Just as important as the right staff and software, an organization’s cybersecurity policy is the lynchpin of solid protection
In the modern digital-centric workplace, the lines between professional and personal lives are now thoroughly blurred, especially with the rise of remote and hybrid work models. Since COVID, the ‘new normal’ necessitates a robust cybersecurity policy that safeguards the organization while accommodating diverse working scenarios.
Among the many responsibilities of the security team and the CISO, the CISO's role now includes creating a comprehensive cybersecurity policy document, whatever the organization's size, that incorporates cloud technologies and a mix of remote work practices.
“A strong cybersecurity policy is the foundation upon which an organization builds its defense against cyber threats.”
[Building a Cyber Resilient Public Sector 2022-2030, UK Gov].
The above statement highlights the consensus among cybersecurity leaders that a policy document is critical to establishing security norms and setting standards and expectations within any organization, but where to start?
Understanding the Necessity of a Cybersecurity Policy
A cybersecurity policy is a foundational document that outlines an organization's approach to protecting its information and technology assets. At a time when cyber threats are increasingly sophisticated and regulatory pressures mount, a clear policy is not just a best practice: it is a business imperative. It delineates responsibilities and sets the tone for cybersecurity hygiene across the company.
Who Should Enforce the Cybersecurity Policy?
Technically, everyone. While the CISO is typically responsible for the cybersecurity policy, and each department head and C-suite member should lead by example, its enforcement is a collective effort.
IT departments, human resources, and department heads all play pivotal roles, ensuring that the policy is adhered to and that violations are addressed promptly. Cyber protection is now part of office culture: recognizing the tell-tale signs of phishing, and understanding why the organization is moving to zero trust, should be common knowledge, enforced and policed by every member of staff.
I heard of a nice idea recently from a client of ours, where they award a $50 Amazon voucher to the first person to report 10 legitimate phishing attempts each financial quarter. Some real, some from testing exercises. Creating some gamification like this breeds awareness and a positive culture and puts security on everyone’s radar.
Defining the Scope of the Policy
Before drafting the policy, define its scope. It should cover all types of data, devices, and users within the organization, including remote and hybrid workers, as well as BYOD (Bring Your Own Device) security and company-issued devices.
Device Usage Policy
For staff allowed to use personal mobile devices, the policy should include:
- Device Approval: Define what devices are permitted and the process for getting personal devices approved for work use.
- Security Requirements: Mandate security measures such as antivirus software, firewalls, and device encryption.
- Compliance Audits: Schedule regular checks and assign a team member responsible for conducting those checks to ensure personal devices comply with your organization’s defined security policies.
For staff not allowed to use personal devices:
- Issuance of Company Devices: Outline the process for issuing company devices, including laptops and smartphones. The process for issuing company devices typically begins with an inventory check and device allocation based on the employee’s role and requirements. Following this, the IT department configures the devices with the necessary software, security measures, and access controls. Each employee is then provided with the device, alongside an orientation on usage policies, security protocols, and maintenance responsibilities. The process invariably concludes with the employee signing a device usage agreement, acknowledging the terms and conditions of using the company-issued equipment.
- Usage Guidelines: Clearly state acceptable use cases for company devices, emphasizing that they are for business use only.
Password Policy
- Complexity Requirements: Enforce complex passwords with a mix of characters, numbers, and symbols. The protection of a solid password policy is worth any inconvenience when we consider that 81% of hacking-related breaches leverage either stolen and/or weak passwords [Verizon].
- Change Frequency: Mandate regular password changes, typically every 60-90 days.
- Password Management Tools: Encourage the use of reputable password managers to maintain password hygiene.
Email Security and Phishing
- Email Use Guidelines: Clarify appropriate usage, including prohibitions on sharing sensitive information without encryption and general guidelines for secure data transfer policies.
- Phishing Reporting: Establish a protocol for reporting suspected phishing attempts, including whom to contact and how. Often, this can easily be supported with a simple video of screen grabs and a voiceover showing how to report phishing in the likes of Outlook, or however your company supports the reporting function.
- Training Programs: Implement regular employee training to identify and handle phishing and other email-related threats. Having a named security team champion act as a training liaison and a point of contact should be specified in the cybersecurity policy for clarity and to foster communication in fielding any resulting queries from instruction.
- Reinforce Policy: Keep security and the cybersecurity policy front of mind. We've created two printable versions of our '12 Tell-Tale Signs of Phishing Emails' infographic (US and UK editions), ideal for placing around any office to reinforce awareness.
Handling Sensitive Data
- Data Classification: Define categories of data, such as public, internal, confidential, and highly confidential. Ideally, this is also where the decision between microsegmentation and network segmentation is made: dividing a network into specific zones or segments to control access and reduce the attack surface, with microsegmentation enforcing this at a finer level of detail to improve security and management.
- Access Control: Restrict access to sensitive data based on job roles. Zero trust is a cybersecurity strategy that operates on the principle “never trust, always verify” and is a common policy for most organizations, requiring strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are inside or outside the network’s perimeter.
- Transmission and Storage: Provide clear instructions on how sensitive data should be transmitted and stored securely. This might include the use of encrypted channels, like VPNs or secure email services, for transmitting sensitive data, and ensuring sensitive data is encrypted when stored, especially on cloud services or external drives. This is also the place to explain what the principle of least privilege is and why an organization restricts access to sensitive data to authorized personnel only.
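The Device Usage Policy compliance checks above and the Access Control and Transmission rules in this section can be expressed as one access decision. The following is an added example, not code from the original post: a small decision function that applies the post's classification levels, a least-privilege role ceiling, zero-trust checks on identity and device, and an encrypted-channel requirement for sensitive data. The role names, device fields, and channel list are assumptions.

```python
# Added example: combines data classification, least privilege and zero trust
# into one access decision. Role names, device fields and channel names are
# assumptions chosen for illustration.
from dataclasses import dataclass

# Classification levels in increasing sensitivity, as named in the policy.
LEVELS = ["public", "internal", "confidential", "highly confidential"]

# Least privilege: each role gets the highest level it may read, nothing more.
ROLE_CEILING = {"contractor": "public", "staff": "internal",
                "finance": "confidential", "ciso": "highly confidential"}

# Channels treated as encrypted for transmitting sensitive data.
ENCRYPTED_CHANNELS = {"vpn", "secure-email", "https"}

@dataclass
class Device:
    managed: bool       # approved company device or approved BYOD
    encrypted: bool     # full-disk encryption enabled
    antivirus: bool     # endpoint protection running
    patched: bool       # OS and software updates current

@dataclass
class Request:
    role: str
    mfa_verified: bool  # identity verified with MFA for this session
    device: Device
    classification: str
    channel: str

def device_compliant(d: Device) -> bool:
    """Compliance audit check from the Device Usage Policy section."""
    return d.managed and d.encrypted and d.antivirus and d.patched

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every request is verified, inside or outside
    the perimeter: identity first, then device, then role, then channel."""
    if not req.mfa_verified:
        return False, "identity not verified (MFA required)"
    if not device_compliant(req.device):
        return False, "device fails compliance checks"
    ceiling = ROLE_CEILING.get(req.role)
    if ceiling is None or LEVELS.index(req.classification) > LEVELS.index(ceiling):
        return False, f"role '{req.role}' not cleared for {req.classification}"
    if LEVELS.index(req.classification) >= LEVELS.index("confidential") \
            and req.channel not in ENCRYPTED_CHANNELS:
        return False, f"{req.classification} data must use an encrypted channel"
    return True, "allowed"
```

Denials name the first failed check, which is what a policy audit or a help-desk ticket needs to see.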
Technology Handling Rules
- Maintenance and Updates: Require regular (ideally automated) system updates and the use of approved maintenance tools. Security teams can securely automate device maintenance and updates by implementing centralized management software that schedules and deploys updates automatically across all devices. Additionally, they can employ tools that ensure updates are obtained from verified sources and include features for continuous monitoring and validation of device integrity post-update.
- Prohibited Actions: List actions that are forbidden, such as unauthorized software installations or unauthorized changes to hardware (overclocking, swapping physical components, or altering configurations). Other prohibited actions to consider might be the use of unapproved external drives, disabling or attempting to circumvent security measures like antivirus software, firewalls, or encryption, or using personal email accounts or unapproved file-sharing services for work-related communication or file transfers. As part of any cybersecurity policy, colleagues need to be aware of company policy on connecting to unsecured or unauthorized wireless networks or VPNs, engaging with potentially harmful content that could introduce malware or lead to phishing attacks, and the perils of sharing company devices with non-employees or other unauthorized individuals.
Social Media and Internet Access
- Social Media Usage Standards: Standard policies for social media use on company devices and during work hours typically include restrictions on accessing personal social media accounts to maintain productivity and prevent network security risks, though this is not appropriate for all organizations. Some cybersecurity policies mandate that any use of social media must be work-related, adhere to professional standards, and comply with confidentiality agreements. Additionally, employees are usually required to avoid sharing sensitive company information or engaging in activities that could harm the organization's reputation; even prohibiting the sharing of imagery taken on company property or of other staff members is not uncommon.
- Internet Access: Naturally, internet use should not hinder productivity, involve illegal activities, violate company values, or expose the organization to cybersecurity threats such as malware or phishing attempts. Standard policies for acceptable internet usage typically mandate that employees use the internet for work-related purposes only, prohibiting access to non-business sites, especially those that are known security risks, like unregulated download sites, or those with adult, gaming, or streaming content. Again, however, one size does not fit all, and some companies or departments may find this restrictive on their day-to-day professional activities; I know I would.
Incident Response Planning
- Immediate Actions: Detail the initial steps to be taken in the event of a security incident, which, in simple terms, might look something like the following:
  - Identify the Incident: Quickly determine the nature and scope of the incident.
  - Containment: Immediately isolate affected systems to prevent further spread.
  - Eradicate the Threat: Remove malware or close security loopholes used in the attack.
  - Notify Relevant Authorities: Inform management, legal, and, if necessary, law enforcement.
  - Communicate with Stakeholders: Brief employees, customers, and partners as appropriate.
  - Preserve Evidence: Secure logs, system images, and other relevant data for investigation.
  - Begin Recovery: Restore systems and data from backups.
  - Document the Incident: Record all actions taken and findings for post-incident review.
  - Review and Update Security Policies: Adjust policies and procedures based on lessons learned.
- Reporting Structure: Define the reporting line for different types of incidents.
- Recovery Plan: Include a comprehensive recovery plan to restore services and data after an incident, ensuring swift business continuity.
- Data Backup: Implement and enforce a strict data backup protocol. How, where, when, and at what frequency will backups occur?
- Backup Testing: Regularly test backups to ensure data is secure, current, and can be recovered in the event of a crisis.
- Offsite Storage: Something to consider is the 3-2-1 backup rule: keep at least three copies of your data on two different media, with one backup located off-site (be it physically air-gapped or securely in the cloud).
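The Data Backup, Backup Testing and Offsite Storage items above lend themselves to an automated check. This added example (not code from the original post) evaluates a backup inventory against the 3-2-1 rule and then performs a basic backup test by comparing a SHA-256 digest of each copy with the source, which catches a stale or corrupt copy before a crisis does. The inventory format and sample data are constructed for illustration.

```python
# Added example: 3-2-1 rule check plus a digest-based restore test.
# The inventory structure and the sample copies below are constructed.
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:
    label: str
    media: str      # e.g. "disk", "tape", "cloud"
    offsite: bool   # stored away from the primary site
    data: bytes     # contents of the copy (stand-in for a file or archive)

def check_321(copies: list[BackupCopy]) -> list[str]:
    """Return the list of 3-2-1 rule violations; empty means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(media)})")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_restore(original: bytes, copies: list[BackupCopy]) -> dict[str, bool]:
    """Simulate a restore from each copy and compare digests with the source.
    A copy whose digest differs is stale or corrupt and cannot be relied on."""
    expected = sha256(original)
    return {c.label: sha256(c.data) == expected for c in copies}

# Constructed sample inventory: the primary data counts as one of the three
# copies; the cloud copy was taken from an older version, so the restore
# test should flag it even though the 3-2-1 count looks fine.
PRIMARY = b"customer-ledger-2024-q1"
COPIES = [
    BackupCopy("primary", "disk", False, PRIMARY),
    BackupCopy("nas-nightly", "disk", False, PRIMARY),
    BackupCopy("cloud-weekly", "cloud", True, b"customer-ledger-2023-q4"),
]
```

Running both checks together is the point: the sample set passes 3-2-1 yet its only off-site copy fails the restore test, so the rule alone would give false assurance.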
Cybersecurity Policy Review and Update Cycle
- Regular Reviews: Schedule annual policy reviews to incorporate new threats, technologies, and business practices.
- Amendment Procedures: Establish a procedure for proposing and implementing policy amendments.
- Remote Work Security: Include specific guidelines for securing remote work environments, such as using secure connections, ensuring device and software patches are up-to-date, enforcing strong multi-factor authentication for accessing company resources, using WPA3 encryption and avoiding public Wi-Fi for work tasks, endpoint protection, data encryption, implementing least privilege access for remote workers, and advice on securing devices from theft or unauthorized access.
- Insurance: Consider cyber insurance to mitigate the financial impact of a breach, which provides coverage for expenses and losses related to cyberattacks, including legal fees, recovery costs, and compensations for affected parties, thus safeguarding an organization’s financial stability.
- Legal Requirements: Ensure the policy is in line with industry regulations and legal obligations.
A well-crafted cybersecurity policy is a living document that not only protects an organization but also supports its operational and strategic objectives. It must be comprehensive, practical, and enforceable, with clear roles and responsibilities.
Cybersecurity is not a one-time project but an ongoing process, and a policy document is the beginning (and foundation) of a secure organization.