What is a cyber security policy?

A cyber security policy outlines:

technology and information assets that you need to protect
threats to those assets
rules and controls for protecting them and your business

It’s important to create a cyber security policy for your business – particularly if you have employees. It helps your employees to understand their role in protecting the technology and information assets of your business. When you prepare your policy, ensure it guides your employees on:

the type of business information that can be shared and where
acceptable use of devices and online materials
handling and storage of sensitive material

When developing your cyber security policy consider the following steps.

1. Set password requirements

Your cyber security policy should explain:

requirements to create strong passphrases
how to store passphrases correctly
how often you need to update passphrases
the importance of having unique passphrases for different logins

2. Outline email security measures

Include guidelines on:

when it’s appropriate to share your work email address
only opening email attachments from trusted contacts and businesses
blocking junk, spam and scam emails
identifying, deleting and reporting suspicious looking emails

3. Explain how to handle sensitive data

When it comes to handling sensitive data, outline:

when staff may share sensitive data with others
ways they should store physical files with sensitive data, such as in a locked room or drawer
ways to properly identify sensitive data
ways to destroy any sensitive data when it is no longer needed

4. Set rules around handling technology

Rules around technology should include:

where employees may use work devices, such as a business laptop, away from the workplace
how to store devices when they aren’t in use
how to report a theft or loss of a work device
how system updates such as IT patches and spam filter updates will be rolled out to employee devices
when to physically shut down computers and mobile devices if not in use
the need to lock screens when computers and devices are left unattended
how to protect data stored on devices like USB sticks
restrictions on use of removable devices to prevent malware being installed
the need to scan all removable devices for viruses before they may be connected to your business systems

5. Set standards for social media and internet access

The standards for social media and internet access may include:

what is appropriate business information to share on social media channels
what is appropriate for staff to sign up to when using their work email account
guidelines around which websites and social media channels are appropriate to access during work hours

6. Prepare for an incident

If a cyber security incident occurs, you should minimise the impact and get back to business as soon as possible. You’ll need to consider:

how to respond to a cyber incident
what actions to take
staff roles and responsibilities for dealing with a cyber attack

Prepare a cyber security incident response plan

An incident response plan helps you prepare for and respond to a cyber incident. It outlines the steps you and your staff need to follow. Consider the following stages when preparing a plan.

Prepare and prevent

Prepare your business and employees to be ready to handle cyber incidents.
Develop policies and procedures to help employees understand how to prevent an attack and to identify potential incidents.
Identify the assets that are important to your business – financial, information and technology assets.
Consider the risks to these and the steps you need to take to reduce the effects of an incident.
Create roles and responsibilities so everyone knows who to report to if an incident occurs, and what to do next.

Check and detect

Check and identify any unusual activities that may damage your business information and systems. Unusual activity may include:

accounts or your network are not accessible
passwords no longer work
data is missing or altered
your hard drive runs out of space
your computer keeps crashing
your customers receive spam from your business account
you receive numerous pop-up ads

If you see a security incident, document any evidence and report it to your IT section, a team member, or ReportCyber.

Identify and assess

Find the initial cause of the incident and assess the impact so you can contain it quickly.
Determine the impact the incident has had on your business.
Determine its effects on your business and assets if not immediately contained.

Respond

Limit further damage of the cyber incident by isolating the affected systems. If necessary, disconnect from the network and turn off your computer to stop the threat from spreading.
Remove the threat.
Recover from the incident by repairing and restoring your systems to business as usual.

Review

Identify if any systems and processes need improving and make those changes.
Evaluate the incident, both before and after your response, and record any lessons learnt.
Update your cyber security incident response plan based on the lessons learnt so you can improve your business response.

7. Keep your policy up to date

You should develop, review and maintain your cyber security policy on a regular basis.
