Cybersecurity Policy & The Role Of The Executive Team

Vendor Risk Management

Cybersecurity Policy & The Role Of The Executive Team
Written by Melissa Stevens June 16, 2016

One of the primary roles of senior executives—from the CISO to the general council and all the way up to the board of directors—is to ensure that an organization has policies set in place for cybersecurity.

There’s several reasons why this is important. First and foremost, the executive team

must approve company-wide cybersecurity policies to ensure that they’re relevant to the overall approach the company is taking to manage cybersecurity and cyber risk.

Additionally, it’s important for employees to know how executives view cybersecurity in the organization. If the executive team is involved with reviewing policies and setting them in motion, employees will not question whether or not cybersecurity is being taken seriously. Some organizations tie performance reviews into the successful adherence to cybersecurity policy, adding another layer of importance.

Below, we’ve detailed three cybersecurity policies your organization must be addressing. This list, of course, is not exhaustive or even comprehensive. But if you aren’t enacting these three policies, you’ll very likely regret it in the future.

1. Acceptable Use Cybersecurity Policy

An acceptable use cybersecurity policy spells out what employees may and may not do with the work-related devices they use. It should, among other things, detail:

  • Online browsing.
  • Music and movie downloads.
  • Other web-based downloads.
  • Email attachment downloads.
  • Acceptable software usage.

These corporate restrictions are critical for several reasons. First of all, if there’s something employees should be aware of, it should be clearly stated to them so they can avoid taking certain actions themselves and help police this internally. Additionally, if there isn’t a specific written policy in place, employees can’t be held accountable as easily for any downloads they may have initiated that introduced malware into your corporate network.

2. Remote Work & Travel Policy

This policy (which may be divided into many separate policies depending on your organization) should detail where and how employees should (or should not!) access their work-related electronic devices. For examples, an employee needs to know the answers to these hypothetical scenarios:

  • “Can I work at a coffee shop and use their Wi-Fi?”
  • “Do I need to use a personal Wi-Fi device or VPN if I work outside the office?”
  • “Can my work laptop leave the office?”
  • “I have a meeting in China—should I bring my laptop? What precautions should I use?”

Regardless of the types of scenarios you cover, the point should be to help employees avoid potentially risky behavior that they may not be aware of—and keep all employees in line with the organization’s cybersecurity strategy.

3. Employee Training Policy

It is just as critical—if not more so—to ensure your employees know how to enact your policies as it is to put them into place. Therefore, it’s important to both train employees on proper “cyber hygiene” and train them on it regularly. They should, among other things, be aware of:

  • How to use (and not use) company equipment.
  • Which email attachments they should and should not click on.
  • How they will be held accountable if they do something that results in a bad action.

This should all be spelled out both verbally and physically (in a cybersecurity policy document) so every employee is clear on his or her expectations.

Keep in mind...

There are hundreds—if not thousands—of policies an organization may put into place with regard to cybersecurity. Some will fall into “internal organization and engagement,” while others will specifically target “third-party engagement.” They may include:

Having a formalized set of cybersecurity policies is the best way to create a complete cybersecurity program—so if you’re implementing these steps, you’re taking a large step in the right direction.