Cybersecurity is an important issue for your organization. It should be a concern for your IT departments, organizational leadership and each employee.

Cybersecurity ensures that you are effectively protecting your data, preventing breaches, detecting potential threats, analyzing suspicious activity and providing remediation if something does occur. You may agree but are now thinking, “How can we get everyone onboard?” One effective way to both educate employees on the importance of cybersecurity and empower them to play an essential role in the organization’s overall protection is to have comprehensive cybersecurity policies. They are the framework for your daily operations and reflect your organization’s values.

Effective policies guide your employees by addressing pertinent issues to the organization and provide a plan of action for desired outcomes and decision making. Cybersecurity policies are essential for any organization’s overall cybersecurity program. These policies should assist you to meet strategic goals, reduce risk and identify opportunities for improvement.

Policy Development

We will look at how to develop your policies and decide which cybersecurity policies you should have in your organization. Developing effective cybersecurity policies requires a deliberate approach. Consider the following six key tasks in the development of your policies:

• • Planning – identify the need for the policy. Policies should never be created just to have a policy in place; rather, they should support your business objectives, contractual obligations or regulatory requirements.
  • Research – ensure all laws, obligations and customs have been taken into consideration. This is an important step in the development of policies because some regulations and contracts have specific requirements, while some laws may be vague or be contradictory to others. Breach notification requirements is a good example because every state has them, but they all differ.
  • Writing – ensure you have identified the target audience for the policy and use language theyunderstand. If your intended audience is not technical, they may not understand the policy if technical concepts and terms are used. Writing the policy in language that best suits the audience will be important to gain acceptance of the policy and will also help ensure its implementation is successful.
  • Vetting – ensures the policy has properly been scrutinized. You will want to engage various parts of your organization to vet the policy. Of course, the extent you vent a policy depends on the size of your organization and how regulated your business is. Stakeholders you may wish to engage include:
    • Legal counsel
    • Human resources
    • Compliance personnel
    • Cybersecurity and technology professionals
    • Auditors and regulators
    • Employees that will be required to follow the policy
    • Contractors and partners required to follow the policy
  • Approving – most cybersecurity policies will be implemented throughout the organization, which means it will be important to build support and understanding of the policy throughout the organization. This will have the added benefit of empowering employees to take an active part in the policy creation process, which will also help them to understand and champion the policy.
  • Authorizing – is the process for executive management or organizational leadership to agree and approve the policy. Recognize that certain regulations may require cybersecurity policies be written and approved. Present the policy to those authorizing it in a meaningful way and ensure they have a good level of understanding before it’s approved.

Now that we have a process for developing cybersecurity policies, do you need to actually write it from scratch? Absolutely not! There are many places you can go to find templates to help you. A basic Google search will lead to places such as SANS and NIST, who have many cybersecurity templates to get you started.

Most templates will walk you through the basic structure of a policy. These may include:

• • Title – make sure the title reflects the policy. The more specific the better.
  • Introduction – frames the document. This conveys the importance of both understanding and adhering to the document.
  • Policy Goals/Objectives – conveys the intent of the policy.
  • Scope – defines what elements, IT assets or organization-owned assets are within the scope and whom it covers.
  • Standards – identifies the hardware, software or configuration standards that all users must comply with and explains the relationship of this policy to these standards. These could include both technical requirements and user requirements.
  • Procedures – explains how you intend to implement and deliver the policy to all those who may follow the policy.
  • Guidelines – explains roadblocks or implementation issues that must be addressed and how to overcome them.
  • Policy Exceptions – identifies the waiver process to request an approval for any deviations or exceptions to the policy.
    
    

Cybersecurity Policy Samples

Finally, let’s discuss the cybersecurity policies you may want to have in place. The policies you will want to implement will be based on what your organization needs and the length of those policies will also be dependent upon what your organization needs to cover.

The list below is a sample of cybersecurity policies that may assist your organization:

• • Acceptable Encryption and Key Management Policy – should address the security of data at rest and data in transit.
  • Acceptable Use Policy – addresses the constraints and practices that a user must agree to when accessing a corporate network or the internet. Should include acceptable use of the internet on business assets.
  • Access Control Policy – minimizes the risk of unauthorized access to physical and logical systems. May be implemented by role-based, discretionary or mandatory access control methods.
  • Data Backup Policy – addresses how and where a copy of data can be recovered,in the event of a primary data failure.
  • Remote Access Policy – addresses the hardware and software configuration standards for gaining access to the network.
  • Mobile Device Security Policy – addresses how computing devices such as laptops, smartphones, tablets and other personal computing devices are supported and managed on the network. It also includes how to handle lost or stolen devices.
  • Monitoring and Logging Policy – collecting and analyzing individual records that represent specific activity, events, error conditions, faults or general status on an information system or network. May also include expectations of organizational monitoring of devices.
  • Network Management Policy – addresses the efficiency and effectiveness of the network and may include least privilege (minimal level of access to do the job), secure operating systems, application security, malware filtering and vulnerability management.
  • Personnel Security Policy – controls on hiring, training and termination of all personnel to enforce compliance and security.
  • Physical Security Policy – addresses visitor and contractor access, employee credentialing, equipment removal and emergency procedures including evacuation.
  • Records Retention Policy – states the organization’s process for managing documents from creation to retention or disposal. Regulatory or legal requirements may dictate this.
  • Security Policy – addresses the development, establishes roles, responsibilities and management of updates of critical security plans, such as an incident response plan, disaster recovery plan, continuity plan or emergency operations plans (to name a few).
  • Software Policy – addresses software installation, storage and documentation, inventories, auditing, upgrades, licensing and registration of software.
  • Technology Disposal – addresses an organization’s concern of managing the secure disposal of equipment that is no longer required. May include the recycling and destruction of those assets, as well as legal requirements.
  • User Identification, Authentication, and Authorization Policy – addresses usernames, the authentication process and techniques that grant or block access.

Policies play a role in your overall cybersecurity program. The objective of an effective cybersecurity policy is to protect the organization, its employees, its customers and its vendors and partners from any harm that may come from intentional or accidental damage.

If we approach policy creation in a deliberate manner, we can craft them in a way that informs employees and external partners of cybersecurity practices. Policies are also a great tool for empowering internal and external stakeholders by engaging them in the process; they will not only understand why the policy is needed, but truly embrace their role in the overall cybersecurity program.

References:

• • https://kirkpatrickprice.com/blog/15-must-have-information-security-policies
  • Developing cybersecurity programs and policies, Third Edition by Omar Santos and Sari Greene
  • https://www.csoonline.com/article/3263738/9-policies-and-procedures-you-need-to-know-about-if-youre-starting-a-new-security-program.html