"We go to great lengths to protect our computer systems and equipment from the threat of a cyberattack. Our comprehensive network is designed to protect us from both internal and external threats. We’ve expanded our use of next-generation intrusion detection and prevention tools to further protect our customers’ personal information. And we’re regularly training our employees to stay aware of potential cyber threats."
I confess to having been more than a little disappointed. This is more a statement of good intentions and practices than a policy. None of my expectations of a "policy" were met.
As both a practitioner of security and a customer of, and investor in, the enterprise, I would expect a policy, at a minimum, to:
- require that managers protect the assets that they control.
- express the organization's tolerance for risk, or
- some measure of the level of security to be achieved, and
- require measurement and reporting of results, i.e., achievements and failures
- other
The first and fourth bullets may be difficult to execute, while the second and third are difficult to express. Such expression should ensure:
- a consistent level of effective and efficient security across the enterprise,
- that precious resources get appropriate protection,
- while expensive measures are reserved only for those assets that require them.
Note that management's tolerance for cyber risk will differ by industry, application, and maturity of the business. A "startup" may have a very high tolerance for cyber risk, in part because its business risk is already high. A mature company in a sensitive industry, such as finance, transportation, or energy, might be far less tolerant.