Every business or organization has a set of company policies (whether they are documented or not) that govern their actions. They typically cover areas such as employee conduct, attendance and time off, workplace health and safety, etc. Similarly, security policies govern cybersecurity related aspects and behavior.
Security policies are a subset of policies designed to guide business activities related to securely handling, processing, and transmitting data. They provide guidance by answering fundamental questions like 'Why is encrypting data important?' and 'What are the minimum data security controls I need?'. As per NIST SP 800-53 Rev.5: A set of rules that governs all aspects of security-relevant system and system component behavior.
How Security Policies work
According to NIST, "Security policies define the objectives and constraints for [an organization's] security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent."
What Security Policies should your business have?
Different businesses have different needs depending on the nature of their business and the type of data they collect. But almost everyone should have theses foundational policies:
- Data Security Policy
Outlines behaviors expected of employees when dealing with data and provides a classification of the types of data.
- Network Security Policy
Provide requirements to ensure access to company resources are restricted to only authorized users with business needs.
- Incident Response Policy
Details the preparations the business has taken to prepare for security incidents as well as the approved responses, and provides guidance on creating a plan of action.
- Acceptable Use Policy
Establishes the organization’s requirements and security controls for the acceptable use of information assets, systems, and equipment by its staff.
- Backup and Retention Policy
This policy sets forth requirements for identifying, backing up, and retaining company data for as long as needed.
Writing these policies from scratch could seem daunting. That's why Zeguro Cyber Safety provides templates for these policies and more to get you started.