A manual developed to reflect stakeholder feedback across industries, delegations of authority, and regions in your cybersecurity policy
The Cybersecurity Policy Primer is an interactive, customised toolkit
This toolkit is maintained using intelligence contributed from sources within the parameters you specify. In this demonstration, you're seeing extracts from the global policy. You're welcome to adopt that setting as your base, in which case you'll see the full spectrum of insights, from stakeholder perspectives, regional influences and industry trends as well as suggested policy segments using both prescriptive and descriptive styles.
For a more focused experience, apply your settings to filter insights to your stage of business growth, industry, approach to policy and other priorities. Develop your policy, and supplementary materials to support it, so affected users can be confident that they are making the right decisions.
Check in against the primer to evaluate your policy against the insights and conduct formal reviews with stakeholders who will be working with your policy.
Related policies:
As you work through the policy decisions in this tool, you will be presented with templated suggestions that you can adopt and customise to make your own, as well as a checklist of common issues that are addressed with policy, case studies, and insights from IT managers and digital safety advocates to help inform your policy decisions.
This is a preview of the policy toolkit. The system has not customised the insights generated for you. Policy Quarter is not providing advice to you. You should seek your own legal advice before relying on any of the content generated by the toolkit. By interacting with the toolkit, Policy Quarter may review your interactions and use this information to improve the toolkit and the services we provide to you. Except for the preview, this toolkit is optimised for interaction with you. Let us know if suggestions are helpful or not. Share your feedback in the discord.
What to expect
This toolkit is designed to help you develop a Cybersecurity Policy, from scratch. Where you see underlined text, there are variables that you can change in your settings profile, to better customise this tool with more focused insights and parameters.
By the end of this process, you will have developed a Cybersecurity Policy, which you can circulate to your leadership team for comment and approval, and any subject matter experts from whom you may wish to seek advice, such as lawyers or internet safety managers.
Members who use this toolkit for the first time spend approximately 2 hours interacting with the tools before generating the first version of a complete policy. The segments have been divided so that you can tackle them individually. You can choose to include or remove them from your policy, or mark them as lower priority considerations that you can address in a subsequent version of your policy.
About you
You are the Chief Operating Officer of a domestic hotel company, incorporated in New South Wales, Australia. Your team has 300 people. You plan to start a loyalty program this year. Your company accommodated 6,000 guests, manages 25-50 corporate accounts, and hosted 250 functions in the last 12 months. You compete for business with Hilton Hotels. You have a dedicated information technology manager to support cybersecurity activities. Your goals are to become certified to ISO 27001 information security standards and to increase your business traveller base. 6% of total expenses incurred in the last financial year were spent on cyber risk management. You are uncertain about how or how much to invest in cyber risk management.
Let us get to know you a little better
Did your organisation make any changes, or review its cybersecurity policy, as a result of the Optus or Medibank data breaches?
Your Notebook
Your notebook has been generated with reference materials to guide your scoping process. Develop them as you work through this phase so that you can customise requests for feedback, such as surveys to send to relevant stakeholders to solicit feedback, and to evaluate your findings against relevant benchmarks and standards. It's interactive. As well as your direct authorship, you can tell us if you would like to see more or less of a particular type of content by clicking the thumbs up or thumbs down buttons.
Key stakeholders
Chief Information Security Officers who will need to partner with their business counterparts in building digital resilience.
Financial controllers who will need to reassess cybersecurity priorities in provisioning for enhanced requirements.
Team leaders who will need to own responsibility for contextualising risk and raising awareness of cyber risk.
Consumers who seek transparency around preparedness for managing cyber risk.
Supply chain partners who will need to understand requirements for vendors in terms of procurement and compliance.
Research
The Forum is a place to share research that may inform recruitment policy development. You may be interested to review:
The KPMG 2022 CEO Outlook, which found that 24% of CEOs surveyed felt underprepared to address cybersecurity risks (2022).
This Australian judgment, which shows that the regulator's view is that a company's failure to implement adequate cybersecurity risk management systems can put it in breach of the conditions on which it is licensed to operate. Whilst the courts did not specify (and ASIC did not assert) what would be required to satisfy this threshold, it is clear that the expectation is that companies meet the challenges of cyber risk (2023).
This outline, which proposes an approach to determine how to spend cybersecurity budgets (2023).
The World Economic Forum's Global Cybersecurity Outlook, which identifies the importance of integrating cybersecurity across decision-making processes (2023).
Specific requirements
Legal due diligence on supplier contracts, to develop a matrix of data processing exposures and corresponding security measures.
Develop strategies to preserve the value of cyber insurance.
CISO to assess cyber vulnerabilities and develop recommended priorities for board approval.
Competitor analysis
The Martinique Hotel, part of Hilton’s soft brand Curio Collection, piloted Cyber Safe Travel, a program by risk management firm Cino Ltd and StrikeForce Technologies (2022).
Policy Designer
Your design feed is populated with template policy positions that have been generated using the profile settings and feedback you have provided. You can broaden the filter on each issue to see variations on the prescriptive and descriptive policy statements, which you can adopt or customise. You can also use them in preparing your own policy statement.
The example below shows the policy statement generator for the Incident Response section of the Cybersecurity Policy.
Section | Policy Issue | Context | Prescriptive Approach | Descriptive Approach | Insights | Resources | Notes
---|---|---|---|---|---|---|---
6 Part 1 - Directing data breach alerts | Incident response. This policy addresses how cybersecurity alerts will be directed. Part 1 deals with data breaches. Part 2 deals with network and application security. Part 3 deals with other incidents. | LEGAL: Mandatory reporting obligations exist where a data breach compromises personal information which is subject to the Privacy Act. COMMERCIAL: The Board has prioritised vulnerabilities of guest data. | The Chief Information Security Officer (CISO) detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of the incident. False alarms are captured and referred for assessment to better develop resilience and alert systems. The CISO directs the recovery, containment and remediation of security incidents and may authorise and expedite changes to information systems necessary to do so. The CISO coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party. Third party support arrangements must be reviewed annually and off schedule in the event that a high-severity threat alert is detected. | Coming soon | VALUES: The continuing confidence of our stakeholders demands forthright transparency where a breach has occurred. LEGAL: Australian privacy law requires disclosure within 10 Business Days. | Case study on the Marriott hotel data breach. Checklist for developing data breach chain of command. Script for test policy application. |
| DYK?: SOC2 certification requires this policy to be documented against audit procedures. | Aside from internal concerns, the companies we partner with, including airline and car rental booking providers, expect this policy to comply with standards they specify. | This is the template that is most commonly used. | We're still working on this template. Check back again soon. | A conversation about this topic is active in The Forum. Join in. | In deciding that a company did not satisfy the normal business standard expectation that was required for it to maintain a licence to operate its business, an Australian regulator relied on the following issues: (a) no antivirus software; (b) emails were not filtered; (c) backups were not performed; and (d) poor password practices (2022). |
| | | | | | | Carnegie Mellon's Incident Response Plan. It has been 8 years since Carnegie Mellon last updated its incident response plan. In that time, the scope and efficacy of cyber threats have vastly improved. We'd suggest that regular (annual) scheduled reviews of this policy become part of the formal requirements for maintaining the policy, along with ad hoc reviews where the severity level of any threat exceeds the level at which internal support teams are capable of protecting the infrastructure. This review was conducted by Alex from Policy Quarter by reference to the policy as published on 2 February 2023.
Communicate with relevant stakeholders
Communicate the policy requirements, and the role each relevant stakeholder has in upholding them, with consistency. Maintain a resource library of the communication materials you have created so they can be easily accessed and updated.
Reflect your brand values across the suite of communications materials you develop so that you can enable your colleagues to represent the team effectively.
The example below shows the communications register for the Cybersecurity Policy. When you join, you can customise these templates or create your own.
Element | Reference | Lead | Last reviewed | Notes
---|---|---|---|---
Policy | | COO | October 2020 |
Training | | CISO | December 2020 |
Factsheet for Suppliers | | Procurement Manager | March 2021 |
Website copy | | Communications Manager | July 2021 |
Legal due diligence | | General Counsel | September 2022 |
Vulnerability matrix | | CISO | April 2022 |
Business Case | | CISO | July 2022 |
Essential 8 Framework | | CISO | January 2022 |
Report to the board | | CISO | July 2021 |
Fact sheet for corporate travel booking agents | | Head of Sales | December 2021 |
Screen saver tip carousel | | Training Manager | January 2022 |
Supplier terms | | General Counsel | January 2022 |
Incident response flowchart | | Training Manager | March 2022 |
Manage Policy Compliance
Customise compliance templates to stay on top of your organisation's policy commitments and collect the information you need to produce your reports.
From training schedules to attendance registers, infringement or audit requests, you can collect and analyse data from your dashboard.
Get the feedback you need to hear to make your policy
Manage formal feedback sessions with relevant stakeholder groups. Collect feedback in your dashboard and use it to demonstrate to your affected staff, suppliers and shareholders that you have considered their views.
Badge your policies with statements to show your stakeholders how you are engaging them in policy development and in addressing their concerns.