Present a significant cybersecurity policy law or institutional change a student would suggest, along with the reasons to make the change and potential basis for opposition
Cybersecurity is an important issue for both IT departments and C-level executives. Security, however, should be a concern for every employee in an organization, not only IT professionals and top managers. One effective way to educate employees on the importance of security is a written cybersecurity policy that explains each person's responsibilities for protecting IT systems and data. A cybersecurity policy sets the standards of behavior for activities such as the encryption of email attachments and restrictions on the use of social media.
Cybersecurity policies are important because cyberattacks and data breaches are potentially costly. At the same time, employees are often the weakest link in an organization's security: they share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and neglect to encrypt sensitive files.
Such policies are especially critical for public companies and for organizations in regulated industries such as healthcare, finance, or insurance. These organizations risk large penalties if their security procedures are deemed inadequate.
Even small firms not subject to federal requirements are expected to meet minimum standards of IT security and can face civil liability or regulatory enforcement action after a cyberattack that results in the loss of consumer data if the organization is deemed negligent. Some states, such as California and New York, have enacted information security requirements for organizations doing business in those states.
Cybersecurity policies are also critical to the public image and credibility of an organization. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.
A cybersecurity policy explains the rules for how employees, consultants, partners, board members, and other end users access online applications and internet resources, send data over networks, and otherwise practice responsible security. Typically, the first part of the policy describes the general security expectations, roles, and responsibilities in the organization, covering stakeholders such as outside consultants, IT staff, and financial staff. This is the "roles and responsibilities" or "information responsibility and accountability" section of the policy.
The policy may then include sections for specific areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The SANS Institute publishes templates for many types of cybersecurity policies, including a remote access policy, a wireless communication policy, a password protection policy, an email policy, and a digital signature policy.
Organizations in regulated industries can consult online resources that address specific legal requirements, such as the HIPAA Journal’s HIPAA Compliance Checklist or IT Governance’s article on drafting a GDPR-compliant policy.
For large organizations or those in regulated industries, a cybersecurity policy is often dozens of pages long. For small organizations, however, a security policy might be only a few pages and cover basic security practices. Such practices might include:
Regardless of its length, the policy should prioritize the areas of greatest importance to the organization. That might mean security for the most sensitive or regulated data, or controls that address the causes of prior data breaches. A risk assessment can highlight the areas to prioritize in the policy.
The policy should also be simple and easy to read. Put technical detail in referenced standards or procedure documents, especially if that detail requires frequent updating. For instance, the policy might require that employees encrypt all personally identifiable information (PII), but it does not need to spell out the specific encryption software to use or the steps for encrypting the data; those belong in a supporting procedure that can change without a policy revision.