A cyber security policy will help:
- your team understand how cyber security fits into your day-to-day work
- your customers know how you’ll look after the data they share with you.
It should list all the things your business will do with regards to cyber security. You’ll need to create an internal version for your staff, and an external version for your customers.
- An internal policy is more detailed than the external, and shouldn’t be available publicly. It explains what your internal processes are — such as who does what in the team, and what they’re responsible for — and may include sensitive information that you don’t want to make public.
- The external policy is for your customers and should be available publicly — on your website for example. It can be more of a 'light touch' policy compared to the internal version. It’ll cover things like how you’ll treat your users’ data, and what you’ll do if something goes wrong.
Having a cyber security policy available on your website can also be helpful if someone finds a bug or vulnerability in the site. If they want to report it to you, it’ll let them know how to contact you and what you’ll do with their report.
Why you need a cyber security policy
Your cyber security needs will be specific to your business, and based on the kind of services you provide. For example, if your customers provide you with personal information — like their bank account details — you need to think about what you’ll do to protect that data, and document it in your cyber security policy. Having a policy in place will mean that:
- you’re prepared for questions about cyber security (from both your customers and your staff)
- you and your staff will know who’s responsible for what
- you’ll be ready in the event of a security incident
- you’ll be in a stronger position with regards to cyber security overall. It means that you’ll already have identified the risks for your business, and defined mitigations for them.
What goes into your internal policy
You need to break your internal policy down into different areas.
This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:
- how much to collect
- where you’ll store it (locally or in the cloud)
- how to protect it, for example keeping data at-rest (when stored) and in-transit (when communicating) encrypted
- how often you’ll back it up, and who’s responsible for doing backups.
It’s important to identify what systems you have, and which ones are critical to your work. Consider:
- setting some rules around updating, or patching, your systems — how to make sure they’re done regularly and who’s responsible for making sure it happens
- what systems your staff can use, including any cloud applications or software running inside your business’s network
- how much access your staff need to your systems. You should make sure your staff only have the minimum level of access in each system they need to do their job. This is what’s called the 'principle of least privilege'.
Security and protection
Security and protection covers how your staff and customers access your systems and data. It means thinking about:
- how they can access your systems. For example, your staff may want to work remotely. They should do this by using secure tools, like VPN with 2FA.
- how they authenticate themselves on your system. This includes your password policy and use of two-factor authentication
- what devices your staff can use at work. This covers whether staff can use personal devices for work, or if you’ll provide devices to them.
People and users
You need to think about what you consider to be acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations so they know:
- what their responsibilities are
- what kind of things they should report to you
- how you expect them to take ownership of their accounts and their devices.
Physical devices and systems
When you think about protecting your business’s devices and systems, make sure you cover both:
- protection against loss — if something is stolen, and
- protection against the environment — for example, if your business is flooded during a storm and your devices are water damaged.
You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. As an example, you could have all staff protect their devices by:
- having strong passwords on them
- using device encryption
- setting rules for them about use outside the office.
Problems and incidents
You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.
What goes into your external policy
The external version of your policy should only give your customers an overview of each of these things. Make sure you don't reveal any business sensitive information in it, like details of the technology you use.
For your customers, it means that your cyber security policy will:
- explain how you’ll protect their data. This could mean making sure you encrypt their data, back up their data, and define how long you’ll hold it for
- include making a security policy that’s available for them to view — on your website, for example. CERT NZ’s privacy and information statement includes details of our security policy. It’s a useful example of how you can show this kind of information on your website
- show how you’ll make sure you receive and manage any customer information securely. For example, by collecting information over your customer web application over HTTPS, and keeping it encrypted when you store it in the database.
- describe how you’ll notify your customers of any problems that could affect them
- have a way for people to notify you of security problems. This could be used by customers when they notice bugs in your systems.
Implementing your cyber security policy
Often, a business will hire a consultant, create a cyber security policy, and then never look at it again. But, the policy represents you as a business owner. You need to embed your security policies into:
- your day-to-day work
- the culture of your company
- how you manage your staff, and
- how you treat your customers.
That means you’ll need to instil the principles behind the policy in your staff too. Let them know they can ask questions about it, so they understand:
- the risks you face as a business, and
- the reasoning behind the policy decisions you’ve made.
If you need some help putting a cyber security policy together for your business, talk to your IT service provider. They can work through what to cover in the policy with you.