<Company Name>
HR Policy
IT Cyber Security Policy
Policy Effective Date: <DD/MM/YY>
No part of this documentation may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying or recording, for any purpose without express written permission of
the CEO of <Company Name Here>.
© 2021, <Company Name Here>. All Rights Reserved
Revision History
Ver No. | Change Description | Prepared By | Reviewed By | Approved By | Date
Table Of Contents
1. Objective
2. Scope and Applicability
3. Definition/Glossary
4. Policy/Process
4.1. Understand Risk
4.2. Understand consequences
4.3. Understand systems and data
4.4. Regular cyber hygiene
4.5. Redundancy, backup systems and response plans
4.6. Proprietary malware protection systems
4.7. Access professional expertise
4.8. Continuous investment
4.9. The human factor
4.10. Report breaches
5. Special Circumstance and Exception
6. Non-compliance and Consequence
1. Objective
To be successful, companies need to embrace a concept of holistic cyber
resilience, which improves their chances of resisting threats from both internal
and external sources and managing those risks effectively.
2. Scope and Applicability
This policy applies to all Company employees.
This policy is owned by <Name of the Person>, who can be reached at <Contact
Number> and <email address>.
3. Definition/Glossary
Term / Abbreviation | Definition / Expansion
4. Policy/Process
4.1. Understand Risk
Cyber resilience must be a primary focus of boards and senior management. It is
not something that can be left solely to the chief information officer. As strategic
risk managers, board members need to take personal legal, ethical, and fiduciary
responsibility for the company’s exposure to cyber compromise, regularly
addressing the risk of cyber failure, and ensuring that cyber resilience is built into
all aspects of their business and operating models.
4.2. Understand consequences
We can all comprehend how a prolonged breakdown of cybersecurity in the
telecommunication sector, the banking industry, or an airline could be
catastrophic on a national scale. At the small and medium-size business level,
cyber disruption could be equally disastrous both for the business and for the
customers who had placed their trust in it. For any enterprise, the failure or
disruption of operating systems or the compromise of intellectual property,
commercially sensitive information, or data held in trust for customers (such as
personal and credit card details) will be reflected in the company’s reputation,
credibility, and, ultimately, its profitability.
4.3. Understand systems and data
Accurate assessment of risk and the consequences of failure is facilitated by a
clear understanding of a company’s IT systems and the data it holds. If boards
and senior management understand the value of their data to those of malicious
intent, if they know where that data is, how it is protected, and who has access to
it (including external sub-contractors), then they are in a stronger position to
implement a cyber resilient business model.
4.4. Regular cyber hygiene
While some regulations are complicated and need the support of technical
specialists, just four strategies (regular patching of application software;
regular patching of operating systems; minimising the number of systems
administrators with privileged access; and application whitelisting) will help
mitigate about 85% of the current panoply of malicious intrusions.
4.5. Redundancy, backup systems and response plans
There have been enough publicised instances of malicious destruction of data, or
denial of access to data (as with ransomware), not to mention human errors
causing system failure or data loss, to make it axiomatic that companies build in
system redundancy and regular real-time backing up of data and records.
Redundancy and backup systems will be essential to recovery after a successful
attack. Boards also need to ensure that their enterprise war-games and regularly
exercised response plans can be implemented immediately if an attempted
attack is detected. Boards need to be proactive in ensuring these elementary
measures are implemented assiduously.
4.6. Proprietary malware protection systems
There is a growing range of off-the-shelf proprietary anti-malware systems
available to the ordinary cyber consumer. Cybersecurity technology companies
are developing solutions that have moved beyond the concept of ever-higher
digital firewalls, necessary as those are, into exciting new realms of predictive
and intuitive digital analysis, providing deeper layers of security. Major consulting
companies now promote one-stop-shop cybersecurity management packages
tailored to the needs of a particular enterprise.
4.7. Access professional expertise
Cybersecurity technology is now so complex that few companies can afford the
expertise and resources to achieve cyber resilience on a solely in-house basis.
Access to regular, independent, professional advice on cybersecurity is essential,
as attack methodologies proliferate in depth and breadth. Increasingly niche
cybersecurity providers, in addition to the larger business consulting firms, have
the expertise and access to sophisticated protective cyber security systems that
will assist boards to support their CIOs with professional advice and customised
software solutions. What can never be outsourced, however, is ultimate
responsibility for cybersecurity within an enterprise.
4.8. Continuous investment
The tools of cyber offence are developing so rapidly that the tools of defence are
constantly struggling to keep up. For this reason, investment in cybersecurity can
never be a one-off activity. Effective cyber resilience requires continuous
investment in the upgrading and refining of protective systems as a normal cost
of business.
4.9. The human factor
While the vast majority of cyber-attacks emanate from outside the enterprise,
human error within the organization, including through a lack of security
awareness, is an important contributor to security breaches. Cyber resilience
requires the active participation not simply of the company’s systems
administrators, but of all staff who access the system and who, as normal human
beings, are tempted to click on spam or open unverified email attachments.
Without regular staff training and security skills upgrading, company expenditures
on the most sophisticated protection systems will be less effective. A strong
culture of cybersecurity resilience, including an informed and committed staff,
creates an environment where peer behaviour reinforces positive security
practices.
In my experience, staff react positively to examples-based cybersecurity training.
They lap up the narrative of cybersecurity incidents. They are intrigued by the
technology of cyber offence and defence, and they respond well to being
included as partners within the enterprise’s cybersecurity effort. Cybersecurity
can be professionally rewarding and fun. For some, however, it is more than fun.
Another source of cyber-attack is the trusted insider, a person who uses access
to the company IT system either to steal proprietary information or to vent a
grievance by disrupting or disabling the system. A combination of strong security
controls, including access and usage monitoring, together with sound staff
management practices, can help mitigate this threat.
4.10. Report breaches
While it is up to stock exchanges and governments to set rules for company
reporting of significant cybersecurity breaches, it is important that anti-malware
service providers and government cybersecurity agencies be informed of the
nature and extent of cyber-attacks. Timely reporting assists the anti-hackers to
develop and deliver new solutions to manage and neutralise malicious intrusions.
In this sense, breach reporting is both an act of self-help and an important
element of cyber resilience.
5. Special Circumstance and Exception
There is no exception to this policy.
Any deviation from this policy must be approved by <IT Director>. Any change to
the policy must be approved by Legal and Compliance.
6. Non-compliance and Consequence
Any non-compliance with the policy must be brought to the notice of the IT
Security team and the Manager immediately, with as much evidence as possible.
Any such violation of the policy will be dealt with as appropriate by the IT
Security team together with the Manager and HR.
This template is brought to you by www.greythr.com