What it is
An online security policy should list all the things your business will do with regard to online security. All businesses should have one, no matter how big or small. It will help:
- your team understand how online security fits into your day-to-day work
- your customers know how you’ll look after the data they share with you.
You’ll need to create an internal version for your staff, and an external version for your customers.
An internal policy is more detailed than the external, and shouldn’t be available publicly. It explains what your internal processes are – such as who does what in the team, and what they’re responsible for – and may include sensitive information that you don’t want to make public, like password requirements.
The external policy is for your customers and should be available publicly – like on your website. It can be more of a 'light touch' policy compared to the internal version. It’ll cover things like how you’ll treat your users’ data, and what you’ll do if something goes wrong.
Having an online security policy available on your website can also be helpful if someone finds a bug or vulnerability (a problem with a piece of software or hardware that could be used to gain access or control).
The policy needs to be specific to your business, and based on the kind of services you provide. For example, if your customers provide you with personal information – like their bank account details – you need to think about what you’ll do to protect that data, and document it in your online security policy.
Why it matters
Having a policy in place will mean that:
- you’re prepared for questions about online security (from both your customers and your staff)
- you and your staff will know who’s responsible for what
- you’ll have identified the risks for your business, and defined mitigations for them
- you’ll be ready in the event of a security incident.