“Most people know better than to use hotel wifi for anything other than checking the weather, but we want to cater for our business travellers. That means providing and promoting effective security practices.”

Kara Rovelli, COO at The HotelCo

Make policy that aligns with your values

A manual developed to reflect stakeholder feedback across industries, delegations of authority and regions in your cybersecurity policy

The Cybersecurity Policy Primer is an interactive, customised toolkit

This toolkit is maintained using intelligence contributed from sources within the parameters you specify. In this demonstration, you're seeing extracts from the global policy. You're welcome to adopt that setting as your base, in which case you'll see the full spectrum of insights, from stakeholder perspectives, regional influences and industry trends as well as suggested policy segments using both prescriptive and descriptive styles.

For a more focused experience, apply your settings to filter insights to your stage of business growth, industry, approach to policy and other priorities. Develop your policy, and supplementary materials to support it, so affected users can be confident that they are making the right decisions.

Check in against the primer to evaluate your policy against the insights and conduct formal reviews with stakeholders who will be working with your policy.

  • Identity and access management
  • Network security
  • Application security
  • Continuity
  • Third party integrations
  • Incident response
  • Awareness and training
  • Audit and compliance
  • Approved risk tolerance levels
  • Mitigation strategies
  • Insurance

Related policies:

  • Data security
  • Privacy
  • Procurement

As you work through the policy decisions in this tool, you will be presented with templated suggestions that you can adopt and customise to make your own, as well as a checklist of common issues that are addressed with policy, case studies, and insights from IT managers, and digital safety advocates to help inform your policy decisions.

This is a preview of the policy toolkit. The system has not customised the insights generated for you. Policy Quarter is not providing advice to you. You should seek your own legal advice before relying on any of the content generated by the toolkit. By interacting with the toolkit, Policy Quarter may review your interactions and use this information to improve the toolkit and the services we provide to you. Except for the preview, this toolkit is optimised for interaction with you. Let us know if suggestions are helpful or not. Share your feedback in the discord.

Overview

What to expect

This toolkit is designed to help you develop a Cybersecurity Policy, from scratch. Where you see underlined text, there are variables that you can change in your settings profile, to better customise this tool with more focused insights and parameters.

By the end of this process, you will have developed a Cybersecurity Policy, which you can circulate to your leadership team for comment and approval, and any subject matter experts from whom you may wish to seek advice, such as lawyers or internet safety managers.

Members who use this toolkit for the first time spend approximately 2 hours interacting with the tools before generating the first version of a complete policy. The segments have been divided so that you can tackle them individually. You can choose to include or remove them from your policy, or mark them as lower priority considerations to be addressed in a subsequent version of your policy.

About you (example)

You are the Chief Operating Officer of a domestic hotel company, incorporated in New South Wales, Australia. Your team has 300 people. You plan to start a loyalty program this year. In the last 12 months your company accommodated 6,000 guests, managed 25-50 corporate accounts and hosted 250 functions. You compete for business with Hilton Hotels. You have a dedicated information technology manager to support cybersecurity activities. Your goals are to become certified to the ISO 27001 information security standard and to increase your business traveller base. 6% of total expenses incurred in the last financial year were spent on cyber risk management. You are uncertain about how, or how much, to invest in cyber risk management.

Let us get to know you a little better (example)

Did your organisation make any changes, or review its cybersecurity policy, as a result of the Optus or Medibank data breaches?

Yes

No

Scoping

Your Notebook

Your notebook has been generated with reference materials to guide your scoping process. Develop them as you work through this phase so that you can customise requests for feedback, such as surveys to send to relevant stakeholders, and evaluate your findings against relevant benchmarks and standards. It's interactive. As well as authoring content directly, you can tell us whether you would like to see more or less of a particular type of content by clicking the thumbs up or thumbs down buttons.

Trends

  1. Hotel companies are attractive targets to attackers because they are usually behind on cyber security, so they're considered low-hanging fruit. (June 2022)
  2. It took an average of 277 days (about 9 months) to identify and contain a breach. (2022)
  3. Regulators are becoming increasingly intolerant of data breaches. (June 2022)
  4. Companies expect to increase annual cyber security investment by 12%. (2021)
  5. The cyber insurance market is characterised by higher premiums, reduced limits, more restrictive coverage and more frequent claim denials. (January 2023)

Register to see more trends.

Key stakeholders

  1. Chief Information Security Officers, who will need to partner with their business counterparts in building digital resilience.

  2. Financial controllers, who will need to reassess cybersecurity priorities when provisioning for enhanced requirements.

  3. Team leaders, who will need to own responsibility for contextualising risk and raising awareness of cyber risk.

  4. Consumers, who seek transparency around preparedness for managing cyber risk.

  5. Supply chain partners, who will need to understand the procurement and compliance requirements placed on vendors.

Research

The Forum is a place to share research that may inform cybersecurity policy development. You may be interested to review:

  1. The KPMG 2022 CEO Outlook, which found that 24% of CEOs surveyed felt underprepared to address cybersecurity risks. (2022)

  2. This Australian judgment, which shows that the regulator's view is that a company's failure to implement adequate cybersecurity risk management systems can put it in breach of the conditions on which it is licensed to operate. Whilst the court did not specify (and ASIC did not assert) what would be required to satisfy this threshold, it is clear that companies are expected to meet the challenges of cyber risk. (2023)

  3. This outline, which proposes an approach to deciding how to spend cybersecurity budgets. (2023)

  4. The World Economic Forum's Global Cybersecurity Outlook, which identifies the importance of integrating cybersecurity across decision-making processes. (2023)

Register to access The Forum to view and share research and insights related to cybersecurity policy.

Specific requirements

  1. Legal due diligence on supplier contracts, to develop a matrix of data processing exposures and corresponding security measures.

  2. Develop strategies to preserve the value of cyber insurance.

  3. CISO to assess cyber vulnerabilities and develop recommended priorities for board approval.

Competitor analysis

The Martinique Hotel, part of Hilton's soft brand Curio Collection, piloted Cyber Safe Travel, a program by risk management firm Cino Ltd and StrikeForce Technologies. (2022)

Policy

Policy Designer

Your design feed is populated with template policy positions that have been generated using the profile settings and feedback you have provided. You can broaden the filter on each issue to see variations on the prescriptive and descriptive policy statements, which you can adopt or customise. You can also use them in preparing your own policy statement.

The example below shows the policy statement generator for the Incident Response section of the Cybersecurity Policy.

Fields: Section | Policy issue | Context | Prescriptive approach | Descriptive approach | Insights | Resources | Notes

Section: 6

Policy issue: Part 1 - Directing data breach alerts (Incident response)

Context:

This policy addresses how cybersecurity alerts will be directed. Part 1 deals with data breaches. Part 2 deals with network and application security. Part 3 deals with other incidents.

LEGAL: Mandatory reporting obligations exist where a data breach compromises personal information that is subject to the Privacy Act.

COMMERCIAL: The Board has prioritised vulnerabilities affecting guest data.

Prescriptive approach:

The Chief Information Security Officer (CISO) detects and investigates security events to determine whether an incident has occurred and, if so, the extent, cause and damage of the incident.

False alarms are captured and referred for assessment so that alerting and resilience can be improved.

The CISO directs the containment, remediation and recovery of security incidents and may authorise and expedite changes to information systems necessary to do so.

The CISO coordinates the response with external parties where existing agreements place responsibility for incident investigation on the external party. Third party support arrangements must be reviewed annually, and off schedule whenever a high-severity threat alert is detected.

Descriptive approach:

Coming soon

Insights:

VALUES: The continuing confidence of our stakeholders demands forthright transparency where a breach has occurred.

LEGAL: Under the Notifiable Data Breaches scheme in the Privacy Act, a suspected eligible data breach must be assessed within 30 days, and the OAIC and affected individuals must be notified as soon as practicable once the breach is confirmed.

Resources:

Case study on the Marriott hotel data breach.

Checklist for developing a data breach chain of command.

Script for testing policy application.

DYK? SOC 2 is an attestation report rather than a certification, and a SOC 2 audit requires this policy to be documented and mapped to the audit procedures.

Notes:

Aside from internal concerns, the companies we partner with, including airline and car rental booking providers, expect this policy to comply with standards they specify.

This is the template that is most commonly used.

We're still working on this template. Check back again soon.

A conversation about this topic is active in The Forum. Join in.

In deciding that a company did not meet the standard expected of a normal business as a condition of its licence to operate, an Australian regulator relied on the following deficiencies: (a) no antivirus software; (b) emails were not filtered; (c) backups were not performed; and (d) poor password practices. (2022)


Carnegie Mellon's Incident Response Plan

It has been 8 years since Carnegie Mellon last updated its incident response plan. In that time, the scope and effectiveness of cyber threats have grown considerably. We'd suggest that regular (annual) scheduled reviews of this policy become part of the formal requirements for maintaining it, along with ad hoc reviews whenever the severity of a threat exceeds the level at which internal support teams are capable of protecting the infrastructure.

This review was conducted by Alex from Policy Quarter by reference to the policy as published on 2 February 2023.

Communication

Communicate with relevant stakeholders

Communicate the policy requirements, and the role each relevant stakeholder has in upholding them, consistently. Maintain a resource library of the communication materials you have created so they can be easily accessed and updated.

Reflect your brand values across the suite of communications materials you develop so that you can enable your colleagues to represent the team effectively.

The example below shows the communications register for the Cybersecurity Policy. When you join, you can customise these templates or create your own.

Element                                    | Reference | Lead                   | Last reviewed  | Notes
-------------------------------------------|-----------|------------------------|----------------|------
Policy                                     |           | COO                    | October 2020   |
Training                                   |           | CISO                   | December 2020  |
Factsheet for Suppliers                    |           | Procurement Manager    | March 2021     |
Website copy                               |           | Communications Manager | July 2021      |
Legal due diligence                        |           | General Counsel        | September 2022 |
Vulnerability matrix                       |           | CISO                   | April 2022     |
Business Case                              |           | CISO                   | July 2022      |
Essential 8 Framework                      |           | CISO                   | January 2022   |
Report to the board                        |           | CISO                   | July 2021      |
Fact sheet for corporate travel booking agents |       | Head of Sales          | December 2021  |
Screen saver tip carousel                  |           | Training Manager       | January 2022   |
Supplier terms                             |           | General Counsel        | January 2022   |
Incident response flowchart                |           | Training Manager       | March 2022     |

Compliance

Manage Policy Compliance

Customise compliance templates to stay on top of your organisation's policy commitments and collect the information you need to produce your reports.

From training schedules and attendance registers to infringement or audit requests, you can collect and analyse data from your dashboard.

Feedback

Get the feedback you need to hear to make your policy

Manage formal feedback sessions with relevant stakeholder groups. Collect feedback in your dashboard and use it to demonstrate to your affected staff, suppliers and shareholders that you have considered their views.

Badge your policies with statements to show your stakeholders how you are engaging them in policy development and in addressing their concerns.

Join the Cybersecurity Policy Forum

Register to join your governance peers in addressing cybersecurity policy issues