Cybersecurity Practice #10: Cybersecurity Policies (medium/large)

Modified on Wed, 14 Jun, 2023 at 2:34 PM

Cybersecurity policies must be established so that the workforce understands how they are expected to behave with regard to cybersecurity. These policies should be written for the various user audiences that exist in the organization. There are differences between the general workforce user, the IT user, and high-profile or high-risk users (e.g., finance, HR, or health information management).


To set proper expectations, organizational policies should support new cybersecurity hygiene controls. Without such policies, it may be unclear to the workforce what level of adherence is required and what activities put the organization at risk for the threat types discussed in this document.


Several policy templates have been provided in Appendix G of the Main Document.


Cybersecurity Practice 10: Cybersecurity Policies

Data that may be affected: N/A

Medium Sub-Practices: 10.M.A Policies

Large Sub-Practices: N/A

Key Mitigated Risks

  • E-mail Phishing Attacks
  • Ransomware Attacks
  • Loss or Theft of Equipment or Data with Sensitive Information
  • Insider, Accidental or Intentional Data Loss
  • Attacks Against Connected Medical Devices and Patient Safety


Sub-Practices for Medium-Sized Organizations

10.M.A Policies

NIST FRAMEWORK REF: ID.GV-1

There is only one general safeguard for this section: a list of policies that organizations can consider, presented in Table 14.

 

Table 14. Example Cybersecurity Policies for Consideration

Policy Name: Roles and Responsibilities
Description: Define all cybersecurity roles and responsibilities throughout the organization. This includes who will establish policy and who will implement and conduct security practices.
User Base: All users

Policy Name: Education and Awareness
Description: Define the mechanisms that will be used to train the workforce on cybersecurity practices, threats, and mitigations. Ensure that education includes common cyberattacks (such as phishing), lost/stolen devices, and methods for reporting suspicious behavior on their computers.
User Base: All users; Cybersecurity department

Policy Name: Acceptable Use / E-mail Use
Description: Describe actions that users are permitted and not permitted to take. Explicitly define how e-mail is to be used.
User Base: All users

Policy Name: Data Classification
Description: Define how data are to be classified, with usage parameters around those classifications.
User Base: All users

Policy Name: Personal Devices
Description: Define the organization's position on the use of personal devices (i.e., BYOD). If these are permitted, establish expectations for how the devices will be managed.
User Base: All users

Policy Name: Laptop, Portable Devices, and Remote Use
Description: Define policies for the security of mobile devices and how they are to be used in a remote setting.
User Base: All users; IT department

Policy Name: Incident Reporting and Checklist
Description: Define user requirements to report suspicious activities within the organization. Define the responsibilities of the cybersecurity department for managing incidents.
User Base: All users; Cybersecurity department

Policy Name: Disaster Recovery Plan
Description: Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
User Base: IT department

Policy Name: IT Controls Policies
Description: Describe the requirements for IT security controls in a series of policies or a single long policy. Examples include access control, identity management, configuration management, vulnerability management, and data center management.
User Base: IT department

Policy Name: IT Acquisition Policy
Description: Define the actions that must be taken to ensure proper identification and protection of all IT assets purchased by the organization.
User Base: Supply chain / procurement users; IT department

Threats Mitigated

  1. E-mail phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider, accidental or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety


Suggested Metrics

  • Number of policies reviewed over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
  • Number of workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.
