First, a big shout out! OK-NouNou uses policy templates that were originally based on designs provided by the Centre for Internet Security (CIS), but have since undergone considerable customisation and development, and in some areas are complete ground-up rewrites of the originals. The great thing about having a foundation built on CIS templates is that they are constructed with compliance in mind. The OK-NouNou templates keep that compliance intact, giving you GRC peace of mind.
We think it’s important to recognise the great work that the guys over at CIS provide.
Policy Examples
Acceptable Use Policy
The cornerstone of any corporate IT security framework starts with user buy-in to an AUP. By outlining the acceptable practices and defining the boundaries of technology use, AUPs empower us with the knowledge needed to navigate the digital landscape responsibly, while promoting cyber security, data privacy and a culture of respect.
Asset Management Policy
Asset management is the process of procuring, identifying, tracking, maintaining, and disposing of an asset owned by a business. This Asset Management Policy provides the rules for governing the asset life-cycle while a business is using an asset. An asset inventory list must be created and maintained to support asset management.
Asset & Data Secure Disposal
Information systems capture, process, and store information using a wide variety of media. This information is not only located on the intended media but also on devices used to create, process, or transmit this information. Any information device may require disposition to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.
Cyber Security Awareness Training Policy
Cyber security awareness training is a proactive, crucial and proven measure to help protect data, prevent breaches, maintain compliance, and safeguard the organization’s reputation and operations in an increasingly digital and interconnected world. Modern Cyber Security Frameworks require evidence that staff training takes place at least every 12 months.
Information Security Policy
The ISP is otherwise known as the MOAP (mother of all policies), and defines the mandatory minimum Information Security requirements, as defined in its Scope. This policy acts as an umbrella document to all other security policies and all associated standards. ISPs cover both an Information Risk Management function and an Information Technology Security function, and require the business to define both within its organisation.
Overseas Travel Policy
Cyber security travel policies offer guidance to travellers on how to protect your business data and information systems when travelling to, what could be considered, ‘high-risk’ countries. It should be assumed that, when travelling, your electronic devices may be accessed either physically or electronically, to steal information you have, or inject malware to gain remote access to your devices, and/or infect your organization’s network when you return.
Password Policy
Effective password policies are there to establish the rules and processes for creating, maintaining and controlling passwords – for the means of protecting your business systems and information.
Vulnerability Management Policy
The purpose of a Vulnerability Management Policy is to establish the rules for the review, evaluation, application, and verification of system updates, and to mitigate vulnerabilities in the IT environment and the risks associated with them. It addresses all systems, automated and manual, for which the business has administrative responsibility, regardless of the form or format, which is created or used in support of business activities.