CYBER RISK AND LIABILITIES
POLICIES TO MANAGE RISK. All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputations and discouraging inappropriate behaviour by employees.
Many companies already have these types of policies in place, but they may need to be tailored to reflect the increasing impact of cyber risk on everyday transactions, both professional and personal. As with any other business document, cyber security policies should follow good design and governance practices: not so long that they become unusable, not so vague that they become meaningless, and reviewed regularly to ensure that they stay pertinent as your business' needs change.

ESTABLISH SECURITY ROLES AND RESPONSIBILITIES. One of the most effective and least expensive means of preventing serious cyber security incidents is to establish a policy that clearly defines the separation of roles and responsibilities with regard to systems and the information they contain. Many systems are designed to provide strong role-based access control (RBAC), but this tool is of little use without well-defined procedures and policies to govern the assignment of roles and their associated constraints. At a minimum, such policies need to clearly identify company data ownership and employee roles for security oversight and their inherent privileges, including:
• Necessary roles , and the privileges and constraints accorded to those roles
• The types of employees who should be allowed to assume the various roles
• How long an employee may hold a role before access rights must be reviewed
• If employees may hold multiple roles , the conditions defining when to adopt one role over another
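The four points above map directly onto data a system can enforce. The following added example (it is not from the original page) encodes a small constructed role catalogue with privileges, eligible employee types, a review interval and mutually exclusive roles, then audits a set of assignments for ineligible holders, overdue reviews and separation-of-duties conflicts, and resolves which privileges apply when one employee holds several roles. The role names, employee types and dates are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Role:
    """One role from the policy: what it may do, who may hold it, and its constraints."""
    name: str
    privileges: frozenset          # rights accorded to the role
    eligible_types: frozenset      # employee types allowed to assume it
    review_after_days: int         # maximum age of an assignment before re-review
    conflicts_with: frozenset = frozenset()  # roles that must never be held together


@dataclass
class Assignment:
    employee: str
    employee_type: str
    role: str
    granted: date
    last_reviewed: date


# Constructed role catalogue (assumption, not from the page). The payroll pair is
# a classic separation-of-duties case: nobody may both enter and approve payroll.
ROLES = {
    "payroll_clerk": Role("payroll_clerk", frozenset({"payroll:read", "payroll:write"}),
                          frozenset({"staff"}), 180, frozenset({"payroll_approver"})),
    "payroll_approver": Role("payroll_approver", frozenset({"payroll:read", "payroll:approve"}),
                             frozenset({"manager"}), 180, frozenset({"payroll_clerk"})),
    "privacy_steward": Role("privacy_steward", frozenset({"pii:read", "pii:export"}),
                            frozenset({"staff", "manager"}), 90),
    "contractor_reader": Role("contractor_reader", frozenset({"docs:read"}),
                              frozenset({"contractor"}), 30),
}

# Constructed sample assignments; several deliberately violate the policy.
SAMPLE = [
    Assignment("alice", "staff", "payroll_clerk", date(2024, 1, 10), date(2024, 1, 10)),
    Assignment("alice", "staff", "payroll_approver", date(2024, 3, 1), date(2024, 3, 1)),
    Assignment("bob", "contractor", "privacy_steward", date(2024, 2, 1), date(2024, 2, 1)),
    Assignment("carol", "manager", "payroll_approver", date(2023, 6, 1), date(2023, 11, 1)),
    Assignment("dave", "staff", "privacy_steward", date(2024, 5, 1), date(2024, 5, 15)),
]


def check_assignments(assignments, roles=ROLES, today=None):
    """Return (employee, problem) tuples for every policy violation found."""
    today = today or date.today()
    problems = []
    held_by = {}
    for a in assignments:
        role = roles.get(a.role)
        if role is None:
            problems.append((a.employee, f"unknown role {a.role}"))
            continue
        if a.employee_type not in role.eligible_types:
            problems.append((a.employee, f"{a.employee_type} may not hold {a.role}"))
        if today - a.last_reviewed > timedelta(days=role.review_after_days):
            problems.append((a.employee, f"{a.role} review overdue"))
        held_by.setdefault(a.employee, set()).add(a.role)
    # Separation of duties: report each conflicting pair once per employee.
    for employee, held in held_by.items():
        for r in sorted(held):
            for c in sorted(roles[r].conflicts_with & held):
                if r < c:
                    problems.append((employee, f"holds conflicting roles {r} and {c}"))
    return problems


def effective_privileges(assignments, employee, active_role=None, roles=ROLES):
    """Privileges the employee may exercise now. With several roles held, the
    caller must name the adopted role; privileges are never silently unioned."""
    held = {a.role for a in assignments if a.employee == employee and a.role in roles}
    if not held:
        return frozenset()
    if active_role is None:
        if len(held) > 1:
            raise ValueError(f"{employee} holds {sorted(held)}; an active role must be chosen")
        (active_role,) = held
    if active_role not in held:
        raise PermissionError(f"{employee} does not hold {active_role}")
    return roles[active_role].privileges


if __name__ == "__main__":
    for emp, problem in check_assignments(SAMPLE, today=date(2024, 6, 1)):
        print(f"{emp}: {problem}")
    print("dave may:", sorted(effective_privileges(SAMPLE, "dave")))
```

Run against the sample on 2024-06-01 it reports alice as ineligible for payroll_approver and as holding both payroll roles, bob as an ineligible contractor with an overdue review, and carol's approver review as overdue. In a production system the privilege lookup would also refuse any employee with open violations rather than leaving that to a separate audit.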
Depending on the types of data regularly handled by your business, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business that handles large volumes of personal information from its customers may benefit from identifying a chief steward for customers' privacy information. The steward could serve not only as a subject matter expert on all matters of privacy, but also as the champion for process and technical improvements to the handling of personally identifiable information (PII).
DEVELOP A PRIVACY POLICY. Privacy is important for your business and your customers. Continued trust in your business practices, products and secure handling of your clients' unique information impacts your profitability.
YOUR PRIVACY POLICY IS A PLEDGE TO YOUR CUSTOMERS THAT YOU WILL USE AND PROTECT THEIR INFORMATION IN WAYS THAT THEY EXPECT AND THAT ADHERE TO YOUR LEGAL OBLIGATIONS.
Your policy should start with a simple, clear statement describing the information you collect about your customers (physical addresses, email addresses, browsing history, etc.) and what you do with it.
It's important to create your privacy policy with care and post it clearly on your website. It's also important to share your privacy policies, rules and expectations with all employees and partners who may come into contact with that information. Your employees need to be familiar with your privacy policy and what it means for their daily work routines.
ESTABLISH AN EMPLOYEE INTERNET USAGE POLICY. The limits on employee Internet usage in the workplace vary widely from business to business. Your guidelines should allow employees the maximum degree of freedom they require to be productive (for example, short breaks to surf the Web or perform personal tasks online have been shown to increase productivity). At the same time, rules for behaviour are necessary to ensure that all employees are aware of boundaries, both to keep themselves safe and to keep your company successful. Some guidelines to consider:
• Personal breaks to surf the Web should be limited to a reasonable amount of time and to certain types of activities.
• If you use a Web filtering system , employees should have clear