Do I really need security policies?

Top 10 Policies

A cyber security policy is a document that defines the measures and procedures for protecting an organisation’s technology and information assets from potential threats. 

This includes identifying the assets that need protection, recognising the risks and hazards, and establishing protocols for security and privacy. If a company employs people, it is crucial to have a cyber security policy in place to educate employees on the proper use of technology, handling of sensitive information, and guidelines for sharing and storing data. 

The policy should ensure that everyone understands their role in safeguarding the business’s technology and information assets.

We have compiled the top 10 list for you.

Acceptable Use Policy

The Acceptable Use Policy (AUP) outlines the acceptable use of computer equipment, which is provided for business purposes in serving the interests of the company, its clients, and its customers during normal operations. The AUP defines inappropriate use of information systems and the risk such use creates: improper behaviour may compromise the network and may result in legal consequences. An example of inappropriate use is an employee accessing data through a company computer for reasons other than doing his or her job. The AUP covers general use, appropriate behaviour when handling proprietary or sensitive information, and unacceptable use.

Security Awareness and Training Policy

Security awareness training should be administered to all workforce members so they can properly carry out their functions while appropriately safeguarding company information. Employees must sign a confidentiality agreement and provide proof of completion when they have finished the training. Management should design the training to educate users on the organisation’s security policy.

Goals for the security awareness and training policy should include educating staff about the security policy and developing an understanding of how the policy protects the business, employees, and customers. The policy must also identify the personnel responsible for creating and maintaining the training. These personnel must learn to recognise changes in technology that affect security and the organisation.

For all users, the policy should cover maintaining workstations, email and internet access rules, and employee responsibility for computer security. Key parts of security awareness training include identifying social engineering tactics, limiting system downtime, and protecting critical business information.

Change Management Policy

An organisation’s change management policy ensures that changes to an information system are managed, approved, and tracked. The organisation must make sure that all changes are made in a thoughtful way that minimises negative impact on services and customers. The change management policy includes methods for planning, evaluation, review, approval, communication, implementation, documentation, and post-change review. Change management relies on accurate and timely documentation, continuous oversight, and a formal, defined approval process. The change management policy covers SDLC, hardware, software, database, and application changes, as well as changes to system configurations including moves, adds, and deletes.

Incident Response Policy

The incident response policy is part of an organisation’s Business Continuity Plan. It outlines an organisation’s response to an information security incident. The incident response policy should be documented separately from the Disaster Recovery Plan, as it focuses on procedures following a breach of data or other security incident.

The policy should include information about the incident response team, the personnel responsible for testing the policy, the role of each team member, and the actions, means, and resources used to identify and recover compromised data. Phases of incident response include:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Post-Incident

The incident response policy also needs to identify the incident response team and information about the system such as network and data flow diagrams, hardware inventory, and logging data. Incident handling procedures should be detailed in the policy. One of the most crucial aspects of this policy is educating users on who to report to in the case of a data breach or other security incident. Management should always assess and monitor performance, ensure cooperation between staff, and regularly test the incident response plan.

Remote Access Policy

Remote access involves connecting to the company’s network from any host. The remote access policy is designed to minimise potential exposure to damage that may result from unauthorised use of resources. This policy should apply to all employees and should include provisions for sending or receiving email and for accessing intranet resources. The policy should also include requirements for VPN access and disk encryption.

Requirements for remote access should mirror the requirements for onsite access. For example, employees should not engage in illegal activity over their remote connection and should not allow unauthorised users to use their work device. The policy should also enforce strong passphrases, logging off when leaving a device unattended, and refraining from connecting to other networks while connected to the internal one. It should also require users to run the most up-to-date antimalware software and operating systems.

Third Party Management Policy

The third-party management policy validates a third party’s compliance and information security capabilities. The policy should address the process for acquiring vendors and how to manage all of a company’s vendors. The organisation should assess the business associate’s ability to create, receive, maintain, or transmit confidential data on behalf of the company. The company should be able to trust that the third-party vendor will appropriately safeguard the information it is given. It is critical that the organisation keeps a list of its vendors, tiered by risk, along with vendor contacts and the legal consequences if data is ever breached. Another necessary step is to create an internal response plan for each vendor in the event of a failure.

Consider the following points when choosing a vendor:

  • Are they ISO27001 or NIST compliant, have they done the Essential 8 maturity assessment and what other frameworks do they abide by?
  • What does their SLA look like?
  • Do they undergo annual security risk assessments?
  • What actions do they take if their product fails?
  • What access to our network will they need?

The policy should cover procedures for selecting a vendor, risk management, due diligence, contractual standards, and reporting and ongoing monitoring. Additionally, the policy should address the relationship to other areas of the risk management and compliance management practices.

Password Creation and Management Policy

The password creation and management policy provides guidance on developing, implementing, and reviewing a documented process for creating, changing, and safeguarding strong passwords used to verify user identities and obtain access to company systems or information. The policy should touch on training and awareness as to why it is so important to choose a strong password. It should include rules for changing temporary passwords and the risks of reusing old passwords.

The policy should also include specific password complexity and length requirements. It should educate users on the risk of using a common word or including personal information in a password. The policy should also identify any exceptions, such as apps or other information systems, that use different password requirements. It should cover account lockouts and maximum retry attempts, and outline procedures for logging all unsuccessful login attempts.
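The length, complexity, personal-information, reuse and retry rules described above can be enforced in code. The following is an added example written for this article, not code from the original page or any product; the threshold values (14 characters, five attempts, 15-minute lockout, five-password history) and the short common-word list are assumptions chosen for illustration, and a real policy sets its own. Password history is kept as salted PBKDF2 hashes so old passwords are never stored in clear text, and every unsuccessful attempt is written to an audit list with time and origin, as the policy requires.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Hypothetical policy values for the example; a real policy defines its own.
MIN_LENGTH = 14
MAX_RETRY_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}  # constructed sample list


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_hash(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(recomputed.hex(), digest_hex)


def check_password(candidate: str, personal_info: list, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    lowered = candidate.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    # personal_info holds items such as username or surname supplied by HR/IT
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    # history holds the hashes of the user's previous passwords
    if any(verify_hash(candidate, h) for h in history):
        problems.append("reuses a previous password")
    return problems


@dataclass
class LoginGuard:
    """Tracks unsuccessful logins per account, enforces the retry limit and logs every failure."""
    failures: dict = field(default_factory=dict)      # account -> timestamps of recent failures
    locked_until: dict = field(default_factory=dict)  # account -> epoch seconds lock expires
    audit_log: list = field(default_factory=list)     # every failed/locked attempt, with time and origin

    def attempt(self, account: str, password: str, stored_hash: str, origin: str, now: float) -> str:
        if self.locked_until.get(account, 0) > now:
            self.audit_log.append(f"{now:.0f} LOCKED account={account} origin={origin}")
            return "locked"
        if verify_hash(password, stored_hash):
            self.failures.pop(account, None)  # successful login clears the failure window
            return "ok"
        self.audit_log.append(f"{now:.0f} FAILED account={account} origin={origin}")
        recent = [t for t in self.failures.get(account, []) if now - t < LOCKOUT_SECONDS] + [now]
        self.failures[account] = recent
        if len(recent) >= MAX_RETRY_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.audit_log.append(f"{now:.0f} LOCKOUT account={account}")
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(check_password("alice2024", ["alice", "smith"], []))
    guard = LoginGuard()
    stored = hash_password("Correct-Horse-Battery-9")
    for i in range(5):
        print(guard.attempt("alice", "wrong", stored, "10.0.4.21", 1000.0 + i))
    print(guard.audit_log)
```

The guard returns a status string rather than raising, so the caller can decide how to respond; the audit list is what the policy's "log all unsuccessful login attempts" clause would feed into the organisation's log review.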

Network Security Policy

A complete network security policy ensures the confidentiality, integrity, and availability of data on the company’s systems by following a specific procedure for reviewing information system and network activity on a periodic basis. The policy ensures that systems have appropriate hardware, software, or procedural auditing mechanisms. Audit events include failed login attempts, system start-up or shut-down, and the use of privileged accounts. Other logged items include anomalies in the firewalls, activity over routers and switches, and devices added to or removed from the network. Organisations should log details of the activity such as the date, time, and origin of the activity.

The policy must state the actions to be taken during an auditable event and who is responsible for each. For example, IT fixes the problem and then reports to the ISO. This process should be clearly identified in the policy.

The Network Security policy may branch out into other policies depending on a company’s infrastructure. Additional policies may include Bluetooth baseline requirements policy, router and switch security policy, and wireless communication policy and standard. All these policies should incorporate rules and behaviours when accessing the network.

Access Authorisation, Modification, and Identity Access Management

Using access authorisation requires organisations to implement the Principle of Least Privilege: the idea that users and systems should only be given access to the information needed to complete their job. The organisation should create and document a process for establishing, documenting, reviewing, and modifying access to systems and sensitive information. This process usually involves HR and IT, who grant access upon hiring and remove it upon termination. Access must be granted based on valid access authorisation, intended system usage, and other attributes required by the organisation. An access authorisation and modification map should be created in accordance with the access authorisation policy and the password management policy. HR and IT must consider group membership, special privileges, temporary or guest accounts, and shared accounts. These policies and procedures must be updated regularly, as they are critical to data privacy.
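The periodic review this section calls for (does each account hold only what its role needs, have leavers been removed, have temporary or guest accounts expired, does every shared account have an owner) can be expressed as a check over the access map. The following is an added example for this article, not code from the page or from any identity product; the role-to-entitlement map, the five sample accounts and the entitlement names are all constructed for illustration.

```python
from datetime import date

# Constructed role-to-entitlement map: the maximum each role may hold (hypothetical).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password_reset", "ticketing:write"},
    "developer": {"git:read", "git:write", "ci:trigger"},
}

# Constructed sample of the access map as HR and IT might maintain it (hypothetical).
USERS = [
    {"id": "jsmith", "role": "accounts_payable", "status": "active",
     "entitlements": {"erp:invoices:read", "erp:invoices:approve"}, "groups": ["finance"]},
    {"id": "mlee", "role": "helpdesk", "status": "active",
     "entitlements": {"ad:password_reset", "ticketing:write", "ad:domain_admin"}, "groups": ["it"]},
    {"id": "rchen", "role": "developer", "status": "terminated",
     "entitlements": {"git:read", "git:write"}, "groups": ["eng"]},
    {"id": "guest-audit", "role": "helpdesk", "status": "active", "type": "guest",
     "expires": date(2024, 4, 30), "entitlements": {"ticketing:write"}},
    {"id": "svc-backup", "type": "shared", "status": "active",
     "entitlements": {"backup:run"}, "owner": None},
]


def review_access(users: list, role_entitlements: dict, today: date) -> list:
    """Return (account, issue, details) tuples for every least-privilege violation found."""
    findings = []
    for u in users:
        ents = set(u.get("entitlements", ()))
        # Leavers: HR has marked the account terminated but IT has not removed access.
        if u.get("status") == "terminated" and ents:
            findings.append((u["id"], "terminated_but_active", sorted(ents)))
        # Excess privilege: anything beyond what the account's role permits.
        role = u.get("role")
        if role in role_entitlements:
            excess = ents - role_entitlements[role]
            if excess:
                findings.append((u["id"], "excess_privilege", sorted(excess)))
        # Temporary or guest accounts must carry an expiry and be removed once it passes.
        if u.get("type") in ("temporary", "guest"):
            expires = u.get("expires")
            if expires is None:
                findings.append((u["id"], "temporary_account_without_expiry", []))
            elif expires < today:
                findings.append((u["id"], "expired_account", [expires.isoformat()]))
        # Shared accounts need a named owner who answers for their use.
        if u.get("type") == "shared" and not u.get("owner"):
            findings.append((u["id"], "shared_account_without_owner", []))
    return findings


def revocations(findings: list) -> dict:
    """Translate findings into the entitlements IT should remove, keyed by account."""
    actions = {}
    for account, issue, details in findings:
        if issue in ("terminated_but_active", "excess_privilege"):
            actions.setdefault(account, set()).update(details)
    return actions


if __name__ == "__main__":
    for row in review_access(USERS, ROLE_ENTITLEMENTS, date(2024, 5, 2)):
        print(row)
    print(revocations(review_access(USERS, ROLE_ENTITLEMENTS, date(2024, 5, 2))))
```

Running the review on a schedule, and again at every hire, role change and termination, is what keeps the access map in step with the policy; the revocation list is the concrete hand-off from the review to IT.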

Data Retention Policy

The data retention policy specifies the types of data the business must retain and for how long. The policy also states how the data will be stored and destroyed. This policy helps to remove outdated and duplicated data and to free up storage space. A data retention policy also helps organise data so it can be used later. Types of data include documents, customer records, transactional information, email messages, and contracts. This policy is essential for businesses that store sensitive information. Organisations should reference regulatory standards for their data retention requirements.

Other Important Policies to Consider

So, you’ve got the Top 10 Important Policies implemented, but here are a few more we highly recommend you review and consider adding to your policy set.

  • Mobile Device Management (MDM) Policy and Procedures
  • Bring Your Own Device (BYOD)
  • Encryption and Decryption Policy
  • SPAM Protection Policies
  • HR Policy Set
  • System Maintenance Policy
  • Vulnerability Management Policy

Our cyber security experts are here to help

We work with businesses of all sizes to help them identify, and then manage their cyber security risks.