Protecting your business from cyber threats is a daunting task that requires ongoing constant attention, however having a cybersecurity policy is the best place to start. This free policy well help set your business on a path towards better cybersecurity. Note: Do a find and replace for %COMPANY_NAME% with the name of your business
%COMPANY_NAME% Cyber Security Policy
Intent and Scope
This cybersecurity policy provides the basis of cybersecurity management within %COMPANY_NAME%.
This policy applies to all of %COMPANY_NAME% employees, contractors, volunteers, vendors and anyone else who may have any type of access to %COMPANY_NAME% systems, software and hardware.
Effective protection of business information creates a competitive advantage, both in the ability to preserve the reputation of %COMPANY_NAME% and in reducing the risk of the occurrence of negative events and incidents.
Privilege Management
%COMPANY_NAME% should have all accounts managed through a centralised Active Directory or Azure AD environment.
Auditing should be configured and enabled in all directory systems.
Access to data and systems should be governed by granular controls defined by group membership.
All users should have their own accounts. Shared resources should have delegated access to individual accounts.
Accounts with administrative privileges must not be used for daily systems use.
Use of administrative accounts should be audited monthly.
Data Governance
All systems, processes, procedures, documents and other data created by a %COMPANY_NAME% employee is wholly owned by %COMPANY_NAME% and must be stored in compliance with this policy.
Data must only be stored on the %COMPANY_NAME% file server in folders with appropriate security for the data sensitivity level.
Data must not be stored on users computers unless the requirement for local storage is identified and approved by %COMPANY_NAME% senior management.
Data must not be stored on USB thumb drive, external HDD or other external media, except for the purposes of backup as defined below.
Data backup
All %COMPANY_NAME% systems must be backed up every 24 hours.
Backups should be stored in at least two locations, with one copy stored offline.
Backup copies of data may be stored on private or public cloud, or to external meia.
All backups must be encrypted. If in the event a copy of backed up data is lost, it is not accessible by unauthorised parties.
A random copy of a backup should be manually verified at least once per month. This process should include a test restore of random data.
Disaster Recovery and Business Continuity
All systems. data and other digital assets should be considered along with physical assets, sites and roles when planning for disaster recovery and business continuity.
A Disaster Recovery policy and procedure should be developed and documented.
Password Management
All passwords should be unique. Password reuse is the single greatest source of password compromise based attacks.
All passwords should be a minimum of 8 characters in length, however longer passwords are more secure and recommended where possible.
Do not write down password and leave it unprotected
Do not exchange credentials with a third party, trusted or otherwise, by electronic means.
Avoid using shared passwords when possible.
Password Manager
The use of an enterprise password manager is advised, as it mitigates employee behaviour and avoids password reuse.
The password manager should have encryption in transit and encryption at rest.
The password manager must have auditing enabled.
Recommended password managers include:
- Bitwarden (self hosted\private cloud\public cloud)
- LastPass (public cloud)
- HUDU (private cloud)
2nd Factor Authentication
2nd factor authentication (2FA) using an authenticator app is highly recommended whenever possible for all applications.
Second factor authentication must be used with any public cloud hosted applications.
SMS based authentication is not allowed due to the risk of SIM swapping.
Biometric 2FA such as fingerprints are recommended, but not essential.
Facial recognition systems are not recommended due to flaws in the current technology implementation.
Password Schedule
Passwords only need to be changed when they do not meet the security requirements outlined above. As such there is no policy to change a password on a schedule.
Email Security
Emails can contain malicious content and malware. In order to reduce harm, employees should employ the following strategies:
- Do not open attachments or click any links where content is not well explained
- Check the email addresses and names of senders.
- Search for inconsistencies
- Block junk, spam and scam emails
- Avoid emails that contain common scam subject lines such as prizes, products and money transfers
If an employee is not sure that an email, or any type of data is safe, the employee should contact Riverina DIgital.
Spam Filtering
A suitable email spam filtering solution must be configured to reduce spam exposure.
Spam filtering includes (but is not limited to):
- Spam Hero
- TrendMicro HES
- Barracuda Mail filter
- Spam Titan
- Mailguard
Email security training
Note: All users should complete Riverina Digital’s Cyber Security training as part of their induction. This can be delivered directly by Riverina Digital staff, or from a suitable %COMPANY_NAME% employee who has received the training previously.
Patching and Updates
All %COMPANY_NAME% devices must be kept updated with the latest updates for the operating system and installed software.
It is recommended that %COMPANY_NAME% hardware is managed by Riverina Digital, and updates and maintenance are performed and reported on by Riverina Digital.
All devices should be running the most up to date version of it’s operating system.
Antivirus
All %COMPANY_NAME% devices must be running an antivirus product.
Windows Defender is included with WIndows 10 and is a very capable security product and in the majority of cases is suitable for maintaining device security.
Antivirus products must be business or enterprise grade. Not home or personal.
Devices must not have free or trial antivirus products installed at any time.
Device Security and Using Personal Devices
Employees must agree that logging in to any work accounts for personal devices such as mobile phones, tablets or laptops, can put %COMPANY_NAME% data at risk.
%COMPANY_NAME% does not recommend accessing any %COMPANY_NAME% data from personal devices. However, if this cannot be avoided, employees are obligated to keep their devices in a safe place and not exposed to anyone else.
Access to %COMPANY_NAME% systems and data from personal devices must use an authorised remote access method, even when the devices are used while onsite at %COMPANY_NAME%.
Employees are required to follow these best practice steps:
- Keep all electronic devices’ passwords secure and protected
- Logging into accounts should only be performed through safe private networks
- Install security updates on a regular basis
- Upgrade antivirus software on a regular basis
- Never leave devices unprotected and exposed
- Lock computers when leaving the desk
Physical Device Security
- All %COMPANY_NAME% computer devices must have encrypted disk drives. In the event of loss or theft of the device the data will not be recoverable without the correct passkey, preventing unauthorised access to company data.
- Mobile devices with access to %COMPANY_NAME% data or email, must not have any data stored locally. In the event of loss or theft of the device it must be possible to remove access to company data remotely.
Theft or Loss of a %COMPANY_NAME% device
In the event a device is presumed lost or stolen, the Greatcell employee must report the device to
Software
Only approved software should be installed on %COMPANY_NAME% devices.
Approved software is software listed as part of the Standard Operating Environment
Working Remotely
When working remotely, all the cybersecurity policies and procedures must be followed.
Remote access to %COMPANY_NAME% systems and data must only be by approved remote methods including
- Secure certificate based VPN
- HTTPs encrypted web portal to remote desktop server
Teamviewer, Anydesk and other remote support tools are not suitable for remote access by %COMPANY_NAME% employees.
Acceptable Use
User accounts on work systems are only to be used for the business purposes of %COMPANY_NAME% and not to be used for personal activities.
Employees are responsible for protecting all confidential information used and/or stored on their accounts. This includes their user logins and passwords. Employees are prohibited from making unauthorised copies of such confidential information and/or distributing it to unauthorised persons outside of %COMPANY_NAME%.
Employees must not purposely engage in any activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to %COMPANY_NAME% systems for which they do not have authorisation.
Security Requirements
Employees must not install unauthorised software.The company may at any time introduce a whitelist of approved/trusted programs. If this occurs then only these programs may be used by employees.
Employees should perform daily backups of important new/changed data, software and configuration settings.
Employees must not use unauthorised devices on their workstations, unless they have received specific authorisation from Riverina DIgital.
Employees must not attempt to turn off or circumvent any security measures.
Employees must report any security breaches, suspicious activities or issues that may cause a cyber security breach to Riverina DIgital.
Disciplinary Action
If this policy is breached, one or more of the following disciplinary actions will take place:
Incidents will be assessed on a case-by-case basis
In case of breaches that are intentional or repeated or cases that cause direct harm to %COMPANY_NAME%, employees may face serious disciplinary action
Subject to the gravity of the breach, formal warnings may be issued to the offending employee