Free Cyber Security Policy Template
Free cyber security policy template for businesses. Covers access control, malware protection, data backup, and incident response procedures.
Cyber Security Policy
[Insert your company/business name]
Effective date: [insert date]
1. Introduction and scope
1.1 This cyber security policy sets out the rules and standards that must be followed by all employees, contractors, and other personnel of [insert your company/business name] (the "Company") when using the Company's IT systems, networks, and data.
1.2 The purpose of this policy is to protect the confidentiality, integrity, and availability of the Company's information assets and IT infrastructure.
1.3 This policy applies to all employees, temporary workers, contractors, consultants, and any other individuals who have access to the Company's IT systems and data, whether on Company premises or remotely.
1.4 All personnel are required to read, understand, and comply with this policy. Failure to comply may result in disciplinary action, up to and including termination of employment or engagement.
2. Key contacts
2.1 The following individuals are responsible for overseeing cyber security within the Company:
(a) IT Security Manager: [name], [email address], [telephone number];
(b) Data Protection Officer: [name], [email address], [telephone number];
(c) Managing Director: [name], [email address], [telephone number].
2.2 All cyber security incidents and concerns should be reported to the IT Security Manager in the first instance.
2.3 In the absence of the IT Security Manager, reports should be made to the [Data Protection Officer / Managing Director].
3. Password security
3.1 All passwords used to access the Company's IT systems must:
(a) be at least [12 / 14] characters in length;
(b) contain a combination of upper-case and lower-case letters, numbers, and special characters;
(c) not include easily guessable information such as names, birthdays, or common words; and
(d) be unique to each system or service (i.e. the same password must not be used for multiple accounts).
3.2 Passwords must be changed at least every [90] days, or immediately if there is any suspicion that a password has been compromised.
3.3 Passwords must not be shared with any other person, written down, or stored in an unencrypted format. The use of an approved password manager is encouraged.
3.4 Where available, multi-factor authentication (MFA) must be enabled on all Company systems and accounts.
4. Security measures
4.1 All personnel must:
(a) lock their computer screens when leaving their workstation unattended, even for short periods;
(b) ensure that Company devices are stored securely when not in use;
(c) not disable, circumvent, or interfere with any security measures, including firewalls, antivirus software, and encryption tools, installed on Company systems.
4.2 All Company devices must have up-to-date antivirus and anti-malware software installed and running at all times.
4.3 Operating systems, applications, and firmware must be updated promptly when security patches or updates are made available.
4.4 Sensitive data must be encrypted when stored on portable devices or transmitted over external networks, using encryption methods approved by the Company.
5. Reporting security breaches
5.1 All personnel must report any actual or suspected cyber security breach or incident to the IT Security Manager immediately, and in any event within [24] hours of becoming aware of the breach.
5.2 A security breach includes, but is not limited to:
(a) unauthorised access to Company systems, data, or premises;
(b) loss or theft of Company devices, data, or documents;
(c) receipt of suspicious emails, messages, or communications (including phishing attempts);
(d) detection of malware, ransomware, or other malicious software on Company systems.
5.3 Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, certain personal data breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours of the Company becoming aware of the breach.
5.4 Personnel must not attempt to investigate or resolve security incidents themselves unless expressly authorised to do so by the IT Security Manager.
6. Use of personal devices
6.1 The use of personal devices (including mobile phones, tablets, laptops, and USB storage devices) for Company business is [permitted only with the prior written approval of the IT Security Manager / not permitted].
6.2 Where personal devices are approved for use, the following conditions apply:
(a) the device must be protected by a password or biometric lock;
(b) the device must have up-to-date antivirus software installed;
(c) Company data must not be stored locally on the personal device unless encrypted;
(d) the Company reserves the right to remotely wipe Company data from the device if it is lost, stolen, or if the individual's employment or engagement is terminated.
6.3 Personal USB storage devices and external hard drives must not be connected to Company systems without prior authorisation.
7. Software installation
7.1 Personnel must not install any software, applications, or browser extensions on Company devices without the prior approval of the IT Security Manager.
7.2 Only software that has been approved and licensed by the Company may be installed on Company devices.
7.3 Personnel must not download or install software from untrusted or unverified sources.
7.4 The IT Security Manager will maintain a list of approved software, which will be made available to all personnel upon request.
8. Prohibited activities
8.1 The following activities are strictly prohibited when using the Company's IT systems:
(a) accessing, downloading, storing, or distributing any unlawful, offensive, obscene, or inappropriate material;
(b) using Company systems for any illegal or fraudulent activity;
(c) attempting to gain unauthorised access to any systems, networks, or data, whether belonging to the Company or any third party;
(d) introducing viruses, malware, or other malicious code into the Company's IT systems, whether intentionally or through reckless behaviour;
(e) sharing Company credentials or access tokens with unauthorised individuals.
8.2 The use of Company IT systems for personal purposes should be kept to a minimum and must not interfere with the performance of work duties.
9. System misuse
9.1 Any misuse of the Company's IT systems, whether intentional or through negligence, will be treated as a serious matter.
9.2 Examples of system misuse include, but are not limited to:
(a) using another person's credentials to access Company systems;
(b) deliberately accessing or modifying data without authorisation;
(c) sending bulk unsolicited emails or messages from Company systems;
(d) deliberately disrupting or degrading the performance of Company systems or networks.
9.3 System misuse may constitute a criminal offence under the Computer Misuse Act 1990 and may be reported to the relevant authorities.
10. Disciplinary consequences
10.1 Any breach of this policy may result in disciplinary action in accordance with the Company's disciplinary procedure.
10.2 Serious breaches of this policy may constitute gross misconduct, which may result in summary dismissal without notice.
10.3 Where a breach of this policy involves illegal activity, the Company reserves the right to report the matter to the relevant law enforcement authorities.
10.4 Contractors and other non-employee personnel who breach this policy may have their engagement terminated with immediate effect.
11. Changes to this policy
11.1 The Company reserves the right to amend this policy at any time. Personnel will be notified of material changes.
11.2 This policy will be reviewed at least [annually] to ensure it remains current and effective.
11.3 Any questions about this policy should be directed to the IT Security Manager using the contact details set out in Section 2 above.
This document was created using a free template from SEQ Legal.
This template is provided for general information purposes only and does not constitute legal advice. You should adapt it to suit your specific circumstances. Consider seeking professional legal advice before relying upon this document.
Policy contents
There are three main parts to the policy. First, the introduction to the policy puts the document in context, provides for key contact information and identifies the role of employees and contractors. Second, the policy sets out some specific cyber security requirements which all personnel should adhere to. These include requirements relating to passwords, the circumvention of security measures, reporting security breaches, use of non-company devices for connecting to company systems, software installation and risky internet behaviour. Third, the policy identifies the types of action which will constitute system misuse – which may constitute a disciplinary issue.
It should be stressed that this simple policy is not suitable for more complex organisations.