It sets out simple security controls covering staff use of your network and the operation of the devices and systems your business relies on.
Why is a cyber security policy important?
Businesses without a policy in place leave themselves exposed to external threats and to potential legal issues, such as failing to meet obligations to protect personal data. This is particularly important for businesses that carry out e-commerce or collect customer data online.
In addition, a cyber security policy helps to provide guidance for staff around acceptable use of devices and online material so that they understand the important role they play in protecting your business' cyber security.
A cyber security policy will also help give your customers confidence in your business and can, if relevant, be good to include on your company's website for this reason.
What does it involve and where do I start?
There are a number of areas that a cyber security policy should cover, including why it is important for your business to have one in the first place.
Consider undertaking an audit to determine the risk factors in your business. For example: do staff use strong, unique passwords (changed when you suspect they have been compromised, rather than on a fixed schedule, since routine forced changes tend to produce weaker, predictable passwords), with multi-factor authentication where it is available? Do you have a secure way to keep sensitive documents? Is anti-virus software installed and kept current on your computers and other devices?
Once this review has taken place, the most appropriate security controls can be identified. Remind your staff regularly of the importance of good cyber security practice, and repeat the review periodically to confirm your company information is still protected as the business and its systems change.
A basic security policy may include:
- Acceptable use of email and the Internet for staff - should certain websites be blocked to staff? Should there be a restriction on the size of email attachments?
- Protecting your mobiles - have you articulated that a work mobile device should not be shared? Or that any mobile on which you can access work emails or information must be PIN or password protected?
- Handling sensitive data - where and how should sensitive data be handled and stored? Consider restricting access to sensitive information to only those staff who need it for their role ("user privileges", or least privilege).
- Securing and handling equipment - is there a system in place to track who is using equipment in the organisation? Is there an inventory of all IT equipment and software?
- Using the Internet safely - what system is in place to ensure anti-virus, anti-spyware, operating systems, web browsers and other software are kept up to date, and how quickly are security updates applied once released?
- Remote access - how is security maintained when staff access work documents from the road or at home, for example over a VPN and only from devices that meet your security requirements?
- Removable media - are there policies on the use of USB drives, CDs, DVDs and similar, to ensure that malicious software (malware) is not introduced and important data is not copied out?
- Workplace surveillance and monitoring policies - how can you ensure that your policies are being followed by staff, is monitoring disclosed to them, and are there clear disciplinary procedures in place to deal with the consequences of a breach?
- Guidelines for customers - what is your business policy on what will and will not be sent via email in order to minimise exposure to phishing scams?
At the bottom of this document is an example security policy template for you to modify. This is not intended to be a complete list, but rather a catalyst to get you started.
A Word on Policies and Procedures
Your policies should be clear statements of how your business or organisation intends to carry out its business. They don't need to be long or complicated. In fact we believe the easier a policy is to understand, the more likely it is to be followed.
In addition to your cyber security policy you may have a remote access policy, teleworking policy or bring your own device (BYOD) policy etc.
Sitting behind your policies may be procedures (or processes). They describe the 'how' and usually outline things such as responsibilities and the steps to follow. Procedures can be bullet points, flow diagrams, checklists or a set of instructions.
So, in addition to your cyber security policy it can be useful to have:
- A process for reporting security breaches - this may need to be confidential if there are scenarios in which it could be difficult for employees to speak out. For example, an employee is aware that a colleague lost a device containing sensitive information but has not yet reported it.
- A code of conduct - this would outline appropriate employee behaviour in the workplace.
- An incident management plan (refer to How to establish an incident management plan)