Cybersecurity Policy Components

Cybersecurity policies are critical to establishing and maintaining the security of networks and data, communicating expectations to employees, and determining the consequences of violations. Here are the key elements of a good cybersecurity policy:

  • Definitions, which explain terms in the context of the organization's mission and culture.
  • Access to computers and data, which explains the processes for requesting and approving access privileges, and the expectations regarding use of company IT assets. Password requirements are also established here.
  • Use of external (e.g., mobile) devices, to include any restrictions on use of outside devices on internal company IT assets.
  • Security procedures, explaining the reporting requirements when a security incident or suspected malicious activity is discovered.
  • Internet use, to include acceptable use policy and what, if any, filtering might be used. This policy also explains personal use of the internet on work-related computers.
  • Data storage and recovery, defining storage requirements (length of time, type of data to be stored), and the expectations regarding recovering from unexpected outages or losses.
  • Remote access, which explains the conditions under which remote access to company IT assets is granted and the responsibilities that come with that privilege.
  • Auditing, which describes frequency and type of review for cybersecurity and IT assets.
  • Training, which explains the requirements for learning and maintaining the skills and policy knowledge needed for cybersecurity.