"We go to great lengths to protect our computer systems and equipment from the threat of a cyberattack. Our comprehensive network is designed to protect us from both internal and external threats. We’ve expanded our use of next-generation intrusion detection and prevention tools to further protect our customers’ personal information. And we’re regularly training our employees to stay aware of potential cyber threats."
I confess to having been more than a little disappointed. This is more a statement of good intentions and practices than a policy. None of my expectations of a "policy" were met.
As both a practitioner of security and a customer of, and investor in, the enterprise, I would expect a policy, at a minimum, to:
- require that managers protect the assets that they control.
- express the organization's tolerance for risk, or
- some measure of the level of security to be achieved, and
- require measurement and reporting of results, i.e., achievements and failures.
The first and fourth bullets may be difficult to execute, while the second and third are difficult to express. Such expression should ensure:
- a consistent level of effective and efficient security across the enterprise,
- that precious resources get appropriate protection,
- while expensive measures are reserved only for those assets that require them.
Note that management's tolerance for cyber risk will differ by industry, application, and maturity of the business. A "startup" may have a very high tolerance for cyber risk, in part because its business risk is already high. A mature company in a sensitive industry, such as finance, transportation, or energy, might be far less tolerant.