CyberTIP: Creating An Effective Cybersecurity Policy

The Inside Perspective
(April 21, 2015)

Creating a culture of cybersecurity requires first implementing a clear and straightforward policy on the management of confidential information. There is not, however, one policy that "fits all." A cybersecurity policy must be personalized to comply with any applicable data breach laws, which can vary from state to state and from industry to industry.

Despite necessary variations due to industry and location, there are hallmarks of all effective policies.

TIP: Before drafting your company's cybersecurity policy or reviewing an existing policy for effectiveness, form a team that includes individuals who work in different departments of the company and can help identify what confidential data you have, where and how it is stored, who has access to it, and the sufficiency of current methods used to protect it.

First, cybersecurity policies need to be the product of a team approach, with involvement from company executives, managers from all business units, IT professionals, and HR leaders. Second, a good policy results from asking these types of questions:

  • what confidential data do you have;
  • where is that data stored;
  • who has access to the data;
  • what are the BYOD rules for employee-owned PCs, smartphones, and tablets;
  • how do employees maintain a division between business and personal information stored on computers and mobile devices;
  • what are the rules relating to use of passwords on computers and mobile devices;
  • what type of restrictions are there on the removal of confidential information from the workplace;
  • what are acceptable methods of remotely connecting to the company's internal network;
  • when and how are employees to use encryption;
  • what are the rules relating to employee use of social media;
  • what happens to confidential data when the employee's employment ends;
  • when and how is data to be destroyed by the company; and
  • what are the specifics of the detailed plan allowing for prompt response in the event of a data breach.

Overall, the goal should be crafting a policy that helps the company collect only that confidential information which is necessary to conduct business, keep only what must be kept, implement practical and realistic safeguards, train employees aggressively on how to handle confidential information and eliminate what is not needed, and continually re-examine and update compliance efforts.

Authors
Patti West Ramseur