It is a commonplace that human behaviour is the weakest link in organisations' cyber security strategies. The more freedom staff have to use IT systems, the more scope there is for a security breach. But locking down IT systems is not usually the answer: the less freedom staff have, the less useful the IT systems will be.
All organisations must decide where to draw the line. But whether staff are subject to loose or stringent IT system controls, mechanisms to discourage high-risk behaviour will always have a part to play. A carefully tailored end user cyber security policy is one such mechanism.
The default text in this cyber security policy template includes both general and specific prohibitions on the use of organisation IT systems. For example, the use of company devices for private purposes may be prohibited. Similarly, the use of private devices for company business may be prohibited.
The policy comes in standard and premium versions, with the former being a shortened version of the latter. The key provisions omitted from the standard policy cover BYOD, monitoring, training requirements and permissive provisions on use of company devices.
This policy may be used in relation to employees, non-employed contractors or both.
This end user cyber security policy was created and is maintained by Emma Osborn of OCSRC (see https://www.ocsrc.co.uk/).