End user cyber security policy (premium)
This cyber security policy is designed to regulate the use of company IT systems by employees and/or contractors.
This policy is intended for organisations that have a complex system user environment. It may be adapted to create a restrictive policy or a permissive policy, or one which mixes and matches restrictive and permissive provisions.
To increase the chances of the policy being read, understood and followed, it is relatively short, focusing upon the key issues. These key issues include the formulation of passwords, the circumvention of security software, keeping software up to date, reporting security breaches, use of personal devices for work purposes, use of work devices for personal purposes, portable storage media and public Wi-Fi networks.
In addition, the policy includes sections covering the training of personnel and the monitoring of IT systems.
This policy was created and is maintained by Emma Osborn of OCSRC (https://www.ocsrc.co.uk) in collaboration with SEQ Legal.
End user cyber security policy (premium) contents
- Introduction: employee and contractor contribution to security; concerns of company; the need for employees/contractors to be vigilant; providing information on how to keep the company secure; implementation of the policy; contact for queries; the policy is part of the contract.
- Cyber security requirements: rules about passwords; circumventing security measures; antivirus requirements; reporting of security breaches; no accessing work systems with personal devices; provisions for accessing company systems using own devices; taking IT equipment off company premises; exchanging data; no use of company equipment outside network; no personal use of company equipment; use of company devices for personal reasons; use of public cloud services; removing data from company premises; installing software onto company computer or phone; administrator accounts; accessing inappropriate content; use company VPN away from office; use company VPN with public Wi-Fi; use of equipment in public Wi-Fi networks; use of removable storage.
- Training: cyber security training for employees handling personal data; cyber security awareness training for personnel; random testing of employee cyber security awareness.
- Monitoring: monitoring of IT systems; personal data logged by the system; keeping of system logs.
- Handling mistakes: handling mistakes in a timely manner; solving the problem; when to report a mistake; details of the mistake to give the security team; mistakes on own device while connected to company's systems; failing to report system misuse.
- Consequences of system misuse: actions considered to be misuse of IT systems; consequences of IT system misuse.
- Declaration: required permissions; signature; signature line: first.