Drafting Cyber Security Policy for your Company
The aspects you need to cover when drafting or updating your company’s cyber security policy- from employee responsibilities to federal compliance policies.
Drafting cyber security policy for your company can seem an overwhelming task. There is so much to cover and it all has to be customized to your company’s distinct needs and requirements. You have to keep legal, business and privacy/security objectives in mind throughout the drafting process. Depending on your industry and market, you may have specific federal regulations to follow (i.e. HIPAA or GDPR) and depending on your company size, your data sharing policy needs will vary greatly. If your company runs regular business hours it may work to do updates overnight, however, if you have 24-hour support, this update schedule may not work for you. By giving you the what and why of each aspect of your cyber security policy draft, I hope to narrow down the points you have to consider when drafting.
Without further ado, let’s dive right into drafting your company’s Cyber Security Policy.
Roles and Responsibilities
The main goal of cyber security policy is to give employees an understanding of their roles and responsibilities in protecting the cyber security of the company, what they can do in the event of an incident, and what the repercussions might be if they breach policy. Make sure you are clear about what you expect from your employees. If you’re unsure about where responsibility lies, when it comes to the cyber security of your business, check out this blog entitled “Who’s responsible for the Cyber Security of your Company?” This will give you some clarity about what those expectations should be.
Incident Response and Security Event Plan
The incident response plan warrants a blog all to itself (perhaps I’ll have to publish one in the near future) but it is crucial to your cyber security policy, so let’s look some of the components of a great incident response plan, but forego the details for now.
- Contact information and responsibilities of the incident response team.
- Your system’s details
- Handling procedures
- Documenting and Reporting procedures
- Reporting hierarchy and contacts
Security Awareness Training Policy
If you’ve been reading our blogs and about our business, you already know that we’re passionate about training. Training is one of the most critical elements in ensuring the cyber security of your company, as one simple phishing email attachment being opened could cause massive amounts of damage to your business. That being said, I suggest you have required awareness training and tests for all roles, as well as environment-specific security training for your IT team. (Or, at the very least, get them all their Security+ CompTIA training.)
After outlining what is expected of each department in terms of training, make sure you include how employees are expected to follow up their training. Be sure to detail who is in charge of enforcing the security awareness training policy and who is responsible for deploying the training itself. Also, keep in mind that training can be brought up again as an impactful tool in the “disciplinary” segment of your cyber security policy.
Infrastructure and Data Handling
For every piece of your policy (if you haven’t caught on to the trend yet) you need to have an owner/enforcer/someone responsible for ensuring the policy is carried out. For each of the below items, you need to delegate responsibility. This is another section warrenting a blog unto itself, but here are the main topics you’ll need to cover:
- Security Programs
- Access to Systems
- Backup/Recover, Classification, Disposal and Retention
- Apps and Online Services
- Password Management and Additional Measures
There are a number of cyber security initiatives, frameworks, standards and mandates for every industry. The CNCI (Comprehensive National Cybersecurity Initiative) is one such initiative that has largely become an important guide for infrastructure security standards that has also become mandatory for certain industries. There are also mandates such as ISO 27799, ISO/IEC 27002, ISO/IEC 27010, HIPAA and more which are required for particular industries to follow. Work with your security team to ensure you are following legal obligations, as well as any industry frameworks you’d like to follow by choice.
As always, with whatever industry mandates and frameworks you choose to, and need to, follow- be sure to assign someone to enforce, and to be held responsible for ensuring compliance with those initiatives, mandates and frameworks. Many cloud service providers also have built-in compliance reports and other ways to help you comply with important policies. To get more information about what to expect from cloud service providers, read this blog.
It’s important that disciplinary actions are put in place to incentivize cyber-aware behavior. However, it’s important to note that your cyber awareness program/initiatives should have positive incentives as well. For the sake of your cyber security company policy, you need to lay out disciplinary actions in case of noncompliant employees. Here are a few items you may want to consider for your cyber awareness. Make note, in your policy draft, that every incident needs to be considered on a case-to-case basis.
- For first time, unintentional and small-scale security breaches, the behavior should be acknowledged, but you don’t want to use fear tactics with your employees. Frame it as a learning opportunity by issuing a warning and requiring further awareness training.
- For larger scale incidents, but still unintentional and limited damage, up-the-anti by limiting their access permissions and privileges, require further training and have them record their online activity more rigorously.
- For large scale incidents, with fair-to-severe damage, whether intentional or unintentional. You can employ any and all of the tactics listed above, or take measures up to and including termination, if necessary.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting edge cyber security training. Our training provides the most in-demand industry certification prep courses including EC-Council, CompTIA, (ISC)2 and Cisco; all taught by leading cyber security experts. All of our offerings are aligned with the national initiative for cyber security education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses bite-sized micro-learning methodology ensures learners are not overwhelmed with information. On Demand, LMS platform has white-label capabilities ideal for internal training purposes.