������Ƶ

A Cybersecurity Policy outlines how an organization protects its digital assets, data, and systems from security threats. It sets clear rules and procedures for staff to follow when handling sensitive information, using company networks, and responding to security incidents - all aligned with NZ's Privacy Act 2020 and other relevant regulations.

Think of it as your organization's digital security playbook - it covers everything from password requirements and access controls to data backup procedures and incident reporting. For Kiwi businesses, these policies help demonstrate compliance with privacy laws while protecting against cyber threats like ransomware, data breaches, and unauthorized access.

Your organization needs a Cybersecurity Policy before handling sensitive customer data or connecting systems to the internet. This foundational document becomes essential when scaling operations, pursuing government contracts, or working with partners who require proof of security measures - especially under NZ's Privacy Act requirements.

Put your policy in place when onboarding new staff, introducing remote work options, or upgrading IT systems. It's particularly crucial before storing personal information, health records, or financial data. Many insurance providers also require a documented Cybersecurity Policy before offering cyber insurance coverage to Kiwi businesses.

• Basic Enterprise Policy: Core cybersecurity rules covering password standards, access controls, and incident reporting - ideal for small to medium NZ businesses
• Comprehensive Framework: Detailed policies aligned with international standards, featuring risk assessment matrices and compliance tracking for larger organizations
• Industry-Specific Policy: Tailored requirements for sectors like healthcare (handling patient data) or finance (meeting RBNZ guidelines)
• Cloud-First Policy: Focused on securing cloud services, remote access, and third-party integrations
• IoT Security Policy: Specialized guidelines for organizations managing connected devices and sensor networks

• IT Security Teams: Draft and maintain the Cybersecurity Policy, implement technical controls, and monitor compliance
• Senior Management: Approve policy content, allocate resources, and ensure organizational alignment with security goals
• Employees: Follow security procedures, complete required training, and report potential incidents
• Legal Teams: Review policy alignment with NZ Privacy Act and other regulations
• External Auditors: Assess policy effectiveness and compliance during security reviews
• IT Vendors: Adhere to security requirements when accessing company systems or handling data

• Asset Inventory: List all digital systems, data types, and network infrastructure that need protection
• Risk Assessment: Document potential threats, vulnerabilities, and impact levels specific to your organization
• Legal Requirements: Review NZ Privacy Act obligations and industry-specific regulations affecting your data handling
• Access Levels: Map out who needs access to what systems and under which conditions
• Incident Response: Plan your breach notification process and recovery procedures
• Training Needs: Identify required staff education and awareness programs
• Policy Generation: Use our platform to create a customized, legally-sound policy that covers all essential elements

• Purpose Statement: Clear objectives and scope of the policy, aligned with NZ Privacy Principles
• Access Controls: Rules for authentication, authorization, and password management
• Data Classification: Categories of information and their required protection levels
• Incident Response: Mandatory breach reporting procedures under Privacy Act 2020
• User Responsibilities: Staff obligations for device usage and data handling
• Compliance Measures: Monitoring and enforcement procedures
• Review Schedule: Timeline for policy updates and assessments
• Legal Framework: References to relevant NZ regulations and standards

A Cybersecurity Policy differs significantly from a Data Breach Response Policy. While both deal with digital security, they serve distinct purposes in your organization's security framework.

• Scope and Purpose: A Cybersecurity Policy covers comprehensive security measures across all IT operations, while a Data Breach Response Policy focuses specifically on actions taken after a security incident occurs
• Timing of Application: Cybersecurity Policies work proactively to prevent incidents, whereas Data Breach Response Policies activate reactively when breaches happen
• Content Focus: Cybersecurity Policies outline daily security practices, access controls, and system protections. Data Breach Response Policies detail notification procedures, damage control steps, and recovery protocols
• Legal Requirements: Under NZ's Privacy Act 2020, organizations need both - Cybersecurity Policies for ongoing compliance and Data Breach Response Policies for mandatory breach reporting