Cybersecurity is an important issue for both IT departments and C-level executives. However, security should be a concern for each employee in an organization, not only IT professionals and top managers. One effective way to educate employees on the importance of security is a cybersecurity policy that explains each person's responsibilities for protecting IT systems and data. A cybersecurity policy sets the standards of behavior for activities such as the encryption of email attachments and restrictions on the use of social media.
Cybersecurity policies are important because cyberattacks and data breaches are potentially costly. At the same time, employees are often the weak links in an organization's security. Employees share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and neglect to encrypt sensitive files.
These types of policies are especially critical in public companies or organizations that operate in regulated industries such as healthcare, finance, or insurance. These organizations run the risk of large penalties if their security procedures are deemed inadequate.
Even small firms not subject to federal requirements are expected to meet minimum standards of IT security and could be prosecuted after a cyberattack that results in the loss of consumer data if the organization is deemed negligent. Some states, such as California and New York, have instituted information security requirements for organizations conducting business in their states.
Cybersecurity policies are also critical to the public image and credibility of an organization. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.
Cybersecurity procedures explain the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security. Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organization. Stakeholders include outside consultants, IT staff, financial staff, etc. This is the "roles and responsibilities" or "information responsibility and accountability" section of the policy.
The policy may then include sections for various areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The SANS Institute provides examples of many types of cybersecurity policies. These SANS templates include a remote access policy, a wireless communication policy, a password protection policy, an email policy, and a digital signature policy.
Organizations in regulated industries can consult online resources that address specific legal requirements, such as the HIPAA Journal's HIPAA Compliance Checklist or IT Governance's article on drafting a GDPR-compliant policy.
For large organizations or those in regulated industries, a cybersecurity policy is often dozens of pages long. For small organizations, however, a security policy might be only a few pages and cover basic safety practices. Such practices might include:
Regardless of the length of the policy, it should prioritize the areas of primary importance to the organization. That might include security for the most sensitive or regulated data, or security to address the causes of prior data breaches. A risk analysis can highlight areas to prioritize in the policy.
The policy should also be simple and easy to read. Include technical information in referenced documents, especially if that information requires frequent updating. For instance, the policy might specify that employees should encrypt all personally identifiable information (PII). However, the policy does not need to spell out the specific encryption software to use or the steps for encrypting the data.
The IT department, often the CIO or CISO, is primarily responsible for all information security policies. However, other stakeholders usually contribute to the policy, depending on their expertise and roles within the organization. Below are the key stakeholders who are likely to participate in policy creation and their roles:
When inviting personnel to participate in policy development, consider who is most critical to the success of the policy. For example, the department manager or business executive who will enforce the policy or provide resources to help implement it would be an ideal participant.
Technology is continuously changing. Update cybersecurity procedures regularly—ideally once a year. Establish an annual review and update process and involve key stakeholders.
When reviewing an information security policy, compare the policy's guidelines with the actual practices of the organization. A policy audit or review can pinpoint rules that no longer address current work processes. An audit can also help identify where better enforcement of the cybersecurity policy is needed.
The InfoSec Institute, an IT security consulting and training company, suggests the following three policy audit goals:
An updated cybersecurity policy is a key security resource for all organizations. Without one, end users can make mistakes and cause data breaches. A careless approach can cost an organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.