Businesses of all sizes that have employees need an employee handbook that includes specific rules regarding employee usage of business technology systems and data. If you hope to enforce effective cybersecurity policy, you’ll need to ensure that you have the appropriate rules in place and that employees are properly trained.
The following are examples of rules and cybersecurity policies that businesses can implement to govern the use of company technology resources:
- Employees are expected to use technology responsibly, appropriately, and productively, as necessary to perform their professional responsibilities.
- Company devices, and the company internet access and email provided to employees, are for job-related activities. Minimal personal use is acceptable provided that it does not violate any other company rule and does not interfere with the employee's work.
- Each employee is responsible for any computer hardware and software provided to them by the company, including for the safeguarding of such items from theft, loss, or damage.
- Each employee is responsible for their accounts provided by the company, including the safeguarding of access to the accounts.
- Employees are strictly prohibited from sharing any company-provided items used for authentication (passwords, hardware authentication devices, PINs, and so on) and are responsible for safeguarding such items.
- Employees are strictly prohibited from connecting any networking devices, such as routers, access points, range extenders, and so on, to company networks unless explicitly authorized to do so by the company’s CEO. Likewise, employees are strictly prohibited from connecting any personal computers or electronic devices — including any Internet of Things (IoT) devices — to company networks other than to the Guest network, under the conditions stated explicitly in the Bring Your Own Device (BYOD) policy.
- Employees are responsible for making sure that security software is running on all company-provided devices. The company provides such software, but it cannot verify that it is always functioning as expected on every device. Employees may not deactivate or otherwise cripple such security systems, and must promptly notify the company's IT department if they suspect that any part of the security systems is compromised, nonfunctioning, or malfunctioning.
- Employees are responsible for making sure that security software is kept up to date. All company-issued devices come with Auto-Update enabled; employees must not disable it.
- Likewise, employees are responsible for keeping their devices up to date with the latest operating system, driver, and application patches as vendors release them. Here too, all company-issued devices come with Auto-Update enabled, and employees must not disable it.
- Performing any illegal activity, whether the act is a felony, a misdemeanor, or a violation of civil law, is strictly prohibited. This rule applies to federal, state, and local law in any place and at any time in which the employee is subject to such laws.
- Copyrighted materials belonging to any party other than the company or employee may not be stored or transmitted by the employee on company equipment without explicit written permission of the copyright holder. Material that the company has licensed may be transmitted as permitted by the relevant licenses.
- Sending mass unsolicited emails (spamming) is prohibited.
- The use of company resources to perform any task that is inconsistent with the company's mission, even if the task is not technically illegal, is prohibited. This includes but is not limited to accessing or transmitting sexually explicit material, vulgarities, hate speech, defamatory materials, discriminatory materials, images or descriptions of violence, threats, cyberbullying, hacking-related material, stolen material, and so on.
- The preceding rule does not apply to employees whose jobs entail working with such material, but only to the extent reasonably needed for them to perform their duties. For example, personnel responsible for configuring the company's email filter may, without violating the preceding rule, email one another about adding various terms related to hate speech and vulgarities to the filter configuration.
- No company devices equipped with Wi-Fi or cellular communication capabilities may be turned on in China or Russia without explicit written permission from the company’s CEO. Loaner devices will be made available for employees making trips to those regions. Any personal device turned on in those regions may not be connected to the Guest network (or any other company network).
- All use of public Wi-Fi with corporate devices must comply with the company’s public Wi-Fi policies.
- Employees must back up their computers by using the company's backup system as described in the company's backup policy.
- Employees may not copy or otherwise back up data from company devices to their personal computers and/or storage devices.
- Every password for every system used as part of an employee's job must be unique and not reused on any other system. Each such password must either consist of three or more words, at least one of which is not found in an English dictionary, joined together with numbers or special characters, or meet all of the following conditions:
  - Contain eight characters or more
  - Contain at least one uppercase character
  - Contain at least one lowercase character
  - Contain at least one number
  - Not contain any word that can be found in an English dictionary
  - Not contain the name of a relative, friend, or colleague (this restriction applies to every password, including passphrases)
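The password rule above has two alternative paths (a passphrase or a complexity set) plus two conditions that cannot be decided from the password string alone (uniqueness across systems, and names of people the employee knows). The following Python checker is an added example written for this page, not code from the original policy or any product; it is the kind of validator you would wire into a self-service password-reset form or a directory password filter. Its assumptions, which the policy does not state, are: the tiny `ENGLISH_WORDS` set stands in for a real dictionary file; a passphrase "word" must be at least three letters; "contains a dictionary word" is a case-insensitive substring match on dictionary words of three or more letters; and the caller supplies `known_names` and `previously_used` because only the directory or HR system knows them.

```python
import string

# Constructed stand-in for an English dictionary (assumption of this example).
# A real check would load a full word list such as /usr/share/dict/words.
ENGLISH_WORDS = {
    "correct", "horse", "battery", "staple", "summer", "winter", "password",
    "welcome", "company", "secure", "monkey", "purple", "blue", "dragon",
}

# Characters the policy accepts as the "glue" between passphrase words:
# numbers or special characters. Spaces are deliberately not included.
SEPARATORS = set(string.digits + string.punctuation)

# Assumptions not stated in the policy (see lead-in).
MIN_WORD_LEN = 3        # a passphrase "word" needs at least this many letters
MIN_DICT_MATCH_LEN = 3  # ignore very short dictionary words in substring checks


def split_words(pw):
    """Return the runs of non-separator text in pw, in order."""
    words, current = [], []
    for ch in pw:
        if ch in SEPARATORS:
            if current:
                words.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        words.append("".join(current))
    return words


def contains_dictionary_word(pw, dictionary=ENGLISH_WORDS):
    """Case-insensitive substring match against dictionary words of 3+ letters."""
    low = pw.lower()
    return any(w in low for w in dictionary if len(w) >= MIN_DICT_MATCH_LEN)


def is_passphrase(pw, dictionary=ENGLISH_WORDS):
    """Three or more words joined by digits/special characters, at least one
    of which is not in the dictionary."""
    words = split_words(pw)
    if len(words) < 3:
        return False
    # "correct horse battery" is one token containing spaces: isalpha() fails,
    # so space-separated phrases are rejected as the policy requires.
    if not all(w.isalpha() and len(w) >= MIN_WORD_LEN for w in words):
        return False
    return any(w.lower() not in dictionary for w in words)


def is_complex(pw, dictionary=ENGLISH_WORDS):
    """Length, upper, lower, digit, and no dictionary word anywhere in pw."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and not contains_dictionary_word(pw, dictionary)
    )


def check_password(pw, dictionary=ENGLISH_WORDS, known_names=(), previously_used=()):
    """Return (accepted, reason). known_names and previously_used come from the
    caller; the policy's reuse and personal-name rules apply to every password."""
    if pw in previously_used:
        return False, "password reused from another system"
    low = pw.lower()
    for name in known_names:
        if name.lower() in low:
            return False, f"contains the name {name!r}"
    if is_passphrase(pw, dictionary):
        return True, "passphrase"
    if is_complex(pw, dictionary):
        return True, "complexity"
    return False, "meets neither the passphrase nor the complexity requirements"


if __name__ == "__main__":
    # Constructed candidates covering each branch of the rule.
    for candidate in ["horse-battery#wibble", "correct-horse-battery-staple",
                      "correct horse battery wibble", "Xq7vKp2m", "Summer2024"]:
        print(f"{candidate!r:34} -> {check_password(candidate)}")
```

Two design points worth keeping when adapting this: the reuse check compares the submitted password against a list the caller provides, so in practice you would compare hashes from the other systems rather than shipping plaintext passwords around; and `contains_dictionary_word` is a substring match, which is stricter than whole-word matching and is what makes "Summer2024" fail even though "Summer2024" is not itself a dictionary word.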
- Data may be taken out of the office for business purposes only and must be encrypted prior to removal. This rule applies whether the data is on a hard drive, SSD, CD/DVD, USB drive, or any other media, or is transmitted over the internet. All such data must be returned to the office (or, at the company's sole discretion, destroyed) immediately after its remote use is complete or upon the employee's termination of employment, whichever is sooner.
- In the event of a breach or other cybersecurity event or of any natural or manmade disaster, no employees other than the company’s officially designated spokesperson may speak to the media on behalf of the company.
- No devices from any manufacturer that the FBI or other United States federal law enforcement and intelligence agencies have warned that they believe foreign governments are using to spy on Americans may be connected to any company network (including the guest network) or brought into the physical offices of the company.
It's a good idea to customize these policies to accommodate your organization and industry, but these will act as a good start as you get up and running with your cybersecurity efforts.