Cyber & Security Policy Development
All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputation and discouraging inappropriate behavior by employees.
Many of these types of policies already exist for “real world” situations, but may need to be tailored to your organization and updated to reflect the increasing impact of cyberspace on everyday transactions, both professional and personal.
One of the most effective and least expensive means of preventing serious cyber security incidents is to establish a
policy that clearly defines the separation of roles and responsibilities with regard to systems and the information
they contain. Well-defined policies and procedures are required to govern the assignment of roles and their associated
constraints, so that no single person holds more access than their duties require. Such policies should clearly identify
company data ownership and the employee roles responsible for security oversight, together with the privileges inherent
in those roles. At a minimum, they should state:
- Necessary roles, and the privileges and constraints accorded to those roles;
- The types of employees who should be allowed to assume the various roles;
- How long an employee may hold a role before access rights must be reviewed;
- If employees may hold multiple roles, the circumstances defining when to adopt one role over another.
The limits on employee Internet usage in the workplace vary widely from business to business. Your guidelines
should allow employees the maximum degree of freedom they require to be productive (short breaks to surf the web
or perform personal tasks online have been shown to increase productivity). At the same time, rules of behavior are
necessary to ensure that all employees are aware of boundaries, both to keep them safe and to keep your company
- Personal breaks to surf the web should be limited to a reasonable amount of time and to certain types of activities;
- If you use a web filtering system, employees should have clear knowledge of how and why their web activities will be monitored, and what types of sites are deemed unacceptable by your policy;
- Workplace rules of behavior should be clear, concise and easy to follow. Employees should feel comfortable performing both personal and professional tasks online without having to make judgment calls as to what may or may not be deemed appropriate. Businesses may want to display a warning banner at network sign-on that advises employees of the business's Internet usage policy, so that all employees are on notice;
Social networking applications present a number of risks that are difficult to address using technical or procedural
solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its
activities and communicate with its customers.
At a minimum, a social media policy should clearly include the following:
- Specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum;
- Additional rules of behavior for employees using personal social networking accounts to make clear what kinds of discussion topics or posts could cause risk for the company;
- Guidance on the acceptability of using a company email address to register for, or get notices from, social media sites;
- Guidance on selecting long and strong passwords for social networking accounts, and on enabling multi-factor authentication where the site offers it, since few social media sites enforce strong authentication policies for users on their own.
All organizations should take the time to identify potential risks to their reputation and develop a strategy to mitigate
those risks via policies or other measures as available.
Specific types of reputation risks include:
- Being impersonated online by a criminal organization (e.g., an illegitimate website spoofing your business name and copying your site design, then attempting to defraud potential customers via phishing scams or other methods);
- Having sensitive company or customer information leaked to the public via the web;
- Having sensitive or inappropriate employee actions made public via the web or social media sites;