy or acceptable use policy? Will it establish consequences for policy violations?
  • An identification of the audience: Who needs to know this information?
  • An identification of what information is confidential
  • An explanation of your system’s antivirus software, password-protection measures, email security measures and other security features
  • An explanation of how to safely and securely transfer and store data
  • An explicit list of disciplinary measures to be carried out in the event of policy violation

Keep in mind that although disciplinary measures may be necessary, positive reinforcement is a consistently better learning tool than negative reinforcement in animals and humans alike. It’s always a good idea to use collaborative learning and incentives in your security documentation.

Tech Writers Make Incident Response Plans

An incident response plan informs staff how to prepare, react, and recover from a breach in security. Incident response plans can be a part of policy and procedure documentation, but they’re so important that they’re worth mentioning separately.

The Australian government website, for example, divides an incident response plan into three parts: preparing and preventing, checking and detecting, and identifying and assessing.

To prepare and prevent a cyberattack, educate your employees on how to minimize vulnerability through the aforementioned policy and procedure document. Figure out what information is most important to protect, and build your plan around that. Assign incident response roles so that an incident will be reported and resolved as efficiently as possible.

To check and detect cyberattacks, make a habit of noting unusual activity. If you are suddenly locked out of accounts of networks, data is missing, devices are crashing, a business email sends spam, a hard drive runs out of space, or other suspicious activity occurs, raise the issue with the appropriate authorities.

To determine whether or not your company has been attacked, you must identify and assess the incident. In other words, find the source of the attack and assess the scope of the damage. The goal is to contain its impact as much as possible, as quickly as possible. You may have to disconnect the affected parts of the system from the larger network. Be sure to communicate with the affected parties to mitigate panic and further complications.

A security breach can be an ordeal, but businesses can learn from them. Be sure to document the issues that caused the breach and incorporate that knowledge into an updated security policy and procedure plan once the dust has settled.

Tech Writers Document Penetration Testing

To make sure your security system is up to snuff, hire a penetration tester. A penetration tester will hack into your system, tell you where the holes are, and how to patch them. According to the cybersecurity educators known as the EC-Council Cybersecurity Exchange, penetration testers:

  • Perform reconnaissance. They gather as much information as possible about your business to plan an attack.
  • Scan for open ports in your system.
  • Assess vulnerabilities.
  • Exploit the system’s vulnerabilities. A tester will know how to breach your security without crashing the whole system, whereas an attacker will not try to preserve the functionality of your system.
  • Report their findings.

While the bulk of this job falls on the penetration tester, a technical writer may come in handy in incorporating the reported information into your security documentation. A penetration tester may be another SME that a technical writer can collaborate with.

Tech Writers Improve Security from the Inside Out

Sometimes, an employee will violate security policy unintentionally. In fact, one of the leading reasons for security failure is poor usability in a security system. If a company requires complex passwords, for example, employees may use the same complex password for every account, accidentally putting the company at risk.

Another leading reason for security failure is bad communication of policy and procedure. When left to their own devices, cybersecurity experts may not translate their specialized language into user-friendly language in their security documentation. They also may not know how to format a document to maximize readability and clarity.

Once again, that is the job of a technical writer. A tech writer improves the user experience and ensures that the work of the cybersecurity expert is relayed and stored effectively throughout the company.

Tech Writers Improve Facility Security

Cybersecurity gets a lot of attention, but facility security is equally worthy of documentation.

The Interagency Security Committee of the U.S. Department of Homeland Security provides a great template for a facility security plan. It includes cybersecurity, document control, and building security. While this plan was a result of the increased security efforts against terrorism after the 1995 Alfred P. Murrah Building bombing in Oklahoma City, other facility security plans may be geared more toward preventing theft and vandalization.

The ICS facility security plan calls for the identification of security personnel and all occupants of federal facilities. Then, the document establishes a facility profile. That is, it stipulates the type of facility, types of occupants, the facility mission, the location of facility utilities, and building layouts. The plan also outlines day-to-day security at all pedestrian and vehicle entrances, mail rooms and limited-access areas while allowing for changes in security during special circumstances like large events. It explains how to reach first responders and other authorities to restore safety.

Finally, as with cybersecurity plans, facility security documentation requires risk assessment and prevention, an incident response plan, and a means of testing and updating its policies and procedures.

How Can EDC Help with Security Documentation?

Whether you need a single technical writer for a brief project or a team of consultants to produce a complete line of documentation, the quality of our work is guaranteed for you. Our clients work closely with an Engagement Manager from one of our 30 local offices for the entire length of your project at no additional cost. Contact us at (800) 221-0093 or to get started.

Written by Aviva Palencia