Regardless of size, all businesses that use IT or online services should have a cyber security policy. It doesn’t even have to be a formal policy document; you simply need to choose the means and degree of formality that is right for your circumstances, as long as everyone who works for your business understands its key points.
Regardless of how you document and distribute your policy, you need to think about how it will be used. A cyber security policy has three main functions:
Your cyber security policy doesn’t need to be very long; most SMEs should be able to fit theirs onto a single sheet of paper. The most important thing is clarity. You need to explain:
A practical guide for IT security from the Information Commissioner's Office.
Download your copy of the report (PDF)
Not all your security controls will be IT controls. Many of them will relate to what your staff should and should not do. To avoid confusion and the possibility of later disagreement you need to define these practices and make sure your staff understand and follow them.
Larger businesses will want to document these practices, while smaller firms might use a less formal approach.
There are a number of staff practices that should always be documented, however simple your approach. These include:
You also need to ensure that you keep within the law, particularly the Data Protection Act, and any other regulations that apply.
Find out more about Data protection and other regulated activities at the Information Commissioner's Office.
4th Platform can help you ensure that your cyber security is as secure as possible.