What is a security policy?
In business, policies exist to help guide the actions taken by all employees of a company - they are a tool that management uses to guide the actions of the business. Policies are usually high-level documents that answer questions like 'Why?' and 'What?', rather than 'How?' (which is usually reserved for other documents like procedures, job aids, etc.).
Security policies are a subset of policies designed to guide business activities related to securely handling, processing, and transmitting data. They provide guidance by answering fundamental questions like 'Why is encrypting data important?' and 'What are the minimum data security controls I need?'.
What security policy templates does Cyber Safety offer?
Cyber Safety has a set of common security policy templates to help you get started.
Acceptable Use Policy (AUP)
The AUP provides mandatory guidance for all employees on the appropriate use of IT resources like laptops and collaboration tools. It includes prohibited actions and is designed to help employees use resources securely.
Backup & Retention Policy
Backup & Retention is concerned with identifying data that is critical for your company's operations, and ensuring it is backed up, retained, and disposed of as needed.
Data Security Policy
Data Security comprises the classification and handling of data. This includes proper, legitimate use of the data and controls such as encryption to keep it secure.
Incident Response Policy
What happens when something goes wrong? If your business has a data breach or other security incident, this policy provides guidance to prepare, respond, and recover.
Network Security Policy
Data moves over the network and the Network Security Policy details how it is to be protected, including proper identification of users, activity logging, and other security mechanisms.
If you collect data from customers (specifically Personally Identifiable Information), this policy provides a template for communicating how your business secures that data and protects the privacy of its customers.
Overarching Security Program
This document provides high-level details about your organization's information security program, including individuals with named responsibility like the CEO, as well as the process for continuous improvement of the program.
Risk Assessment & Management Policy
Risk Assessment & Management requires three activities: establishing a level of risk your business is willing to tolerate, identifying risks which could impact the business, and dealing with those risks.
SDLC and QA Policy
A System Development Lifecycle (SDLC) guides the process used by your business to build, buy, and integrate systems, while Quality Assurance ensures the systems are built to specifications. Both processes require security oversight and integration, which is described in this policy.
Third Party Security Policy
If third parties provide services to your business, it is essential to identify and manage the risks present when sharing data outside the company.
What if I need something else?
If none of these policy templates apply, you can add your own custom security policy. See the Customizing Security Policies article to learn more.