Lo:3. Discuss the components of a cybersecurity policy
A cybersecurity policy sets the standards of behavior for activities such as the encryption of email attachments and restrictions on the use of social media.
How Cybersecurity Policies and Procedures Protect Against Cyberattacks
Cybersecurity policies are important because cyberattacks and data breaches are potentially costly.
At the same time, employees are often the weak links in an organization’s security. Employees share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and neglect to encrypt sensitive files.
These types of policies are especially critical in public companies or organizations that operate in regulated industries such as healthcare, finance, or insurance. These organizations run the risk of large penalties if their security procedures are deemed inadequate.
Even small firms not subjected to federal requirements are expected to meet minimum standards of IT security and could be prosecuted for a cyberattack which results in loss of consumer data if the organization is deemed negligent. Some states, such as California and New York, have instituted information security requirements for organizations conducting business in their states.
Cybersecurity policies are also critical to the public image and credibility of an organization. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.
Defining a cybersecurity policy
Cybersecurity procedures explain the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security. Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organization. Stakeholders include outside consultants, IT staff, financial staff, etc. This is the “roles and responsibilities” or “information responsibility and accountability” section of the policy.
The policy may then include sections for various areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The SANS Institute provides examples of many types of cybersecurity policies. These SANS templates include a remote access policy, a wireless communication policy, password protection policy, email policy, and digital signature policy.
Organizations in regulated industries can consult online resources that address specific legal requirements, such as the HIPAA Journal’s HIPAA Compliance Checklist or IT Governance’s article on drafting a GDPR-compliant policy.
For large organizations or those in regulated industries, a cybersecurity policy is often dozens of pages long. For small organizations, however, a security policy might be only a few pages and cover basic safety practices. Such practices might include:
• Rules for using email encryption
• Steps for accessing work applications remotely
• Guidelines for creating and safeguarding passwords
• Rules on use of social media
Regardless of the length of the policy, it should prioritize the areas of primary importance to the organization. That might include security for the most sensitive or regulated data, or security to address the causes of prior data breaches. A risk analysis can highlight areas to prioritize in the policy.
The policy should also be simple and easy to read. Include technical information in referenced documents, especially if that information requires frequent updating. For instance, the policy might specify that employees should encrypt all personally identifiable information (PII). However, the policy does not need to spell out the specific encryption software to use or the steps for encrypting the data.
Who should write the cybersecurity policies?
The IT department, often the CIO or CISO, is primarily responsible for all information security policies. However, other stakeholders usually contribute to the policy, depending on their expertise and roles within the organization. Below are the key stakeholders who are likely to participate in policy creation and their roles:
• C-level business executives define the key business needs for security, as well as the resources available to support a cybersecurity policy. Writing a policy that cannot be implemented due to inadequate resources is a waste of personnel time.
• The legal department ensures that the policy meets legal requirements and complies with government regulations.
• The human resources (HR) department is responsible for explaining and enforcing employee policies. HR personnel ensure that employees have read the policy and discipline those who violate it.
• Procurement departments are responsible for vetting cloud services vendors, managing cloud services contracts, and vetting other relevant service providers. Procurement personnel may verify that a cloud provider’s security meets the organization’s cybersecurity policies and verify the effectiveness of other relevant outsourced services.
• Board members of public companies and associations review and approve policies as part of their responsibilities. They may be more or less involved in policy creation depending on the needs of the organization.
When inviting personnel to participate in policy development, consider who is most critical to the success of the policy. For example, the department manager or business executive who will enforce the policy or provide resources to help implement it would be an ideal participant.
Updating and auditing cybersecurity procedures
Technology is continuously changing. Update cybersecurity procedures regularly—ideally once a year. Establish an annual review and update process and involve key stakeholders.
When reviewing an information security policy, compare the policy’s guidelines with the actual practices of the organization. A policy audit or review can pinpoint rules that no longer address current work processes. An audit can also help identify where better enforcement of the cybersecurity policy is needed.
The InfoSec Institute, an IT security consulting and training company, suggests the following three policy audit goals:
• Compare the organization’s cybersecurity policy to actual practices
• Determine the organization’s exposure to internal threats
• Evaluate the risk of external security threats
An updated cybersecurity policy is a key security resource for all organizations. Without one, end users can make mistakes and cause data breaches. A careless approach can cost an organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.
Creating a Successful Cybersecurity Policy
How well-developed is your company’s cybersecurity policy?
Does it apply equally well to every area in which you do business, providing consistent protection from both interior and exterior threats without hindering productivity?
How quickly can you recover from a data disaster?
Cybersecurity can seem intimidating at first, but there are steps you can take to reduce your exposure, keeping in mind that it is an ongoing process.
Cyber criminals are endlessly innovative and the threats they represent change constantly, so it is important to keep your security practice evolving in order to combat these threats.
Bringing in experts can give your company an enormous advantage. When it comes to cybersecurity, economy of scale works wonders on the efficiency of industry-specific policies, since sector-wide patterns and statistics can be leveraged to create robust, flexible defense infrastructure. Plus, you gain the benefit of experience—there is no need to learn from your mistakes when you can learn from those of others. When millions of dollars in damages could potentially be on the line, those who invest in the right preparation beforehand consistently come out on top.
So what does an effective cybersecurity policy look like? The short answer is that it depends. Many of the details will be specific to your industry, but there are seven main points that all successful policies share.
Characteristics of a Successful Cybersecurity Policy
• It’s Usable
• It Evolves Over Time
• It Accounts for Human Error
• It’s Standardized & Followed by All
• It’s Multidisciplinary
• It Plans for Exceptions
• It Explains How to Handle Incidents
#1. It’s Usable
The first and most important thing about your policy is that it must work. While this may seem like a given, you’d be surprised how many otherwise-successful corporate cybersecurity policies hinder performance more than they help. A usable cybersecurity policy is one that is powerful enough to block unauthorized network intruders, but permissive enough to let your employees and business partners use the information they need in a streamlined way.
A usable cybersecurity policy should be easy to understand. This ensures that every single employee in the company, from the CEO to the mailroom intern, fully understands what threats are being addressed and how they are playing their part. Usable cybersecurity policies can only take form when every member of the company shares responsibility for maintaining security—a chain is only as strong as its weakest link—and you should assume that cybercriminals will eventually find that link.
#2. It Evolves Over Time
What kept sensitive data secure in 2014 will not keep it secure in 2015, and what worked in 2015 may not address the most pertinent security needs of 2016. Cybercriminal behavior changes over time, and entire criminal industries have developed because of the lack of adaptability in corporate information security culture. Since the bad guys can adapt to changing conditions faster and more effectively than ever before, the only way to address the threats they pose is to be just as adaptive.
Your cybersecurity policy should have a cyclical update period of between six and twelve months. At that point, your company’s cybersecurity team would get together to address any new issues that have arisen. The policy must be reviewed, adjusted and approved before being implemented. This is the perfect time to hire an outside cybersecurity consultant who can point out weaknesses and suggest ways to remediate them.
Don’t forget to keep a record of past cybersecurity policies. Each revision should be easily retrievable so that you can revise, perform audits and initiate personnel changes smoothly.
#3. It Accounts for Human Error
We’re all human and we all make mistakes. This is exactly why most of the heavy work in your cybersecurity infrastructure should be automated. The more you can automate, the less room you give employees, vendors, suppliers and distributors to make mistakes. Although mistakes can occur even within this context, a flexible and well-adjusted cybersecurity policy will provide the framework necessary to undo errors or quarantine them when needed.
What kind of errors are we talking about? There are plenty: Employees might send sensitive documents through unsecured email accounts. Others might write down passwords on sticky notes in order to not forget them. If your company is in the sights of a cybercriminal, all it takes is a single moment of inattention, an employee opening an email attachment from an untrusted source, and your system could be compromised. When this happens, you want to have protocols in place that limit the amount of damage that can be done while providing means of closing the information gap and keeping your data as safe as possible.
#4. It’s Standardized & Followed By All
Standardization is an important element of a successful cybersecurity policy because it ensures that the perimeter you build has no weak points or loose ends. This helps usability as well, since standardization means that different members of your team still adhere to the same rules when it comes to handling company data. When everyone in your office uses computers to work, it no longer matters what department they’re in or what access they have—an entrance into the system is an entrance into the system.
Each and every member of your team needs to understand your policy and be responsible for enforcing it. Your policy must include consequences for noncompliance and an oversight team that enforces these consequences. That team needs to be deeply aware of cybersecurity trends not just in your industry, but throughout every level of the company.
#5. It’s Multidisciplinary
With various threat vectors looming in each separate department, it only makes sense that your cybersecurity defense should be cross-disciplinary. This means your cybersecurity team needs to work together, bridging senior management needs with stakeholder concerns and relying on the expertise of those who know how their departments work.
When you have a robust, standardized cybersecurity policy, it applies equally well to the mechanics of your finance department as it does to research and development, or corporate leadership. The policy is essentially designed to function within these contexts, providing a streamlined framework for authorized data access and communication. To do this, your entire organization should play a part in drafting the policy, assuring that everyone’s concerns are adequately met.
#6. It Plans for Exceptions
In an ideal world, there would be no need to change policy—no exceptions to the rules. However, we don’t live in an ideal world and when it comes to frequently updated rule sets that need to be flexible and adaptive, exceptions can become the rule. In drafting your cybersecurity policy, your business units may not have covered all the bases or thought far enough ahead to meet all their needs. This means you must be prepared to offer a standardized exception process that is documented, accountable and well-organized.
#7. It Explains How to Handle Incidents
Even if you draft a sound cybersecurity policy, covering all of your company’s business functions, it might not be enough. As the old military adage goes, “No battle plan survives contact with the enemy.” Vulnerabilities may be discovered, sensitive data might be exposed and you may have to quarantine certain elements of your network in order to keep your business safe. You’ll need decisive, responsive and reliable solutions to a variety of possible threats and incidents.
A cybersecurity policy is a set of rules and regulations designed to protect an organization or system from malicious cyber threats such as hacking, viruses, malware, spam, phishing attacks, and other types of security breaches. It is important for organizations to have these policies in place as they provide an established framework that can be used to assess the effectiveness of their existing security measures and identify gaps that need to be addressed (Choo et al., 2019).
The components of a cybersecurity policy typically include:
• Access control: Establish guidelines for who should have access to certain sensitive data or systems within the organization. This includes setting up authentication processes (such as passwords) and limiting access rights on an individual basis.
• Risk management: Identify potential risks associated with cybersecurity threats and develop strategies for mitigating them through employee training programs, network monitoring solutions, etc.
• Incident response planning: Create a plan outlining how incidents should be logged, reported on and resolved quickly in order to minimize any damage caused by the incident.
• Compliance monitoring: Ensure that all personnel are aware of applicable laws related to data privacy & protection and adhere to them at all times.
Overall, this paper serves to showcase the importance of having a comprehensive cybersecurity policy in place. Such guidelines provide organizations with a clear foundation upon which they can build their own unique defensive strategies against online attackers. Furthermore, it lets employees within those organizations know exactly what is expected of them when it comes to safeguarding digital assets from external threats.