Cybersecurity is an important issue for both IT departments and C-level executives. However, security should be a concern for each employee in an organization, not only IT professionals and top managers. One effective way to educate employees on the importance of security is a cybersecurity policy that explains each person's responsibilities for protecting IT systems and data. A cybersecurity policy sets the standards of behavior for activities such as the encryption of email attachments and restrictions on the use of social media.
Cybersecurity policies are important because cyberattacks and data breaches are potentially costly. At the same time, employees are often the weak links in an organization's security. Employees share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and neglect to encrypt sensitive files. Grand Theft Data, a McAfee report on data exfiltration, found that people inside organizations caused 43% of data loss, one-half of which was accidental. Improved cybersecurity policies can help employees and consultants better understand how to maintain the security of data and applications.
These types of policies are especially critical in public companies or organizations that operate in regulated industries such as healthcare, finance, or insurance. These organizations run the risk of large penalties if their security procedures are deemed inadequate.
Even small firms not subject to federal requirements are expected to meet minimum standards of IT security and could be prosecuted for a cyberattack that results in loss of consumer data if the organization is deemed negligent. Some states, such as California and New York, have instituted information security requirements for organizations conducting business in their states.
Cybersecurity policies are also critical to the public image and credibility of an organization. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.
Defining a cybersecurity policy
Cybersecurity procedures explain the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security. Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organization. Stakeholders include outside consultants, IT staff, financial staff, etc. This is the "roles and responsibilities" or "information responsibility and accountability" section of the policy.
The policy may then include sections for various areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The SANS Institute provides examples of many types of cybersecurity policies. These SANS templates include a remote access policy, a wireless communication policy, a password protection policy, an email policy, and a digital signature policy.
Organizations in regulated industries can consult online resources that address specific legal requirements, such as the HIPAA Journal's HIPAA Compliance Checklist or IT Governance's article on drafting a GDPR-compliant policy.
For large organizations or those in regulated industries, a cybersecurity policy is often dozens of pages long. For small organizations, however, a security policy might be only a few pages and cover basic safety practices. Such practices might include:
- Rules for using email encryption
- Steps for accessing work applications remotely
- Guidelines for creating and safeguarding passwords
- Rules on use of social media
Regardless of the length of the policy, it should prioritize the areas of primary importance to the organization. That might include security for the most sensitive or regulated data, or security to address the causes of prior data breaches. A risk analysis can highlight areas to prioritize in the policy.
The policy should also be fairly simple and easy to read. Include technical information in referenced documents, especially if that information requires frequent updating. For instance, the policy might specify that employees should encrypt all personally identifiable information (PII). However, the policy does not need to spell out the specific encryption software to use or the steps for encrypting the data.
Who should write the cybersecurity policies?
The IT department, often the CIO or CISO, is primarily responsible for all information security policies. However, other stakeholders usually contribute to the policy, depending on their expertise and roles within the organization. Below are the key stakeholders who are likely to participate in policy creation and their roles:
- C-level business executives define the key business needs for security, as well as the resources available to support a cybersecurity policy. Writing a policy that cannot be implemented due to inadequate resources is a waste of personnel time.
- The legal department ensures that the policy meets legal requirements and complies with government regulations.
- The human resources (HR) department is responsible for explaining and enforcing employee policies. HR personnel ensure that employees have read the policy and discipline those who violate it.
- Procurement departments are responsible for vetting cloud services vendors, managing cloud services contracts, and vetting other relevant service providers. Procurement personnel may verify that a cloud provider's security meets the organization's cybersecurity policies and verify the effectiveness of other relevant outsourced services.
- Board members of public companies and associations review and approve policies as part of their responsibilities. They may be more or less involved in policy creation depending on the needs of the organization.
When inviting personnel to participate in policy development, consider who is most critical to the success of the policy. For example, the department manager or business executive who will enforce the policy or provide resources to help implement it would be an ideal participant.
Updating and auditing cybersecurity procedures
Technology is continuously changing. Update cybersecurity procedures regularly—ideally once a year. Establish an annual review and update process and involve key stakeholders.
When reviewing an information security policy, compare the policy's guidelines with the actual practices of the organization. A policy audit or review can pinpoint rules that no longer address current work processes. An audit can also help identify where better enforcement of the cybersecurity policy is needed.
The InfoSec Institute, an IT security consulting and training company, suggests the following three policy audit goals:
- Compare the organization's cybersecurity policy to actual practices
- Determine the organization's exposure to internal threats
- Evaluate the risk of external security threats
An updated cybersecurity policy is a key security resource for all organizations. Without one, end users can make mistakes and cause data breaches. A careless approach can cost an organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.