Besides acting prudently by implementing key policies, a business may be required to have certain cybersecurity policies in place before it can obtain cyber-risk insurance. In addition, company boards are increasingly being required to demonstrate a higher level of competence in cybersecurity as it pertains to protecting their customers' privacy.
What is the difference between a Policy, Guideline, and a Standard?
A policy documents a set of rules that must be followed. Policies should be drafted to comport with the actual ability of an organization to construct internal procedures to enforce them, and in accordance with local, state, and federal laws. Guidelines are a set of suggested methods based on the experience and defined best practices of an organization. Company guidelines should be consistent with leadership goals. Standards are usually defined by an industry to create a baseline for quality or proficiency in a particular area. There are several cybersecurity standards, and a company should choose a standard whose requirements it is technically able to meet or exceed.
There are many standard policies that a company can consider implementing. Choosing the right policies may be dictated by the industry, the company's size, and the complexity of its operations. Here are a few typical policies related to cybersecurity:
Password Construction Policy
Acceptable Use Policy
E-mail Policy
Social Media Policy
Remote Access Policy
Software Acquisition Policy
Workstation Security Policy
Data Storage Policy
Bring Your Own Device (BYOD)
Drafting policies should be a joint effort between the IT and legal functions where possible. The IT department should be capable of drafting the technical aspects of the policies. Moreover, an IT department can ensure that the people and the current network can actually comply with the policies. However, each policy should also have a legal review to help ensure that it complies with local, state, and federal laws. For example, a workstation policy at a medical office may need specific items to comply with HIPAA.
Policies alone will not prevent any sort of cyber-attack. Procedures must be implemented to enforce each policy. Procedures should include how often each policy is reviewed by management for modification, the actions that will be taken for failure to comply with the policy, and how employees will be trained on the policy. People should be designated to review each policy in light of current threats, changes in technology, and employee behavior. Disciplinary rules can be put in place to encourage policy compliance. Training should occur immediately and frequently so that employees understand the purpose of each policy, what is required for compliance, and the possible consequences of not following the policy. Emphasis can be given to illustrate that an employee's failure to comply with a policy can have a direct negative impact on the individual and on the company as a whole.
Jul 19, 2016
by Brian Kirkpatrick