What is a cyber security policy?

A cyber security policy outlines:

  • technology and information assets that you need to protect
  • threats to those assets
  • rules and controls for protecting them and your business.

It’s important to create a cyber security policy for your business – particularly if you have employees. It helps your employees to understand their role in protecting the technology and information assets of your business.

When you prepare your policy, ensure it guides your employees on:

  • the type of business information that can be shared and where
  • acceptable use of devices and online materials
  • handling and storage of sensitive material.

When developing your cyber security policy consider the following steps.

1. Set password requirements

Your cyber security policy should explain:

  • requirements to create strong passphrases
  • how to store passphrases correctly
  • how often you need to update passphrases
  • the importance of having unique passphrases for different logins.

Learn more about creating strong passphrases and managing them.

Australian Cyber Security Centre

2. Outline email security measures

Include guidelines on:

  • when it’s appropriate to share your work email address
  • only opening email attachments from trusted contacts and businesses
  • blocking junk, spam and scam emails
  • identifying, deleting and reporting suspicious looking emails.

Know how to secure your email account and check if it has been compromised.

Australian Cyber Security Centre

3. Explain how to handle sensitive data

When it comes to handling sensitive data, outline:

  • when staff may share sensitive data with others
  • ways they should store physical files with sensitive data, such as in a locked room or drawer
  • ways to properly identify sensitive data
  • ways to destroy any sensitive data when it is no longer needed.

4. Set rules around handling technology

Rules around technology should include:

  • where employees can access their devices such as a business laptop away from the workplace
  • how to store devices when they aren’t in use
  • how to report a theft or loss of a work device
  • how system updates such as IT patches and spam filter updates will be rolled out to employee devices
  • when to physically shut down computers and mobile devices if not in use
  • the need to lock screens when computers and devices are left unattended
  • how to protect data stored on devices like USB sticks
  • restrictions on use of removable devices to prevent malware being installed
  • the need to scan all removable devices for viruses before they may be connected to your business systems.

5. Set standards for social media and internet access

The standards for social media and internet access may include:

  • what is appropriate business information to share on social media channels
  • what is appropriate for staff to sign when using their work email account
  • guidelines around which websites and social media channels are appropriate to access during work hours.

6. Prepare for an incident

If a cyber security incident occurs, you should minimise the impact and get back to business as soon as possible. You’ll need to consider:

  • how to respond to a cyber incident
  • what actions to take
  • staff roles and responsibilities for dealing with a cyber attack.

Prepare a cyber security incident response plan

An incident response plan helps you prepare for and respond to a cyber incident. It outlines the steps you and your staff need to follow. Consider the following stages when preparing a plan.

  • Prepare your business and employees to be ready to handle cyber incidents.
  • Develop policies and procedures to help employees understand how to prevent an attack and to identify potential incidents.
  • Identify the assets that are important to your business – financial, information and technology assets.
  • Consider the risks to these and the steps you need to take to reduce the effects of an incident.
  • Create roles and responsibilities so everyone knows who to report to if an incident occurs, and what to do next.

Check and identify any unusual activities that may damage your business information and systems. Unusual activity may include:

  • accounts and your network not accessible
  • passwords no longer working
  • data is missing or altered
  • your hard drive runs out of space
  • your computer keeps crashing
  • your customers receive spam from your business account
  • you receive numerous pop-up ads.

If you see a security incident, document any evidence and report it to either your IT section, a team member or to ReportCyber.

  • Find the initial cause of the incident and assess the impact so you can contain it quickly.
  • Determine the impact the incident has had on your business.
  • Determine its effects on your business and assets if not immediately contained.

  • Limit further damage of the cyber incident by isolating the affected systems. If necessary, disconnect from the network and turn off your computer to stop the threat from spreading.
  • Remove the threat.
  • Recover from the incident by repairing and restoring your systems to business as usual.

  • Identify if any systems and processes need improving and make those changes.
  • Evaluate the incident before and after, and any lessons learnt.
  • Update your cyber security incident response plan based on the lessons learnt so you can improve your business response.

Read more about protecting your business online to form your incident response plan.

Australian Cyber Security Centre

7. Keep your policy up-to-date

You should develop, review and maintain your cyber security policy on a regular basis.

Read next

Find out how to keep your business safe from cyber threats.

Cyber security checklist

Was this page helpful?

Thanks for sharing your feedback with us.

Why not?

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.