IT Security

Cybersecurity Policies and Planning

What are Cybersecurity Policies and Plans?

To protect against cyberattacks, it is important for all organizations to develop cybersecurity plans and policies. Small businesses may think that such plans are overly elaborate or unnecessary, but every business with a single computer or even one credit card terminal is vulnerable to serious cybersecurity threats and should have plans for preventing and addressing them. To this end, CISA and the FCC offer a Cyberplanner tool where small businesses can create customized security planning guides.[1] Using the tool, an organization can select which of the following sections to include in its generated planning guide. Each section represents an important aspect of cybersecurity management that could benefit a business of any size or type. Previewing these aspects of cybersecurity planning can help you determine which apply to your business and may help you recognize areas of vulnerability that you have not sufficiently considered before.

Privacy and Data Security

  • Establish security roles and responsibilities
  • Establish an employee internet usage policy
  • Establish social media policy
  • Identify potential reputation risks

Scams and Fraud

  • Train employees on social engineering
  • Protect against online fraud
  • Protect against phishing
  • Don’t fall for fake antivirus offers
  • Protect against malware
  • Develop a layered approach to guard against malicious software
  • Verify the identity of telephone information seekers

Network Security

  • Secure internal network and cloud services
  • Develop strong password policies
  • Secure and encrypt your company’s Wi-Fi
  • Encrypt sensitive company data
  • Regularly update all applications
  • Set safe web browsing rules
  • If remote access is enabled, make sure it is secure

Website Security

  • Carefully plan and address the security aspects of the deployment of a public web server
  • Implement appropriate security management practices and controls when maintaining and operating a secure web server
  • Ensure that web server operating systems meet your organization’s security requirements
  • Ensure the web server application meets your organization’s security requirements
  • Ensure that only appropriate content is published on your website
  • Ensure appropriate steps are taken to protect web content from unauthorized access or modification
  • Use active content judiciously after balancing the benefits and risks
  • Use authentication and cryptographic technologies as appropriate to protect certain types of sensitive data
  • Employ network infrastructure to help protect public web servers
  • Commit to an ongoing process of maintaining web server security

Email

  • Set up a spam email filter
  • Train your employees in responsible email usage
  • Protect sensitive information sent via email
  • Set a sensible email retention policy
  • Develop an email usage policy

Mobile Devices

  • Use security software on all smartphones
  • Make sure software is up to date
  • Encrypt the data on mobile devices
  • Have users password protect access to mobile devices
  • Urge users to be aware of their surroundings
  • Employ strategies for safely emailing, texting, and social networking
  • Set reporting procedures for lost or stolen equipment
  • Ensure all devices are wiped clean prior to disposal

Employees

  • Develop a hiring process that properly vets candidates
  • Perform background checks and credentialing
  • Take care in dealing with third parties
  • Set appropriate access controls for employees
  • Provide security training for employees

Facility Security

  • Recognize the importance of securing your company facilities
  • Minimize and safeguard printed material with sensitive information
  • Ensure mail security
  • Dispose of trash securely
  • Dispose of electronic equipment securely
  • Train your employees in facility security procedures

Operational Security

  • Identify critical information
  • Analyze threats
  • Analyze vulnerabilities
  • Assess risk
  • Apply appropriate OPSEC measures

Payment Cards

  • Understand and catalog the customer and card data you keep
  • Evaluate whether you need to keep all the data you store
  • Use secure tools and services
  • Control access to payment systems
  • Use security tools and resources
  • Remember the security basics

Incident Response and Reporting

  • Notify law enforcement if necessary
  • Work cohesively across technical and leadership teams to limit the damage
  • Begin recovery efforts
  • Hold a ‘lessons learned’ meeting

Policy Development and Management

  • Establish security roles and responsibilities
  • Establish an employee internet usage policy
  • Establish a social media policy
  • Identify potential reputation risks

[1] FCC, 2022, "Cyberplanner"