Protecting your business from cyber threats is a daunting task that requires ongoing attention; having a cybersecurity policy is the best place to start. This free policy will help set your business on a path towards better cybersecurity. Note: do a find and replace for %COMPANY_NAME% with the name of your business.
%COMPANY_NAME% Cyber Security Policy
Intent and Scope
This cybersecurity policy provides the basis of cybersecurity management within %COMPANY_NAME%.
This policy applies to all %COMPANY_NAME% employees, contractors, volunteers, vendors and anyone else who has any type of access to %COMPANY_NAME% systems, software and hardware.
Effective protection of business information creates a competitive advantage, both by preserving the reputation of %COMPANY_NAME% and by reducing the risk of negative events and incidents.
%COMPANY_NAME% should have all accounts managed through a centralised Active Directory or Azure AD environment.
Auditing should be configured and enabled in all directory systems.
Access to data and systems should be governed by granular controls defined by group membership.
All users should have their own accounts. Shared resources should have delegated access to individual accounts.
Accounts with administrative privileges must not be used for daily systems use.
Use of administrative accounts should be audited monthly.
All systems, processes, procedures, documents and other data created by a %COMPANY_NAME% employee are wholly owned by %COMPANY_NAME% and must be stored in compliance with this policy.
Data must only be stored on the %COMPANY_NAME% file server in folders with appropriate security for the data sensitivity level.
Data must not be stored on users' computers unless the requirement for local storage is identified and approved by %COMPANY_NAME% senior management.
Data must not be stored on USB thumb drives, external HDDs or other external media, except for the purposes of backup as defined below.
All %COMPANY_NAME% systems must be backed up every 24 hours.
Backups should be stored in at least two locations, with one copy stored offline.
Backup copies of data may be stored on private or public cloud, or on external media.
All backups must be encrypted, so that if a copy of backed-up data is lost it cannot be accessed by unauthorised parties.
A randomly selected backup should be manually verified at least once per month. This process should include a test restore of a random sample of data.
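The two backup requirements above (encryption, and a periodic test restore) can be carried out by one script. The following is an added example written for this page, not code from the Riverina Digital template: it archives a directory, encrypts the archive with OpenSSL (AES-256-CBC with a PBKDF2-derived key), records a SHA-256 manifest of the source files, and then performs the "test restore" by decrypting into a scratch directory and comparing the restored files against that manifest. It assumes `tar` and `openssl` are installed and that the passphrase is kept in a root-only key file; the file names and the sample data in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Riverina Digital policy template).
# Assumptions not from the page: tar and openssl are available; the backup
# passphrase lives in a key file readable only by the backup account.
set -eu

# SHA-256 of one file: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print a sorted manifest of "hash  ./relative/path" for every regular file
# under the directory given as $1. Sorting makes the manifest reproducible.
manifest_of() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(sha256_of "$f")" "$f"
  done)
}

# make_backup SRC_DIR OUT_FILE KEYFILE
# Records the manifest, then streams a tar of SRC_DIR through openssl so the
# plaintext archive never touches disk. -pbkdf2 derives the key from the
# passphrase with a salt, which is stored in the output header by -salt.
make_backup() {
  manifest_of "$1" > "$2.manifest"
  tar -C "$1" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt \
      -pass "file:$3" -out "$2"
}

# verify_backup BACKUP_FILE KEYFILE
# The test restore: decrypt into a scratch directory, recompute the manifest
# and compare it with the one written at backup time. Returns 0 only if the
# archive decrypts AND every restored file matches its recorded hash.
verify_backup() {
  scratch=$(mktemp -d)
  if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" 2>/dev/null \
       | tar -C "$scratch" -xf - 2>/dev/null; then
    echo "restore FAILED: cannot decrypt or unpack $1" >&2
    rm -rf "$scratch"; return 1
  fi
  if manifest_of "$scratch" | cmp -s - "$1.manifest"; then
    echo "restore verified: $1 matches its manifest"
    rm -rf "$scratch"; return 0
  fi
  echo "restore MISMATCH: $1 differs from its manifest" >&2
  rm -rf "$scratch"; return 1
}

# Demo on constructed sample data (not real company files).
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/finance"
  printf 'constructed sample invoice\n' > "$work/src/finance/invoice-0001.txt"
  printf 'constructed staff roster\n'   > "$work/src/roster.txt"
  (umask 077 && openssl rand -hex 32 > "$work/backup.key")   # key file, mode 0600
  make_backup "$work/src" "$work/daily.tar.enc" "$work/backup.key"
  if verify_backup "$work/daily.tar.enc" "$work/backup.key"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

demo
```

In production the manifest would be stored with the offline copy and the key file kept separately from both copies, so that losing a backup medium does not also lose the key.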
Disaster Recovery and Business Continuity
All systems, data and other digital assets should be considered along with physical assets, sites and roles when planning for disaster recovery and business continuity.
A Disaster Recovery policy and procedure should be developed and documented.
All passwords should be unique. Password reuse is the single greatest source of password-compromise-based attacks.
All passwords should be a minimum of 8 characters in length; longer passwords are more secure and are recommended where possible.
Do not write down passwords and leave them unprotected.
Do not exchange credentials with a third party, trusted or otherwise, by electronic means.
Avoid using shared passwords when possible.
The use of an enterprise password manager is advised, as it reduces the impact of poor password habits and avoids password reuse.
The password manager should have encryption in transit and encryption at rest.
The password manager must have auditing enabled.
Recommended password managers include:
- Bitwarden (self-hosted / private cloud / public cloud)
- LastPass (public cloud)
- HUDU (private cloud)
2nd Factor Authentication
Second-factor authentication (2FA) using an authenticator app is highly recommended wherever possible, for all applications.
Second factor authentication must be used with any public cloud hosted applications.
SMS based authentication is not allowed due to the risk of SIM swapping.
Biometric 2FA, such as fingerprint readers, is recommended but not essential.
Facial recognition systems are not recommended due to flaws in the current technology implementation.
Passwords only need to be changed when they do not meet the security requirements outlined above. As such there is no policy to change a password on a schedule.
Emails can contain malicious content and malware. In order to reduce harm, employees should employ the following strategies:
- Do not open attachments or click any links where content is not well explained
- Check the email addresses and names of senders.
- Search for inconsistencies
- Block junk, spam and scam emails
- Avoid emails that contain common scam subject lines such as prizes, products and money transfers
If an employee is not sure that an email, or any other type of data, is safe, the employee should contact Riverina Digital.
A suitable email spam filtering solution must be configured to reduce spam exposure.
Suitable spam filtering solutions include (but are not limited to):
- Spam Hero
- TrendMicro HES
- Barracuda Mail filter
- Spam Titan
Email security training
Note: All users should complete Riverina Digital’s Cyber Security training as part of their induction. This can be delivered directly by Riverina Digital staff, or from a suitable %COMPANY_NAME% employee who has received the training previously.
Patching and Updates
All %COMPANY_NAME% devices must be kept updated with the latest updates for the operating system and installed software.
It is recommended that %COMPANY_NAME% hardware is managed by Riverina Digital, and updates and maintenance are performed and reported on by Riverina Digital.
All devices should be running the m