Cyber threats evolve quickly, which means policies and procedures must keep pace.
Cybersecurity policies document specific requirements or rules that must be met within the organization.
Cybersecurity procedures provide guidance on the implementation of these rules within the operating environment.
Organizations must perform periodic cybersecurity due diligence through a comprehensive process that covers prevention, detection and reaction to threats. A critical component of this process is the development, refinement and enforcement of a cybersecurity policy. This task should be revisited at minimum yearly, and ideally each quarter.
A company's cybersecurity policy defines the governance framework, which:
- Clearly defines who has what roles and responsibilities
- Ensures systems are used in the manner for which they were intended
- Helps users to understand their roles and responsibilities
- Mitigates legal liability
IT security policies should, at minimum, cover the following:
- Incident Response / Security Maintenance Policy
- Storage Media Policy
- Personnel / Physical Security Policy
- Risk Assessment Policy
- System & Communications Security Policy
- Business Continuity and Disaster Recovery Policy
- Acceptable Use / Account Control Policy
- Remote / Wireless / Mobile Access Policy
- Mobile & Wireless Access Policy
- External Information Systems Policy
- Security Awareness & Audit / Training Policy
- Configuration Management Policy
- Authentication Policy