
October 11. Policies and Procedures: Cyber Blueprint
Cyber security has many levels; policies and procedures are about establishing clear rules, guidelines and processes that govern how information is handled within an organisation. Well-defined policies and procedures serve as the blueprint for your cyber security program, ensuring consistent practices, reducing human error and providing a framework for accountability.
Key areas covered by cybersecurity policies and procedures often include:
- Acceptable Use Policy (AUP): Defines how employees are allowed to use company IT resources (internet, email, devices). DPE customers can access our Acceptable Use Policy template through our Knowledge Bank portal, along with many other templates for policies and procedures.
- Password Policy: Dictates requirements for password length, complexity, change frequency, and the use of Multi-Factor Authentication (MFA). Customers can review our Password learning nugget.
- Data Handling Policy: Specifies how different types of data (e.g., sensitive, confidential, public) should be stored, transmitted, accessed, and disposed of. DPE customers can review our Retention Schedule and our Data Classification learning nugget; we can also review data handling as part of our data walks (Making the Rounds) or data protection audits.
- Remote Work Policy: Outlines security expectations and requirements for employees working from home or other remote locations. Customers can review our working from home learning nugget and template policies.
- Incident Response Plan: Details the steps to be taken in the event of a security breach or cyberattack, including roles, responsibilities, and communication protocols.
- Access Control Policy: Defines who has access to what systems and data, based on the principle of least privilege.
- Software Installation Policy: Governs what software can be installed on company devices and by whom.
- Mobile Device Policy: Addresses security requirements for smartphones and tablets used for work purposes. Consider the use of mobile devices as part of multi-factor authentication.
- Physical Security Policy: Covers the protection of physical assets (e.g., servers, laptops) from unauthorised access.
For organisations, these policies are crucial for regulatory compliance, managing risk, and fostering a culture of security. They provide employees with clear expectations and guidelines, reducing ambiguity and promoting secure behaviour. Regularly reviewing and updating these policies is essential to adapt to evolving threats and technological changes.
Even for individuals, having personal "rules of thumb" or informal procedures – like "I always use a VPN on public Wi-Fi" or "I never open attachments from unknown senders" – can serve as a personal blueprint for safer online conduct.
Questions for SLT and the Governing Body:
- Is there a Business Continuity Plan?
- Is there a Cyber Incident Plan?
- Do the staff know what to do in the event of a cyber attack?
- Is there a policy specifying access control for all staff?
- Is there a working from home/mobile working policy?
- Is there an acceptable use policy?
- Is there a loan agreement signed by staff when assigned school equipment?
- Is there a written password policy?
- Is there a written policy about removable media?
Review our Policies Page for up to date policy templates.
💡Today's Cyber Tip: Know your digital rules!
Take a moment to understand the rules for handling digital information.
At work, this means familiarising yourself with your company's cyber security and associated policies.
For personal use, it means setting your own clear habits—like deciding what personal data you'll share online or how you'll manage your passwords. Knowing these guidelines helps keep you and your data safe.
More questions like these are in our Information and Cyber Security Checklist (only viewable with a valid Data Protection Education subscription):
DPE Knowledge Bank Guidance and Support:
For schools and colleges, six of the DfE Digital Standards are now mandatory. We have a DfE Digital Standards Tracker tool to help you track your cyber resilience and your progress:

Review our Cyber Security Best Practice Area for micro learning, support, guidance and policies:
Why not have a look at our 'specialist' trainer Harry the Hacker:
