This week’s topic, information security policies, is perhaps the most important topic that a Business major can take from this course. This is the governance layer that lays the bedrock for your organization’s security posture. Sure, the technical folks are responsible for executing on that policy but this is where the leaders of a business get together, reach agreement, at times do a sanity check on what is enforceable in the organization, and draft the rules that will make sure the organization is secure.
This is not an exercise in putting down whatever “sounds” good in order to check the box and claim that your organization has policies. It takes a realistic perspective and evaluation of what is needed, what is possible, and what is enforceable. It is typically better to have a weak policy that is enforced than to have a strong policy that is ignored.
The resources provided include three articles on approaches to drafting an information security policy. Among the steps is to select a framework or set of standards. These could include “best practice” frameworks such as ISO 27001, the NIST SP 800 series, COBIT, ITIL, or similar guidelines. Depending on the industry, this will likely also include “compliance” standards such as PCI-DSS, HIPAA/HITECH, SOX, FISMA, GLBA, or other legal and regulatory obligations. The resources provided include the NIST Cybersecurity Framework as an example of a best practice framework and the PCI-DSS compliance standard for those who process credit cards. Both of these will include specific elements or policies that should be included in your overall policy set.
Additionally, I have included links to the Greater Houston Partnership’s Cybersecurity Assessment Tool, the FCC’s CyberPlanner Tool, and the Travelers Insurance Cyber Risk Pressure Test. These tools can help you evaluate your organization’s current posture. Such evaluations can help to flesh out the organization’s policies much like the best practice standards. Additionally, from a learning standpoint, they are a bit easier to go through than something like the full PCI-DSS standard.
Last, but definitely not least, I have included a link to the SANS security policy template library. When it comes to actually drafting policies, these or similar “out-of-the-box” policy templates can provide a good start and help you understand the level of detail needed. Remember that details are important, but a policy should not be so complicated that it must be updated constantly or becomes unmanageable. This includes considering how much time you have available for dealing with policy issues.
This is a lot of information. My primary concern this week is that you take the time to review the resources. It would be impractical to have you draft a policy or try to regurgitate all of what you see here. Read the articles, skim the frameworks and standards, tinker with some of the assessment/planning tools.
For your web project, I’d like you to pick three things that stood out to you. This could relate to the process of drafting the policies, the contents of the frameworks or standards, the usefulness of the assessment/planning tools, the format/contents/level of detail in the policy templates, etc. Just choose any three things you learned and share your thoughts about them in 300-400 words. This is an informal assignment. Citations are not necessary unless you are quoting, but may be useful to indicate what you are referencing.