How to create an information security policy for your NSW business.

The digital age has made a robust and dedicated data security plan more valuable than ever. Sixty-three cyber security breach cases were reported among Australian businesses through the Notifiable Data Breaches scheme between January and March this year, according to the Office of the Australian Information Commissioner.

In order to meet this data threat, everyone in your chain of command should be on the same page about how to protect yourself from cyber issues that can affect your NSW business or customers.

One effective means of addressing online threats to your data is to develop an information security policy, which gives everyone a shared set of rules for tackling cyber security issues. Here’s a step-by-step guide on how to create and implement one in your NSW business.

What’s an information security policy?

This document is a set of policies issued by a business to ensure all data users and procedures within the enterprise network adhere to information security guidelines. These rules are established in order to better protect commercial or customer data stored digitally within the enterprise network or bounds of the organisation’s authority.

With the amount of information shared between modern businesses and their customers increasing by the day, and this data becoming accessible from multiple devices and networks, one central handbook for the dos and don’ts of business data security is vital.

It’s vital that everyone in your business is on the same page about accessing and securing company data.


Step One: Know the must-haves

A robust information security policy needs to cover a number of important bases. The Department of Industry established the key information you need to include:

Handling sensitive data – identifying sensitive data, when and how you share this company or client information, appropriately storing and securing digital files and ensuring data security compliance, especially in response to cyber breaches.

Using company technology – clearly stating company computer and mobile device terms of use, including using passwords and security programmes, checking for malware or other cyber issues and establishing what kinds of websites and applications employees can access on these devices.

Accessing social media and online applications – which non-workplace platforms staff can use and best practice for reducing the risk of exposure to online threats. This should also detail what information employees can publish in a public forum.

Step Two: Scale your information security policy to your operations

It’s very important when drafting an information security policy that you scale the guidelines to reflect your current business enterprise and technology. If you miss any details, you may be unhappy with how your employees fill in the gaps themselves!

Nearly as important as matching your security controls to your capacity is planning for the future. The best information security policies also account for future growth opportunities and how these will affect your amount of stored data, network infrastructure and technology used. Consider how your business may change over the next five years when drafting these security controls.

Risk assessment is a vital part of an information security policy.

Step Three: Consider risk assessment and response

Risk assessment is a vital part of your security controls. Without it, your enterprise will be unable to check for ongoing data security concerns and identify opportunities to strengthen your information security policy. For a thorough IT risk assessment, consider seeking the help of managed IT professionals such as Biztech.

A coherent response to cyber security breaches is also vital to effectively addressing data threats. The most essential element here is ensuring any affected suppliers or customers are aware of the issue. This notification process is mandated by the Notifiable Data Breaches scheme – failure to follow this process is punishable with severe fines and other penalties.

Your information security policy should also identify who deals with cyber security issues, how they do so and what measures need to be taken to recover compromised data.

Step Four: Get experts involved

An information security policy that ticks all the right boxes, establishes scalable security controls and takes into account risk management and response is hard to get right. If you need help creating or implementing an information security policy or have other network security concerns, contact the team at Biztech today.