Cyber Security Policy
- Cyber Security Essentials:
An organization’s Cyber Security policy is a document that is tailored to its unique security needs, approved by management and distributed to all employees and partners in a form that is relevant, accessible and understandable to the intended reader. This policy document should address the following:
- A definition of information security including a statement of management commitment and how information security objectives align with business strategy and objectives.
- A framework for setting security control objectives and security controls, including the structure of risk assessment and risk management.
- A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
  - compliance with legislative, regulatory, and contractual requirements
  - security education, training, and awareness requirements
  - business continuity management and disaster recovery requirements
  - consequences of information security policy violations
- A definition of general and specific responsibilities for information security management, including reporting information security incidents.
- References to documentation which may support the policy.
- The information security policy should be communicated to users throughout the organization.




