Defining a cybersecurity policy
Cybersecurity procedures explain the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security. Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organization. Stakeholders include outside consultants, IT staff, financial staff, etc. This is the "roles and responsibilities" or "information responsibility and accountability" section of the policy.
The policy may then include sections for various areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The SANS Institute provides examples of many types of cybersecurity policies. These SANS templates include a remote access policy, a wireless communication policy, password protection policy, email policy, and digital signature policy.
Organizations in regulated industries can consult online resources that address specific legal requirements, such as the HIPAA Journal's HIPAA Compliance Checklist or IT Governance's article on drafting a GDPR-compliant policy.
For large organizations or those in regulated industries, a cybersecurity policy is often dozens of pages long. For small organizations, however, a security policy might be only a few pages and cover basic safety practices. Such practices might include:
- Rules for using email encryption
- Steps for accessing work applications remotely
- Guidelines for creating and safeguarding passwords
- Rules on use of social media
Regardless of the length of the policy, it should prioritize the areas of primary importance to the organization. That might include security for the most sensitive or regulated data, or security to address the causes of prior data breaches. A risk analysis can highlight areas to prioritize in the policy.
The policy should also be fairly simple and easy to read. Include technical information in referenced documents, especially if that information requires frequent updating. For instance, the policy might specify that employees should encrypt all personally identifiable information (PII). However, the policy does not need to spell out the specific encryption software to use or the steps for encrypting the data.
Who should write the cybersecurity policies?
The IT department, often the CIO or CISO, is primarily responsible for all information security policies. However, other stakeholders usually contribute to the policy, depending on their expertise and roles within the organization. Below are the key stakeholders who are likely to participate in policy creation and their roles:
- C-level business executives define the key business needs for security, as well as the resources available to support a cybersecurity policy. Writing a policy that cannot be implemented due to inadequate resources is a waste of personnel time.
- The legal department ensures that the policy meets legal requirements and complies with government regulations.
- The human resources (HR) department is responsible for explaining and enforcing employee policies. HR personnel ensure that employees have read the policy and discipline those who violate it.
- Procurement departments are responsible for vetting cloud services vendors, managing cloud services contracts, and vetting other relevant service providers. Procurement personnel may verify that a cloud provider's security meets the organization's cybersecurity policies and verify the effectiveness of other relevant outsourced services.
- Board members of public companies and associations review and approve policies as part of their responsibilities. They may be more or less involved in policy creation depending on the needs of the organization.
When inviting personnel to participate in policy development, consider who is most critical to the success of the policy. For example, the department manager or business executive who will enforce the policy or provide resources to help implement it would be an ideal participant.
Updating and auditing cybersecurity procedures
Technology is continuously changing. Update cybersecurity procedures regularly—ideally once a year. Establish an annual review and update process and involve key stakeholders.
When reviewing an information security policy, compare the policy's guidelines with the actual practices of the organization. A policy audit or review can pinpoint rules that no longer address current work processes. An audit can also help identify where better enforcement of the cybersecurity policy is needed.
The InfoSec Institute, an IT security consulting and training company, suggests the following three policy audit goals:
- Compare the organization's cybersecurity policy to actual practices
- Determine the organization's exposure to internal threats
- Evaluate the risk of external security threats
An updated cybersecurity policy is a key security resource for all organizations. Without one, end users can make mistakes and cause data breaches. A careless approach can cost an organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.