Cybersecurity policies are necessary for all technology businesses at this point. Your company must have information security policies in place and demonstrate that you are following them.
The trouble is that very few businesses take the time and trouble to create decent information security policies and procedures.
Instead, they are happy to download template examples, then cut and paste as they see fit. The result is often a mess that no one understands, and it can leave the business exposed to issues nobody anticipated.
Let’s look at a common scenario:
Your organization has been informed that you have to validate your compliance with the Payment Card Industry Data Security Standard (PCI-DSS). One of the daunting tasks ahead of you is having a policy in place that covers how your organization addresses all twelve requirements of the standard.
…Do you have a policy in place?
No? You’re in luck! Consider this your quick cybersecurity policy cheat sheet. In my opinion, the following seven points are the bare-minimum policy components you need to start building an effective cybersecurity policy. These are the foundation of any information security program. Many frameworks, not just PCI-DSS, require policies to cover most or all seven of these points. We find most businesses need about 25 individual policies in total.
If you want more robust policies than what you can write yourself, scroll down to the end to learn about our free tools you can use to generate custom security policies for your business. Otherwise, this cheat sheet here is a basic template that you can use to start creating your own policies for data privacy and security.
Template for an Information Security Policy
- Purpose
- Scope and Applicability
- Policy Statement
- Roles and Responsibilities
- Maintenance and Review
- References and Supporting Documents
- Terms and Definitions
Breaking Down the Parts of a Policy
Keep your policies short. A policy document should be a simple statement of the business’s position on the chosen topic. Although they’re related, policies should not be confused with the procedural documentation that deals with how the policy is enacted.
Procedures, by contrast, are often much longer documents because they describe the processes that must be followed. System-specific security policies and their corresponding procedures tend to fall into this category: your IT team may have a short policy, but need a much longer documented procedure to comply with it.
Ideally, the policy should be brief and to the point about the user’s responsibilities towards the information they collect, use, access or otherwise process, and should point them to the other relevant cybersecurity policies and procedures for the areas in which they operate.
1. Purpose
This is the “why” section. It describes the reason the policy exists, so it doesn’t need to be long: state the objective of the policy and why you have it.
Typically, you’ll need employees to review and adhere to these policies, so keep in mind you’ll want them to take their responsibilities and your reasons here seriously.
2. Scope and Applicability
This section states which assets, infrastructure, and personnel the policy covers (the “where”). These are often identified during an inventory of your data or an internal risk assessment by your team. Some policies will apply only to your IT team, while others will cover your sales and marketing activities.
3. Policy Statement
This section contains the body of the cybersecurity policy (the “what”): the actual requirements for the policy topic, whether that is email security, the local area network, personal devices, password management, or even printers.
4. Roles and Responsibilities
This section identifies which roles (e.g. the IT Security Department, the Help Desk) are involved and what their responsibilities are under the policy (the “who”). Be explicit when you expect all employees to follow a policy, because many policies will apply only to certain people, such as your IT team.
5. Maintenance and Review
This section states how often the policy is reviewed: when your security team will check that it still reflects security best practices and satisfies the specific frameworks you operate under. Most companies choose an annual review. You should also update the policy after any significant change that affects it, rather than waiting for the scheduled review.
6. References and Supporting Documentation
This section lists any related cybersecurity policies and/or procedures. While you might find you don’t need this section initially, this section may become more useful as your policies grow and evolve.
7. Terms and Definitions
This section lists any relevant terms and definitions contained in the policy. It’s part glossary to make sure your team is all on the same page, part clarification.
In short, what makes a good cybersecurity policy?
1. It is relevant to your audience.
2. It is aligned with your business needs.
3. It is applicable to the compliance and/or regulatory frameworks that you operate under.
4. It is as short as possible.
By following these ideas you should be able to create a basic information security policy and, more importantly, have employees who are effectively looking after your organization’s assets. However, unless you are an InfoSec expert, we’d caution you against writing all of your own policies or copy-pasting from a generic template. Cybersecurity policies provide vital support to a company as it strives to reduce its risk profile and fend off both internal and external threats.