What is a Cyber Security Policy?

A cyber security policy is a document that defines a company’s principles, approach and action to take effective measures and management for possible cyber attacks made by cyber criminals. It aims to spread awareness in the organization to protect both employees and employers in their daily online business transactions.

How do you write a Cyber Security Policy?

A cyber security policy starts with a thorough discussion of carefully studied up-to-date data regarding the present cyber world – its upgrades, risks, and protection – along with the experts in technology in the organization to establish facts, policies, and guidelines that will serve as the foundation of their policy. From then, your organization should produce its documented implementing rules on cyber security policy. This policy template covered most of the guidelines needed for a cyber security policy, download it and customized it by adding clauses and other rules according to your company.

What are the Major Components of a Cyber Security Policy?

A cyber security policy should include these three major components: confidentiality, availability, and integrity. Confidentiality refers to the strict implementation of authorized access given only to authorized personnel to avoid disclosure of important information to unauthorized business transactions. Availability refers to the reliable access and use of information by authorized personnel under any circumstances. Integrity refers to the protection of data from unauthorized access or any changes to ensure data accuracy and privacy.

Cyber Security Policy Template

Policy Title: Cyber Security Policy

Executive-in-Charge: [Partner.FirstName][Partner.LastName]

Cyber Security Manager: Information Technology Office, Chief Officer [Officer.FirstName][Officer.LastName]

Office-in-Charge: Information Technology Office

Policy Endorsed by: The Committee on Cyber Security

Policy Approval Date: (date)

Policy Effective Date: (date)

Policy Next Review Date: (date)

To be implemented by: ALL DEPARTMENTS AND DIVISION; ALL ORGANIZATION AND AFFILIATES UNDER [Officer.Company]

I. POLICY BACKGROUND

The [Officer.Company] ("Company") is committed to safeguarding the confidentiality of all access and application assets available and to complying with the current laws, regulations, guidelines, and best practices to protect its (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) from the dangers of the cyber world due to its technological advances that include cybercriminals who engage in various types of cybercrime such as phishing, data leakage, inside job or threat, unethical hacking, and ransomware.

II. PURPOSE

This policy was written and approved by the Committee on Cyber Security to provide a security framework to all bonafide (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) of [Officer.Company] that will ensure protection from unauthorized access, loss or damage while supporting the information exchange that usually happens while accessing the internet that may be vulnerable to all of the above-mentioned dangers of the cyber world.

Failure to act in accordance with this policy may subject its (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) to disciplinary actions, potential penalties, or, worse, termination of the contract.

III. DEFINITION OF TERMS

1. Cyber Security

Also known as Information Technology Security refers to the practice of protecting the computer, hardware, software, servers, mobile devices, electronic systems, and data from malicious attacks that will compromise the efficiency of the Company to safeguard the confidentiality and integrity of all the access and applications.

2. Information Technology

Refers to the use of computers and the internet to access and exchange all kinds of information.

3. Unauthorized Access

Refers to the person who tries to gain access to a certain application or information without proper consent or permission from an authorized user or Company.

4. Cybercrime

Refers to an unethical activity that involves computers and a network that is commissioned to commit an online crime with the sole purpose of harming someone or a company’s security, especially its financial health.

5. Cybercriminals

Refers to an individual or group of people that engage in cybercrime.

6. Phishing

Refers to a fraudulent activity that masks itself as an official and reputable entity in all forms of communication. These cybercriminals, for example, will send an email in a seemingly official update from the bank through its distributed attachments and links that will help them gain access, should it be successfully filled out, by the victim’s account.

7. Ransomware

Refers to a type of malware (“malicious software”) that blocks and locks the user from accessing its application or files, usually happens in the Company or an organization setting, that unblocks and unlocks the user once the cybercriminals received the payment.

IV. CYBER SECURITY TRAINING AND AWARENESS

The (Company Name) will provide Cyber Security training with a certified Cyber Security Professional for its bonafide (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) to help them discern all their activities that involve networks, computers, and the use of the internet for their safety as well as the Company’s.

The Cyber Security Training and Awareness may involve the following topics:

How to Recognize Phishing Attacks
Unique Passwords and Authentications
The Proper Use of Removable Media
Devices Security: Mobile, Laptops, and Computers
Working Remotely and Security at Home
The Dangers of Public Wi-Fi
Physical Security Within and Outside the Premises of the Company
Social Media

V. PERSONNEL RESPONSIBILITIES

All subjects – bonafide (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) – must be cyber security aware and informed by attending all training and certification as well as compliant with the process and procedures of the Company. All subjects are required to do the following:

All devices provided by the Company – (list what those devices are, e.g., mobile, laptop, and computer devices) – are strictly for business use only to avoid any possible access opening from the outside network. It is provided for the sole purpose of the performance of your role to the Company and its Clients.
Properly sign out of the systems and devices after office hours.
Login credentials, especially the passwords to different systems and databases, should be stored in the secured password manager system as prescribed by the Company.
Lock computer or laptop devices when the personnel is not in their respective workplace or work area.
Avoid sharing any company data or information, especially with the person/s that is not in the company circle or in the business to know.
Always be vigilant in your surrounding area outside the premises of the company in order to protect yourself, your essential belongings, your mobile, and your laptop devices. The company information may be important, but the subject itself is more valuable than any assets available.
It is strictly implemented that all subjects must adhere never try to connect to any public Wi-Fi – anytime and anywhere; in malls, fast food chains, coffee shops, and any other places with a high risk of a security breach.
Always be in your cyber security mindset.

VI. SECURITY OFFICER AND POLICY REVIEW

The [Officer.Company] has its own appointed Cyber Security Manager, the Chief Officer of the Information Technology Department, [Officer.FirstName][Officer.LastName], who will also lead the Committee moving forward.

The Cyber Security Manager is in charge of the implementation and execution of the overall process concerning cyber security. The Manager also has the sole authority to make and discern all cybersecurity-related decisions. All subjects are required to follow the directions given by the Cyber Security Manager along with the Committee.

Cyber Security Manager Short Bio:

[Officer.FirstName][Officer.LastName]

Role/s taken in the Company:

(insert timeline of employment and role/s of the manager had in the company)

Previous Employers and Role/s taken during employment:

(list down all previous employers along with the timeline and his/her role/s taken)

Certification and Licenses:

Training, Seminars, and Conferences Attended:

Awards and Achievements:

Publications:

The Cyber Security Committee:

These Officers will serve as the Cyber Security Manager’s body that will be of great help in the implementation and execution of this Policy to all its organization.

(list all the names of the appointed members of the committee at least one (1) representative from each department along with their credentials)

Policy Review

The Policy Review will be done every (number of years) from the Policy Effective Date and should be carefully deliberated with the Committee and higher management for the (Company Name) to keep up with the latest updates, changes, and innovations within the Cyber World.

The (Company Name) is full of great expectations that all the concerned subjects – (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) – adhere, carefully read, understand, and agree to the Policy.

We are asking for your usual cooperation.

Signed:

Signature

MM / DD / YYYY

Executive-in-Charge: [Partner.FirstName][Partner.LastName]

Signature

MM / DD / YYYY

Cyber Security Manager: [Officer.FirstName][Officer.LastName]

Cyber Security Policy Template

I. POLICY BACKGROUND

II. PURPOSE

III. DEFINITION OF TERMS

1. Cyber Security

2. Information Technology

3. Unauthorized Access

4. Cybercrime

5. Cybercriminals

6. Phishing

7. Ransomware

IV. CYBER SECURITY TRAINING AND AWARENESS

V. PERSONNEL RESPONSIBILITIES

VI. SECURITY OFFICER AND POLICY REVIEW

The Cyber Security Committee:

Policy Review

Cyber Security Policy Template

Useful resources