Digital2Law Guest Post: Things to consider when drafting a cyber security company policy

Companies that rely more and more on technology to collect, store and manage information become, at the same time, more vulnerable to security breaches. These may have many causes, either external (hacker attacks, human errors) or internal (badly designed systems), and although not all are predictable, a proper security procedure can help avert many of the negative effects of cybersecurity breaches.

Policy drafting should start by checking whether any standard policies, guidelines or procedures apply to the company's field of activity.

Some industry associations have best practices regarding security policies and data protection that you should be aware of. Another preliminary step is identifying the assets that are core to your activity; this usually includes infrastructure and any software whose failure would cause major financial damage to your business and/or your clients. Drafting the policy means working backward from what needs to be protected at all costs. Although each company has its particularities, you don't need to start from scratch; for instance, the SANS Institute offers free policy templates to start with.

The policy should address rights and obligations for all types of employees and collaborators who may gain access to your assets during their regular course of activity. It is advisable to have a standard policy for everybody, with carve-outs for particular roles in the company. That said, most of your staff should only have very broad duties, largely informational in nature, aimed at limiting asset tampering or human error.

Access rights are an important concern for tech companies.

You should be very clear about who has the right to access certain data or systems, how that access is granted, and in which cases accessing certain data or systems is required. The policy should describe how access is monitored and the sanctions for breaching access rights. If you want to include manual oversight as well, it is best to follow the company's standard organisational chart and assign a responsible person for each department, since people would naturally report any misconduct or malfunction to their immediate superiors in any case.

The mixing of work and private spaces is commonplace today, so an important issue to address is the use of external software: social media, IM or other applications, whether mobile or desktop. Options range from explicitly banning all external software to allowing access to personal devices only from networks external to the workplace. Intrusion into an employee's personal correspondence should be limited as much as possible, since the employee could claim a violation under local or even regional regulations (such as EU laws or the European Convention on Human Rights).

Make it clear for everybody reading the policy what is mandatory

Distinguish what is mandatory from what serves only as a recommendation, and state the consequences of each action taken in accordance with or in spite of the policy.

A best practice is to also publish an FAQ alongside the policy and update it from time to time. Make sure the tone is appropriate and friendly, since a great policy is one that is as clear and written in as plain language as possible.

Finally, you should name one executive or senior IT personnel as the point-of-contact on any aspects unclear or misunderstood by others in relation to the policy.

The IT department has a critical role in how well received the policy will be. They should be involved both in the software acquisition and implementation process and in holding regular meetings with personnel to discuss planned policy updates and any incidents that have occurred inside the company or in the industry.
Digital2Law is the go-to flexible and affordable legal partner for entrepreneurs, startups and companies building tech products and proprietary technology, and a network of experts & know-how adapted to the current and future state of the workplace.
