Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks. They set expectations and foster a consistent adoption of behaviors by your workforce. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Sub-Practices for Small Organizations
10.S.A | Policies | NIST FRAMEWORK REF: ID.GV-1, ID.AM-6, PR.AT, PR.AT-1, RS.CO-1 |
Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
For example, a policy is established that all users will complete privacy and security training. The policy specifies that training courses will be developed and maintained for both privacy and security, that all users will complete the training, that a particular method will be used to conduct the training, and that specific actions will be taken to address noncompliance with the policy. The policy does not describe how your workforce will complete the training, nor does it identify who will develop the courses. Your procedures provide these details, for example, by clearly stating that privacy and security professionals will develop and release the courses. Additionally, the procedures describe the process to access the training.
Examples of policy templates are provided in Appendix G of the Main document. Policy examples with descriptions and recommended users are provided in Table 8.
Table 8. Effective Policies to Mitigate the Risk of Cyberattacks
Policy Name | Description | User Base |
Roles and Responsibilities | Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and for setting and establishing policy. | |
Education and Awareness | Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations. | |
Acceptable Use / E-mail Use | Describe what actions users are permitted and not permitted to execute, including detailed descriptions of how e-mail will be used to complete work. | |
Data Classification | Describe how data will be classified, with usage parameters for each classification. This classification should be in line with Cybersecurity Practice #4. | |
Personal Devices | Describe the organization's position on usage of personal devices, also referred to as bring your own device (BYOD). If usage of personal devices is permitted, describe the expectations for how the devices will be managed. | |
Laptop, Portable Device, and Remote Use | Describe the policies that relate to mobile device security and how these devices may be used in a remote setting. | |
Incident Reporting and Checklist | Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response. | |
Threats Mitigated
- Email phishing attack
- Ransomware attack
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety