Cybersecurity policies must be established so that the workforce understands how they are expected to behave with regard to cybersecurity. These policies should be written for the various user audiences that exist in the organization. There are differences between the general workforce user, the IT user, and high-profile or high-risk users (e.g., finance, HR, or health information management).
To set proper expectations, organizational policies should support new cybersecurity hygiene controls. Without such policies, it may be unclear to the workforce what level of adherence is required and what activities put the organization at risk for the threat types discussed in this document.
Several policy templates have been provided in Appendix G of the Main Document.
Sub-Practices for Medium-Sized Organizations
10.M.A | Policies | NIST FRAMEWORK REF: ID.GV-1
There is only one general safeguard for this section: a list of policies that organizations can consider, presented in Table 14.
Table 14. Example Cybersecurity Policies for Consideration
Policy Name | Description | User Base
Roles and Responsibilities | Define all cybersecurity roles and responsibilities throughout the organization. This includes who will establish policy and who will implement and conduct security practices. | All users
Education and Awareness | Define the mechanisms that will be used to train the workforce on cybersecurity practices, threats, and mitigations. Ensure that education includes common cyberattacks (such as phishing), lost/stolen devices, and methods for reporting suspicious behavior on their computers. | All users; Cybersecurity department
Acceptable Use / E-mail Use | Describe actions that users are permitted and not permitted to take. Explicitly define how e-mail is to be used. | All users
Data Classification | Define how data are to be classified, with usage parameters around those classifications. | All users
Personal Devices | Define the organization’s position on the use of personal devices (i.e., BYOD). If these are permitted, establish expectations for how the devices will be managed. | All users
Laptop, Portable Devices, and Remote Use | Define policies for the security of mobile devices and how they are to be used in a remote setting. | All users; IT department
Incident Reporting and Checklist | Define user requirements to report suspicious activities within the organization. Define the responsibilities of the cybersecurity department for managing incidents. | All users; Cybersecurity department
Disaster Recovery Plan | Define the standard practices for recovering IT assets in the case of a disaster, including backup plans. | IT department
IT Controls Policies | Describe the requirements for IT security controls in a series of policies or a single long policy. Examples include access control, identity management, configuration management, vulnerability management, and data center management. | IT department
IT Acquisition Policy | Define the actions that must be taken to ensure proper identification and protection of all IT assets purchased by the organization. | Supply chain / procurement users; IT department
Threats Mitigated
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
Suggested Metrics
- Number of policies reviewed over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
- Number of workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.