The objective of implementing policies and procedures is to help organizations stay consistent and hold employees accountable. Having documented policies surrounding cybersecurity can help with assessing risk with regard to any compliance work. Well-documented policies and procedures should be clear, concise, and accessible to all staff. Policies and procedures ensure consistency in your workplace: when employees know what is expected of them, work performance will be consistent.
A good place to start is to see if any cybersecurity regulations affect the nature of your business. For example, if your business is in healthcare, it most likely has to follow HIPAA. Understanding the regulations and guidelines laid out within HIPAA could be a helpful road map when developing cybersecurity policies and procedures.
Your policies could be a simple one-sheet or a robust booklet. No matter what you choose, it's important to know your audience: your staff. If your staff isn't exactly tech savvy, it may be worth spelling out some of your procedures.
Here are some common cybersecurity measures to get you started, no matter what industry you're in:
Employee Internet usage policy - puts limits on employee internet usage. Many employers use web filtering to block employees from accessing certain sites, for example, music streaming sites. It would be worth explaining why any sites are blocked (security measures, bandwidth, etc.) and what is deemed acceptable when employees access the internet.
Social media policy - social media sites pose a number of risks. Phishing scams are one, but many organizations have implemented rules around what is deemed appropriate when discussing any work-related matters. Larger corporations have explicitly requested employees state that their opinions are not a reflection of their employer.
Password policy - we've gone over this before in another blog post. It would be worth implementing these procedures to protect your data.
Removable device policy - consider implementing a removable device policy (disks, tapes, CDs, flash drives, etc.) to minimize the risk of infecting devices with malware or letting protected health information go out.
Email usage policy - address what employee email should be used for and what constitutes acceptable use.
Here are some procedures and plans of action to consider:
Train employees on phishing/social engineering/scams.
Train employees on safe website navigation.
Define what an employee should do if they come across a suspicious email.
If your business has to follow FERPA, HIPAA, or any other government regulations, implement a procedure on next steps in the event there is a breach of PII.
Finally, when developing and implementing policies and procedures surrounding cybersecurity, it's important to review them yearly to stay current. Hackers are always developing ingenious ways to steal personal information. SANS is a good resource for information security policy templates.