The major goals of every organisation are to maintain business operations, keep customers happy and turn in a healthy profit. These goals are well articulated in strategic business documents which convey the business goals and objectives, and in policy documents which provide a set of business principles and guidelines to achieve the strategic goals.
Cybersecurity teams also have strategic goals which could include (but are not limited to) any of the following:
- Maintain confidentiality, integrity and availability of the organisation's systems, network and data.
- Ensure cybersecurity operational resilience.
- Prevent financial and/or data loss.
And just as in the wider business environment, the cybersecurity team leadership drafts cybersecurity strategy and policy documents to ensure effective governance of the organisation's cybersecurity programme.
A cybersecurity policy is a high-level governance document defined and documented by the IT / cyber team leadership (the CISO, for example) to provide guidelines to employees on acceptable conduct, so as to ensure the confidentiality, integrity and availability of the organisation's information systems, network infrastructure and data. These policies could apply specifically to the cybersecurity team or to the whole organisation.
Cybersecurity policies are critical in every organisation because employees are very often the weakest link in a cyber attack. Employees use weak passwords, fall prey to phishing emails, download and install unapproved software, visit malicious websites, and engage in several other activities that endanger the organisation at large. It is, therefore, important that the organisation is clear on acceptable activities and documents these guidelines in cybersecurity policies to ensure that employees do not become a cybersecurity vulnerability.
For various reasons, an organisation could decide to keep its cybersecurity policy as one governance document or break it down into several separate cybersecurity policies. Whichever choice the organisation makes, the following cybersecurity policies are found in most organisations:
- Incident Management Policy: The incident management policy outlines the approach the organisation will take to manage incidents and remediate their impact on organisational operations.
- Access Control Policy: Ensures that logical and physical access to the organisation's information systems, network and data are controlled, protected and available to only the authorised persons.
- Patch Management Policy: This policy (mostly specific to the cyber team) outlines the company's guidelines on managing patches on IT systems.
- Password Policy: This policy creates a standard for creation and management of (employee and system) passwords across the organisation.
- Anti-virus Policy: Sets out the organisation's standards on handling anti-virus-related issues and on handling malware.
- Network Policy: This policy defines the acceptable standards for connecting to the organisation's network.
- Acceptable Use Policy: This policy outlines the constraints and practices that an employee using organisational IT assets must agree to.
- Bring Your Own Device (BYOD) Policy: Provides guidelines on the use of personal devices (mobile phones, laptops, tablets) to access company-owned resources, services and/or applications. For example, a Customer Relationship Manager logging on to the CRM portal with her personal phone must obey the guidelines stipulated in this policy.
Other cybersecurity policies include:
- Security Logging and Monitoring Policy
- Cloud Security Policy
- Cyber Threat Intelligence Policy
- Change Management Policy
- Secure Software Development Policy
- Threat and Vulnerability Management Policy
- Email Policy
- Disaster Recovery Policy
It is important that every organisation documents (and implements) these cybersecurity policies. Effective implementation might just be what keeps its business safe.