Cyber security policies are a necessary evil.
Organizations need to have cyber security policies in place and to demonstrate that they are strictly followed. The trouble is that very few organizations take the time and trouble to create decent policies. Instead they are happy to download template examples and cut and paste as they see fit. The result is often a mess that is of no use to anyone and frequently leaves the business exposed to unforeseen issues.
Let’s look at a common scenario:
Your organization has been informed that you have to validate your compliance with the Payment Card Industry Data Security Standard (PCI-DSS). One of the daunting tasks ahead of you is having a policy in place that covers how your organization addresses all twelve requirements of the standard.
Do you have one in place?
No? You’re in luck! Consider this your quick cyber security policy cheat sheet. In my opinion the following are the bare-minimum policy components required to start building an effective cyber security policy that will meet the requirements of many frameworks, not just PCI-DSS.
Purpose
This section simply states the reason the policy exists (the “why”).
Scope and Applicability
This section states which assets, infrastructure, and personnel are covered by the policy (the “where”).
Policy Statement
This section contains the overall body of the policy (the “what”).
Roles and Responsibilities
This section describes which roles (e.g. IT Security Department, Helpdesk) are involved and what their responsibilities are in relation to the policy (the “who”).
Maintenance and Review
This section states how often the policy is reviewed (preferably annually and/or after any significant change that affects the policy).
References and Supporting Documentation
This section lists any related policies and/or procedures.
Terms & Definitions
This section lists any relevant terms and definitions contained in the policy.
A policy document should be a simple statement of the business’ position on the chosen topic, not to be confused with the procedural documentation that deals with how the policy is to be enacted. Procedures are sometimes necessarily much longer documents, because they describe the processes that must be followed. System-specific security policies and their corresponding procedures tend to fall into this category.
Ideally, the policy should be brief and to the point about the user’s responsibilities towards the information they collect, use, access or otherwise process, and should point them to the other relevant policies and procedures for the areas in which they operate.
By following these ideas you should be able to create a basic cyber security policy and, more importantly, have employees who effectively look after your organization’s assets. Cyber security policies provide vital support to security professionals as they strive to reduce the risk profile of a business and fend off both internal and external threats.
In short, what makes a good policy?
1. It is relevant to your audience
2. It is aligned to the needs of the business
3. It is applicable to the compliance and/or regulatory frameworks in which you operate
4. It is as short as possible
If you’re ready to get started with developing your cyber security policies, you will want to check out how Securicy makes the process easy!
This blog is meant to provide a starting point for implementing cyber security practices within your company. Due to the rapid progression of technology, this is an ongoing and ever-evolving subject!