Cyber Security Policy

The cyber security sector, which comprises a wide spectrum of people, businesses, government agencies and more, generates a significant amount of news on any given day. The Washington Post, for example, published no fewer than 500 articles on cybersecurity between October 2018 and October 2019. Some publications, like CSO, only write about cybersecurity. Others, like Wired, offer some of the best coverage of cyber security and cyber security policy. Our goal at Journal of Cyber Policy is to curate this news deluge and offer you a selection of articles, industry news announcements and expert insights into the news.


What is cyber security policy?

The term “cyber security policy” refers to a broad collection of corporate rules, laws, compliance regulations and international norms that govern—or at least try to govern—the activities of people and organizations tasked with protecting digital assets. Many, if not most, organizations have some form of cyber security policy. The maturity of these policies and their respective degrees of implementation vary widely.

To understand what cyber security policy stands for, it’s useful to compare it to its predecessor, information security (InfoSec) policy. InfoSec was (and still is, to a great extent) a set of practices and rules that dictated how a corporation or public sector organization would protect its networks, computer systems and data. The guiding principles of InfoSec were aimed at ensuring the availability, integrity and confidentiality of these digital assets.

Cyber security policy also exists to guard the availability, integrity and confidentiality of networks, systems and data. What’s different? The differences have to do with the expanding scope of cyberspace. A generation ago, in the early 2000s, corporate InfoSec teams could be reasonably confident they were protecting their organizations’ digital assets by keeping intruders outside the network perimeter with good firewall policies, access control policies and so forth. This is no longer a good assumption.

There is no more perimeter. Corporate data, along with access-bearing endpoints, are strewn across the world. Data and applications reside in the cloud. Employees carry mobile devices with enterprise network access anywhere they go. Wireless connectivity is ubiquitous on corporate campuses.

What’s also changed is the nature of the threats and the threat actors. Hacking of corporations by nation state actors was less common in the 1990s than it is today. It went on, but it was certainly a lot less noisy and catastrophic. Today’s CISO must worry about attacks from Russia, China, Iran, North Korea and other malicious nation state actors. These countries are interested in disrupting American industry and society while they go about stealing valuable corporate data, American citizens’ information and intellectual property (IP).

Cyber security policy is thus an upgrade from the more localized InfoSec policies of a generation ago. The goals are similar, but the scope is vastly expanded. The perimeter is global. The attackers are stealthy and incredibly well-prepared and funded.


Elements of cyber security policy

Cyber security policy encompasses a wide variety of rules and related organizational doctrines. For example, one of the most visible changes in the last few years has been the elevation of cyber security policy to a board-level responsibility. Through the early 2000s, security was typically a branch of the IT department. Now, large organizations often have a board member or board committee devoted to the issue. This function may also deal with compliance and business continuity, which are also rooted in the same information technologies as cyber security.

Other key elements of cyber security policy include:

  • Hardware security rules, e.g. working with vendors who have “secure silicon” policies
  • Cyber hygiene, e.g. employee practices and related cyber hygiene training
  • Application security policies
  • Data security policies, e.g. encryption at rest
  • Access control policies, e.g. strong passwords, Multi-Factor Auth (MFA)
  • Network security policies
  • Cloud security policies
  • Privileged Access Management (PAM)
  • Continuous monitoring policies
  • Endpoint hardening policies
  • Endpoint detection and response
  • AI-based security monitoring as a policy, e.g. it must be done at all times
  • Disaster Recovery (DR) policies
