What is a Cyber Security Policy?
All about a Cyber Security Policy:
If you own a business, it is important to have a cyber security policy. It serves not only as a guide and reference to be used internally with your employees, but also as a reference point for dealing with any external data from customers.
Your Cyber Security policy should be thought of as a moving, changing entity that will need to be updated regularly to keep up with technological advancements, and any changes within your business.
What does your Cyber Security policy need to cover?
Firstly, no two cyber security policies will be the same. Your Cyber Security policy will be unique to your business, depending on your particular type of business, and what kind of data you deal with.
The first thing you need to do is to identify the particular risks for your business. If you are an accountant, for example, your focus is on how you deal with customers’ personal information, bank details, IRD number, etc.
Once you have worked to clarify your specific risks, you can then prepare for what to do if something goes wrong. Your IT Alliance member has knowledge of a wide variety of industries, and will be able to assist you to clarify what you need to be mindful of.
Having a clear plan in place means that everyone in your organisation knows what to do, who is responsible for what, and what processes you have in place to mitigate the risks.
You will also need to create two cyber security policies: an internal one for employees, and a public one for customers.
What needs to be included in the Policy?
The information below has been taken from the CERT NZ website.
CERT NZ suggests that you break your internal policy down into different areas.
This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:
It’s important to identify what systems you have, and which ones are critical to your work. Consider:
Security and protection
Security and protection covers how your staff and customers access your systems and data. It means thinking about:
People and users
You need to think about what you consider to be acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations so they know:
Physical devices and systems
When you think about protecting your business’s devices and systems, make sure you cover both:
Problems and incidents
You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.
The team at Decision1 are used to helping clients with their Cyber Security policies. Reach out to us here and we will be able to assist you.