Select the PDF attached to this assignment to download and read the Geoff Keston article titled ‘Developing A Security Communications Plan.’ According to Kes
Hello Class!
Welcome to Week # 4. This week's assignment will help you to fulfill the requirements for the fourth-course objective (CO-4)
Assignment Instructions:
Select the PDF attached to this assignment to download and read the Geoff Keston article titled "Developing A Security Communications Plan."
According to Keston (2013), "A mark of a mature security communications program is the shift away from one-time messages, such as ad hoc emails. Such messages are easily forgotten and are often hard to find after a few weeks. A good security communications plan will include sending updates and alerts as well as maintaining a repository of documentation. Creating such a repository (or a consolidated document) makes information easier to find, and it helps to link together disparate elements into a unified plan."
For the purpose of this assignment, you are tasked as the Cybersecurity Director to prepare a Security Communications Plan for execution at the program level. You are to develop a security communications plan for your organization that addresses the handling of all communications related to security. Follow the requirements below:
REQUIREMENTS:
- 4 – 6 Pages in length in APA format (not including a cover page and reference section)
- Cover Page
- Develop a comprehensive security plan that does the following:
- Identify archiving procedures
- Establish approval processes for sending communications
- Describe legal and regulatory requirements
- Define key terms
- Define severity levels and message types
- Using the definitions of severity levels and message types, diagram who receives messages and through what means they receive them (e.g., text messages)
- The plan will address the concerns of many constituents, including executives, IT staff members, and end users, as well as customers and partners. Each group has somewhat different needs, so it is helpful to structure a plan to protect sensitive information from the entire group and to make targeted information easy for its audience to find.
- Reference Section
MISCELLANEOUS:
- Your references should not be more than 5 years old
- Your assignment is due by Sunday, not later than 11:59 p.m. Eastern time.
CATEGORY
4
3
2
1
Multiplier
Total
Introduction
The introduction clearly states the main topic and previews the structure of the paper.
The introduction clearly states the main topic but only partially previews the structure of the paper.
The introduction states the main topic, but does not preview the structure of the paper.
There is no clear introduction to the main topic or structure of the paper.
X 2.5
Paragraph Construction
All paragraphs include the introductory sentence, explanations or details, and a concluding sentence.
Most paragraphs include introductory sentences, explanations or details, and concluding sentences.
Paragraphs included related information but were typically not constructed well.
The paragraphing structure was not clear, and sentences were not typically related within the paragraphs.
X 2.5
Sequencing
Details are placed in a logical order and correspond to the structure presented in the introduction.
Details are sometimes logically placed but do not correspond to the structure presented in the introduction.
Some details are not in a logical or expected order, distracting the reader.
Many details are not in a logical or expected order. There is little sense that the writing is organized.
X 2.5
Transitions
A variety of thoughtful transitions are used. They clearly show how ideas are connected.
Transitions clearly show how ideas are connected, but there is little variety.
Some transitions work well, but connections between other ideas are fuzzy.
The transitions between ideas are unclear or nonexistent.
X 2.5
Supportive Research
Supporting research studies and/or reports are research-based and accurately reported.
Supporting research studies and/or reports are not accurately reported.
Research studies and/or reports do not support the discussion.
Research studies and/or reports are limited and/or inaccurately reported.
X 2.5
Quality of Information
Information clearly relates to the main topic. It includes several supporting details and/or examples. The paper is in APA format, and the body of the paper is between 8 and 10 pages.
Information clearly relates to the main topic. It provides 1-2 supporting details and/or examples. The paper is not completely in APA format, and the body of the paper is between 8 and 10 pages.
Information clearly relates to the main topic. No details and/or examples are given. The paper is not completely in APA format, and the body of the paper is between 8 and 10 pages.
Information has little or nothing to do with the main topic. The paper is completely in APA format, and the body is between 8 and 10 pages.
X 2.5
Conclusion/
Recommendations
The conclusion effectively summarizes the discussion and provides at least two recommendations for further research.
The conclusion summarizes the paper but provides only one recommendation for further research.
The conclusion partially summarizes the discussion but provides no recommendations.
The conclusion is poorly constructed.
X 2.5
Sources
Citations
References
All sources (information and graphics) are accurately documented in APA. If you had a citation in the body of your work, you must have the appropriate reference in the reference section. (Provided at least 10 references)
Two sources are not documented in APA format. If you had a citation in the body of your work, you must have the appropriate reference in the reference section. (Provided at least 10 references)
Several sources are not documented in APA format. Not all citations match the reference in the reference section. (Provided less than 10 references)
Several sources are not documented in APA format. Not all citations match the reference in the reference section. Provided less than 5 references)
X 2.5
Mechanics
No grammatical, spelling, or punctuation errors.
One grammatical, spelling, or punctuation error.
Two grammatical, spelling, or punctuation errors.
More than two grammatical, spelling, or punctuation errors.
X 2.5
Timeliness
All late submissions have a 10 point (10%) deduction.
Developing A Security Communications Plan
by Geoff Keston Copyright November 2013, Faulkner Information Services. All rights reserved.
Inside this report …
A New Approach to Security Communications The Importance of Structure The Importance of Style The Communications Lifecycle Recommendations Resource File
A New Approach to Security Communications
[return to top of report]
An antiquated understanding of security communication views the practice's main question as: "what should IT announce to the rest of the company?" This perspective has given way to a multi-departmental approach that has each department sending and receiving information. In the old scenario, IT controlled information and decided whom to permit to have it. In the new scenario, each department defines what information it needs and, just as importantly, what information it needs to distribute to its constituents (e.g., customers, partners). After all, IT does not necessarily know who would be affected if a certain application is taken down for security reasons.
This new approach to security communication has become prevalent as more diverse technologies have been put to use by a wider range of departments: For instance, employees are accessing corporate networks with personally owned mobile phones and tablets as part of bring your own device programs, end users are provisioning their own services through automated programs, and social media and cloud services are being used for corporate purposes. At the same time, cyber threats have grown more diverse.
Collectively, these changes have created the need for more communication about security among a wider range of people across more channels. This increased burden is forcing enterprises to more comprehensively and carefully manage the delivery and organization of security information. Part of making this change is creating a detailed, formalized security communications plan.
The Importance of Structure
[return to top of report]
A mark of a mature security communications program is the shift away from one-time messages, such as ad hoc emails. Such messages are easily forgotten and are often hard to find after a few weeks. A good security communications plan will include sending updates and alerts as well as maintaining a repository of documentation. Creating such a repository (or a consolidated document) makes information easier to find, and it helps to link together disparate elements into a unified plan.
A comprehensive plan will do the following:
■ Identify archiving procedures
■ Establish approval processes for sending communications
■ Describe legal and regulatory requirements
■ Define key terms
■ Define severity levels and message types
■ Using the definitions of severity levels and message types, diagram who receives messages and through what means they receive them (e.g., text messages)
The plan will address the concerns of many constituents, including executives, IT staff members, and end users, as well as customers and partners. Each group has somewhat different needs, so it is helpful to structure a plan to protect sensitive information from the entire group and to make targeted information easy for its audience to find.
The Importance of Style
[return to top of report]
The challenges of planning communication flows and managing the technologies that disseminate messages across a dispersed, multi-platform environment can make enterprises lose sight of how the message is presented. But the style in which messages are delivered is crucial. "Unfortunately we the security community can be terrible communicators," says Lance Spitzner.1 "[A]s a result this is where many awareness programs quickly fall apart. If you present the content in a boring or hard to access fashion (especially for the YouTube generation) you program will be a failure. In addition, communication is exponentially more difficult for large or diverse organizations as you have to take into consideration a variety of cultural, national and linguistic differences."
To ensure that the style of security communications is effective, it can be helpful to rely on expertise from departments such as public relations or marketing, especially for messages to be sent outside the organization. Using templates and boilerplate language can further help, providing consistency and enabling the organization to deliver a message quickly, without having to repeat the time consuming process of writing, editing, and approving the text of a communication.
Tailoring messages to audiences based on their technical knowledge and other factors is also critical. "Some security awareness programs fail to adequately segment their audience and deliver appropriate messages," writes Chelsa Russell. "This is a very poor strategy that results in messages getting ignored. Users receive hundreds of messages every day from all different directions. It is critical to segment your audience and ensure that people only get the messages they need. A one-size-fits-all strategy may be easy on you, but it will not be effective."
The Communications Lifecycle
[return to top of report]
In a good, mature security environment, communication is not a one-time event that is completed when the IT department clicks "send" on a broadcast email. Instead, communication is a multi-stage, closed-loop process that starts with identifying the need to deliver a message and concludes with verifying that the message's content was well understood.
Communication is also a two-way process. Organizations need not only to send information, but also to receive feedback from users. "Listen to the stakeholders, understand their pain and problems, compile the details and verify your understanding of the problems before locking down the requirements," says project manager Wendy Woo.3 "You cannot understand the objectives and mission critical elements without connecting the dots and asking questions. You do not know if you are delivering the right solution without walking through the details and the intended outcome with the end users."
Feedback from all stakeholders is important. To encourage a dialogue, two processes are in particular useful:
■ Conduct Routine Audits – The audit process will gather information that might not otherwise come to the attention of the security planning team. During the audit, process activities will be analyzed, employees will be interviewed, and evidence such as customer messages will be inspected. All of this information will provide useful feedback.
■ Maintain a Continual Improvement Process – A formal process that lets users openly suggest changes or notify management of potential issues will help information security planners learn about problems at the operational level. This process is best managed as a closed-loop in which all suggestions are logged and evaluated and then action items are assigned to execute the recommendations that are approved. Standards such as ISO 27001 can help to structure such a process.
Recommendations
[return to top of report]
Integrate Security Communications with Other Processes
Security activities influence, and are influenced by, other corporate processes. Addressing these connected processes directly will strengthen a communications plan. In particular, the following processes relate closely to security:
■ An incident management process is the formal, often automated, handling of security issues. Some incidents are reported outages or failures, and others are alerts from a system such as a firewall. These
reports and alerts are part of incident management, but they are also forms of communication. Therefore, it is helpful to link incident management and communications policies.
■ Security concerns overlap with business continuity and disaster recovery. Many of the preventive and reactive actions of security plans are similar to those described in business continuity and disaster recovery plans.
■ Regulatory compliance is increasingly an IT function, due in part to regulations, such as HIPAA, that are heavily technology focused.
Develop Policies for Communicating with Third Parties
The need to communicate about security reaches across organizational boundaries. Organizations may tell customers about breaches of their confidential data, receive new security specifications from partners, or explain a change in their privacy policies to the media. Managing these external communications differs in many ways from handling internal communication. With third-party communications, organizations cannot dictate what processes and technologies are used. Instead, they must work with others to develop policies for communication. While some principles – like the importance of structure and style – still hold, at a tactical level, organizations would be wise to be flexible about how they share information with customers, partners, and the press.
Resource File
[return to top of report]
International Organization for Standardization (ISO): http://www.iso.org/
References
1 Spitzer, L. Security awareness – Hot to communicate. SANS: Security the Human. Jan 11. 2 Russell, C. Security awareness – Implementing an effective strategy. SANS Institute. Oct 02. 3 Woo, W. Ten communication failures that will sabotage your project. The Agilista PM. Available online from: http://www.agilistapm.com/10-comm-failures-sabotaging-projects/
About the Author
[return to top of report]
Geoff Keston is the author of more than 250 articles that help organizations find opportunities in business trends and technology. He also works directly with clients to develop communications strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a major technology consulting and services company and is a Microsoft Certified Systems Engineer and a Certified Novell Administrator.
Site content copyright 2013, Faulkner Information Services. All rights reserved.
Return to Security Management Practices Home
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.