
Policies are rules. They stipulate what is allowed and what is not. Good policies must be practically achievable and enforceable, neither too strict nor too loose – this is the hard part. Too strict will invite policy exceptions; too loose will turn the policy into a decorative statement on the signboard.
Writing good cybersecurity policies requires these as a foundation:
- The policy maker must understand the business model and what outcomes are to be delivered
- What risk appetite the organization is willing to take; after all, there is no 100% secure business in the world
- How the requirements will enable the business securely without prohibiting innovation; we are living in the digital transformation era and everything is moving into cyber
- What peers or the industry are doing, and whether the bar is set too high or too low
That said, don’t just apply textbook knowledge; listen to the business units about what will work and what will not. Strike the right balance with the 80/20 rule.