Cyber Security Policy

How does it work?

1. Choose this template

Start by clicking on "Fill out the template"

2. Complete the document

Answer a few questions and your document is created automatically.

3. Save - Print

Your document is ready! You will receive it in Word and PDF formats. You will be able to modify it.

Last revision: 3 weeks ago
Formats: Word and PDF
Size: 10 to 15 pages

What is a Cyber Security Policy?

A Cyber Security Policy is a document used by an employer or organisation to outline their protocols, standards, and procedures for employees, contractors, consultants and other workers (which we'll just refer to as "employees") to follow in relation to cyber security, both during work hours and in their personal time.

In a Cyber Security Policy, the employer communicates the expectations and requirements of employees with regard to maintaining cyber security. This includes areas such as how and where to access their work devices outside the workplace, the correct storage of devices when not in use, the appropriate handling of sensitive data, reporting a loss or theft of a work device, procedures for system updates, measures to protect data on devices, security when using social media and email, minimum requirements for passwords and restrictions on the use of removable devices.


Apart from a Cyber Security Policy, what other employment policies does an employer need?

In addition to a Cyber Security Policy, there are various other employment policies that employers should consider, such as:


Is it mandatory to have a Cyber Security Policy?

This depends on the nature of the organisation and the industry in which it operates. For organisations that operate in regulated industries such as critical infrastructure, financial services, health, or for government contractors, it is often mandatory that the organisation has a written Cyber Security Policy.

Even if it is not mandatory, it is strongly recommended for all businesses in Australia, given the increasing volume and complexity of cyber security risks.


Who is involved in a Cyber Security Policy?

Usually senior members of staff such as managers or directors will prepare the Cyber Security Policy. IT staff are also likely to be involved.


What can be the duration of a Cyber Security Policy?

There is no expiry date for a Cyber Security Policy so it can remain in place indefinitely.

However, it should be reviewed regularly to ensure that it is up to date with current laws and with the organisation's current practices.


What has to be done once a Cyber Security Policy is ready?

Once a Cyber Security Policy is ready, it should be printed and/or saved electronically and kept on file with the employer, and employees should be made aware of it. For example, any existing employees should be notified of it and given a copy of it. Many employers use a Letter to Employees about New or Updated Workplace Policies to do this. In addition, each time a new employee starts work with the employer, the new employee should be given a copy of the policy.

It is also a good idea to keep the policy in a place where it is easy for employees to refer to it - for example, physical copies could be kept in communal areas such as staff rooms. It could also be made available online, for example on the employer's shared drive.

If the employer is getting employees to sign this policy, the employer should get each employee to return a signed signature page, and should keep those signed pages on file.

From time to time, if the employer implements new rules or procedures, it may be necessary to update the policy. When this occurs, the employer may notify employees of the updates, and release a new version of the policy. The employer may ask employees to sign a new signature page at that time, to acknowledge the updated policy.


What must a Cyber Security Policy contain?

This document should be used by an employer wishing to outline their rules and practices concerning cyber security. The document can include information about:

  • which workers the policy applies to.
  • which kinds of work the policy applies to.
  • who workers should report cyber security issues to.
  • general security practices at the workplace (such as sharing account details, and updating software).
  • password requirements.
  • software and hardware requirements.
  • security while using social media.
  • handling and storing sensitive data.
  • how to report and respond to a cyber security incident.

The employer must ensure the document truly represents their actual approach to these matters. The Australian Government's Business website provides useful guidance about cyber security. If in doubt, seek professional advice from lawyers and/or IT professionals.


Which laws are applicable to a Cyber Security Policy?

Cyber Security Policies may be influenced by various Australian laws. These include but are not limited to:

  • Privacy Act 1988 (Commonwealth)
  • Crimes Act 1914 (Commonwealth)
  • Cybercrime Act 2001 (Commonwealth)
  • Telecommunications (Interception and Access) Act 1979 (Commonwealth)
  • State and Territory legislation related to criminal law and law enforcement
  • Industry specific legislation, such as the Security of Critical Infrastructure Act 2018 (Commonwealth)

In addition, the Fair Work Act 2009 (Commonwealth) deals with other employment matters such as unfair dismissal.

Ordinary principles of contract law, as provided by the common law, may also apply to the general terms of the employee's employment.


How to modify the template?

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.
