The policy needs to be specific to your business, and based on the kind of services you provide. For example, if your customers provide you with personal information – like their bank account details – you need to think about what you’ll do to protect that data, and document it in your cyber security policy.
Why it matters
Having a policy in place will mean that:
- you’re prepared for questions about online security (from both your customers and your staff)
- you and your staff will know who’s responsible for what
- you’ll have identified the risks for your business, and defined mitigations for them
- you’ll be ready in the event of a security incident.
What goes into your internal policy
Break your internal policy down into different areas.
This should cover how you handle data safely and securely – both your business’s data and your customers’. Think about:
- what information you need to collect
- where you’ll store it (locally or in the cloud)
- how to protect it, for example by encrypting it both at rest (when stored) and in transit (when it is sent over a network)
- how often you’ll back it up, who’s responsible for doing backups, and how you’ll check that a backup can actually be restored.
Backups for your business
Keeping business data safe with encryption
Identify what systems you have, and which ones are critical to your work. Consider:
- setting some rules around updating, or patching, your systems – how updates get applied regularly, and who’s responsible for making sure that happens
- what systems your staff can use, including any cloud applications or software running inside your business’s network
- how much access your staff need to your systems. They should only have the minimum level of access they need to do their job – this is called the 'principle of least privilege'. Review that access when someone changes role or leaves, so it doesn’t quietly accumulate.
Patching advice for IT staff – CERT NZ
Principle of least privilege – CERT NZ
Security and protection
Security and protection covers how your staff and customers access your systems and data. It means thinking about:
- how they can access your systems. For example, your staff may want to work remotely. They should do this using secure tools, such as a VPN (virtual private network) protected by two-factor authentication (2FA)
- how they authenticate themselves on your system, including your password policy and use of 2FA
- what devices your staff can use at work – whether they can use personal devices for work, or if you’ll provide devices to them.
Create a password policy for your business
Protect your business with two-factor authentication (2FA)
People and users
Consider what is acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Be clear about:
- what their responsibilities are
- what kind of things they should report to you
- how you expect them to take ownership of their accounts and their devices.
Physical devices and systems
When you think about protecting your business’s devices and systems, make sure you cover both:
- protection against loss or theft, and
- protection against the environment – for example, if your business is flooded during a storm and your devices are water damaged.
Set guidelines for how staff use their devices, so that a lost or stolen device doesn’t turn into a data breach. For example, you can require all staff to:
- have strong passwords or passcodes on their devices
- use device encryption
- follow any rules about using devices outside the office
- report a lost or stolen device straight away, so its access can be revoked.
Problems and incidents
You’ll need to define what you and your team will do when things go wrong. Set up logging and monitoring so you can spot unusual activity, such as a burst of failed logins or a login from somewhere unexpected, and create an incident response plan that maps out what you’ll do during, and after, a security incident.
Set up logs and monitoring for your website
Online security risk assessments for business
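The kind of monitoring the passage above describes, as an added example that is not code from the original page or from CERT NZ: a small Go program that reads login log lines and raises an alert when one source address produces a burst of failed logins, and again if that same address then logs in successfully. The log line format, the field names, the threshold of 5 failures in 10 minutes and the sample lines are all constructed for the example; the parser would need adapting to whatever your systems actually emit.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample log lines (not from any real system), in the shape
// "<RFC3339 timestamp> user=<name> src=<ip> result=<success|failure>".
var sampleLog = []string{
	"2024-05-01T09:00:01Z user=alice src=203.0.113.7 result=success",
	"2024-05-01T09:01:10Z user=admin src=198.51.100.23 result=failure",
	"2024-05-01T09:01:12Z user=admin src=198.51.100.23 result=failure",
	"2024-05-01T09:01:15Z user=bob src=198.51.100.23 result=failure",
	"2024-05-01T09:01:19Z user=admin src=198.51.100.23 result=failure",
	"2024-05-01T09:01:22Z user=carol src=198.51.100.23 result=failure",
	"2024-05-01T09:01:30Z user=admin src=198.51.100.23 result=success",
	"2024-05-01T09:30:00Z user=bob src=203.0.113.9 result=failure",
	"2024-05-01T09:45:00Z user=bob src=203.0.113.9 result=success",
}

type event struct {
	ts     time.Time
	user   string
	src    string
	result string
}

// parseLine turns one log line into an event, rejecting anything malformed
// so a stray line cannot poison the counters.
func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return event{}, fmt.Errorf("unexpected field count in %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := event{ts: ts}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			ev.user = v
		case "src":
			ev.src = v
		case "result":
			ev.result = v
		default:
			return event{}, fmt.Errorf("unknown field %q in %q", k, line)
		}
	}
	if ev.user == "" || ev.src == "" || ev.result == "" {
		return event{}, fmt.Errorf("missing field in %q", line)
	}
	return ev, nil
}

// detect raises "brute-force" once per source address that reaches threshold
// failures inside a sliding window, and "success-after-burst" whenever a
// successful login follows such a burst from the same address.
func detect(lines []string, threshold int, window time.Duration) []string {
	var events []event
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			continue // skipped here; a real pipeline should count and surface these
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].ts.Before(events[j].ts) })

	failures := map[string][]time.Time{} // per-source failure timestamps inside the window
	alerted := map[string]bool{}         // sources already reported as brute-force
	var alerts []string
	for _, ev := range events {
		// Drop failures that fell out of the window ending at this event.
		recent := failures[ev.src][:0]
		for _, t := range failures[ev.src] {
			if ev.ts.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		failures[ev.src] = recent

		switch ev.result {
		case "failure":
			failures[ev.src] = append(failures[ev.src], ev.ts)
			if n := len(failures[ev.src]); n >= threshold && !alerted[ev.src] {
				alerted[ev.src] = true
				alerts = append(alerts, fmt.Sprintf("brute-force: %d failed logins from %s within %s (last at %s)",
					n, ev.src, window, ev.ts.Format(time.RFC3339)))
			}
		case "success":
			if n := len(failures[ev.src]); n >= threshold {
				alerts = append(alerts, fmt.Sprintf("success-after-burst: user %s logged in from %s after %d recent failures",
					ev.user, ev.src, n))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(sampleLog, 5, 10*time.Minute) {
		fmt.Println(a)
	}
}
```

On the sample data this reports the five failures from 198.51.100.23 and then the admin login that follows them; bob's single failure from 203.0.113.9 stays below the threshold. The second alert is the one worth paging on: a burst of failures followed by a success is a strong sign that a guessed or stuffed password worked.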
What goes into your external policy
The external version of your policy should only give your customers an overview of each of these areas. Don't reveal sensitive business information in it, such as the specific products, versions or configurations you use, which would help an attacker plan their approach.
The external policy should:
- explain how you’ll protect customer data – for example, that you encrypt it, back it up, and how long you’ll keep it for
- be published where customers can view it, for example on your website. CERT NZ’s privacy and information statement includes details of our security policy, and is a useful example of how you can present this kind of information
- show how you’ll receive and store customer information securely – for example, by collecting it over HTTPS and keeping it encrypted when you store it
- describe how you’ll notify your customers of any problems that could affect them
- give people a way to report security problems to you, such as a contact address customers can use when they notice a bug or vulnerability in your systems.
Own Your Online privacy and information statement
Implementing your cyber security policy
Don't just create a policy then never look at it again. Embed your security policies into:
- your day-to-day work
- the culture of your company
- how you manage your staff, and
- how you treat your customers.
That means you’ll need to instil the principles behind the policy in your staff too. Let them know they can ask questions about it, so they understand:
- the risks you face as a business, and
- the reasoning behind the policy decisions you’ve made.