What is a Cybersecurity Policy?

The three major components of any security policy are the assets, the potential threats and the vulnerabilities. The assets are a list of the equipment, technology and information in an organization, including the data and intellectual property that need protection. The threats are known actions that can be taken to harm an organization's assets. Vulnerabilities are areas in which a threat is not mitigated, so there is a real risk of the threat being realized (Bosworth, Kabay, & Whyne, 2014).

The security policy should have enough detail to be useful, but it should be written in a way that can be followed by all members of an organization regardless of technical ability. The best approach is to involve everyone in protecting assets.

An important consideration is that organizations do not change, but people do, and therefore people change organizations (Verton, 2000). Drafts of security policies should be vetted by the members most likely to be affected by the change. This will get buy-in and ownership from the members. The changes should be explained in a policy statement signed by the highest-ranking person in the organization, which helps give credibility to the new policy. The policies and training material should be in an easy-to-read format with enough technical detail to be understood by everyone responsible for implementing the security protections. Finally, mass distribution and awareness training should be carried out to ensure all members at all levels receive the new policies well in advance of being held accountable for following them (Bosworth, Kabay, & Whyne, 2014).

References:

Bosworth, S., Kabay, M., & Whyne, E. (2014). Computer Security Handbook (6th ed., Vol. 2, pp. 3.20-3.21, 44.14-44.15). Hoboken: John Wiley & Sons.

Verton, D. (2000). Companies aim to build security awareness. Computerworld, 34 (48), 24.
