Even though most companies have this policy in place, employee-based mistakes are still responsible for 90 percent of data breaches in the cloud, according to Kaspersky Lab.
So how do you compose a cybersecurity policy that works if you are a small-to-medium business owner or an IT admin with no experience in the matter?
To build an effective, easily implementable cyber/digital/IT security policy, you must include easy-to-follow directions and security measures for:
- C-level management
- IT guys
- Other employees
- Multiple third parties
As a cybersecurity platform whose main job is to secure clients’ data, SpinOne has helped thousands of IT specialists easily set up multiple data security policies and protect their organization’s data from loss and leakage. In this post, we outline the key approaches, rules, and activities to include in a cybersecurity policy checklist that protects your company’s IT systems and data from various threats.
Before getting to the bullet points, let’s walk through the fundamentals to keep in mind when developing your security policy. (Read it, it’s important)
Basics of Creating a Cyber Security Policy
To create a policy that works, you must apply its rules to every unit in your company. This means keeping in mind everyone who will be subject to this policy and addressing their risks accordingly.
Think of everyone with temporary or permanent access to your system—directors, employees, contractors, vendors, and others. Then answer:
- What do these people do?
- When and why do they do it?
- What shouldn’t they do?
- Who has access to what?
- Who shouldn’t have access to what, and why?
- How will you ensure and control these processes?
- How will you hold people accountable in case of policy violation?
To answer these questions, you may need to involve your company’s board and legal, IT, and HR teams.
The full cycle of the policy creation should look like this:
Also, answer the following questions:
- What regulations might you need to consider in the policy (e.g., GDPR, CCPA, NIST, etc.)?
- What units should you include (e.g., data, network, devices, etc.)?
- What work-related situations must be outlined in the policy (onboarding, offboarding, etc.)?
Free Cyber Security Policy Template for Newbies and SMBs
To build this template, we used a “checklist” approach.
Checklists happen to be an effective way to break down a complicated task into simple and digestible steps without letting essential tasks slip away. Even surgeons and astronauts use them to complete their operations successfully.
The following security policy checklist provides general security guidelines for your employees. Use it as a framework: add more information to every point and create a more personalized policy template for your company. Revise it every six to twelve months, extending it and making changes as needed.
1. Password security
Passwords are the first line of defense, and your users must be able to manage password strength, expiry, rotation, and so on. For them to do so appropriately, provide them with helpful guidelines.
1.1. Weak passwords: consequences and examples
1.2. Strong passwords: standards and examples
1.3. General guidelines for password security:
- Enable multi-factor authentication
- Change passwords every six to twelve months
- Never use the same passwords within and outside of the work system
- Never reveal passwords
- Do not leave credentials exposed
Check out our article on cybersecurity practices for working from home, which you may want to share with your employees.
2. Employee and vendor access management
In this section, specify who has access to what data inside the system, when that access takes place, which permissions can and cannot be granted, and so on. You can also include here the access rules for third parties such as suppliers, vendors, and partners.
2.1. Rules of user registration and user suspension
2.2. Process of granting and revoking system access
2.3. Network access management rules
2.4. Remote/External access control rules
2.5. Third-party (vendors, suppliers, outsourcers, etc.) access rules
2.6. User responsibilities and accountability regarding access security
3. Data Sharing and Download Control
The organization’s data cannot be shared or downloaded freely in most cases.
- Data sharing rules outside of the organization domain
- Data sharing rules within the organization domain (e.g., sharing information between departments)
- Template for a user request to access/share data (who attempts to access what, and what for?)
- Types of data that must be covered by the no-sharing rule (such as sensitive information, business-critical data, and so on)
- List of secure channels by which users can share data that is classified as important or sensitive
Read also: Shadow IT: Rules and Tools to Manage It
4. Sensitive/Personal and Confidential Information Control
Suppose your company handles sensitive or personal information about your customers or clients. In that case, you are bound to protect this information from unauthorized access and from sharing via unprotected channels.
Also, you must outline rules and regulations concerning the usage of the company’s confidential information.
4.1. Definition and types of sensitive and personal information
4.2. Definition and types of confidential information
4.3. Sharing rules for sensitive/personal data
4.4. Sharing rules for confidential data
4.5. Storing and processing rules for sensitive and personal data
There are hundreds of malware types that pose a threat to your organization’s data. One of the most widespread and dangerous of them is ransomware, which, by the way, can now infect your corporate Google Drive or OneDrive files.
Aside from the obvious need for antivirus software and multiple security customizations on your side, there are rules your employees should follow to avoid catching ransomware and malware.
- Create an anti-malware policy that encompasses all the guidelines for antivirus installation and updates, vulnerability tests, and other malware-prevention measures for the IT team
- Explain what malware is, how it can lead to data loss and data leaks, and how it can be installed
- Establish communication rules in case malware has infected the system
- Fundamental rules for employees to follow to avoid malware:
  - Do not click on dubious ads and pop-ups.
  - Do not grant access permissions to third-party applications that are not on the whitelist.
  - Do not click on suspicious emails (include a list of the criteria for identifying a suspicious email).
  - Do not download unapproved applications/add-ons/extensions without informing the IT department.
These are the basics your users must be aware of when interacting with company data and systems. Feel free to extend this list by adding more specific rules regarding social media, email, and personal device usage.
Want to know about the threats employees present and how you can manage them?