CYB 4304, Cybersecurity Law and Policy
UNIT VIII STUDY GUIDE: Information Technology Security Policy Implementation and Enforcement

Learning Outcomes
1. Classify the vulnerabilities in the information technology (IT) security policy framework definition.
2. Assess an acceptable use policy implementation plan for an organization.
3. Outline a risk assessment policy that defines a separation of duties to deter fraudulent actions within the seven domains and policy definitions.
4. Analyze a security awareness training policy for new and existing employees at an organization.
5. Examine a computer incident response policy (CIRP).
6. Plan an organization-wide cybersecurity policy to ensure compliance within the seven domains of the information technology (IT) infrastructure.

Required Unit Resources
Chapter 13: IT Security Policy Implementations
Chapter 14: IT Security Policy Enforcement

Unit Lesson
IT Security Policy Implementation
The past few units discussed the information technology (IT) security culture. In an organization that is just starting out with new employees, the security culture can be seen to mature quickly, because everyone learns and adheres to the same fresh set of policies and procedures from the start. In an organization that has existed for a long time, with employees coming and going, the security culture is more a matter of behavioral adaptation: new employees simply do what the existing employees do. This unit lesson looks at how to implement a security policy in an organizational culture that resists change.
Target States
A target state is a future state in which the organization's goals and objectives have been achieved using the necessary tools, processes, and resources (Johnson & Easttom, 2022). Policy goals and objectives can be described in many ways; one of the more effective is to state them in terms of the following.
• Business risk: how the policy reduces risk to an acceptable level.
• Compliance: how the policy safeguards compliance with laws and regulations.
• Threat vectors: how the policy will avoid, mitigate, or detect IT threats.
Whichever method is used, the target state should be described in terms of the technology, tools, and resources needed for its implementation.
The Implementation Process
Changing an organization's culture while implementing an IT security policy can be a tough sell to employees. For the change to take hold, employees must first understand the company's business strategy and have a means of collaborating with one another as the security policies are implemented in small steps. Johnson and Easttom (2022) describe three common themes in defining the need for security policies.
• Personal accountability: Every employee must be accountable for his or her actions, and the security policy is the steering mechanism that keeps employees compliant. Any breach of the policy could mean a loss of data, information, or assets, so the most important issue to identify is noncompliance with the security policy.
• Directive and enforcement: How the policy is directed and enforced is up to management, which means the enforcement directives must be known to every employee in the organization. There should be zero tolerance for failing to follow security policies.
• Valuable tool: When both management and employees use them to identify and manage risks, security policies are an integral tool in preventing further damage from security breaches.
Awareness and Training
Once the organization understands the need for security policies, management must provide a means of security awareness throughout the organization (Johnson & Easttom, 2022). Many security breaches happen because employees have not been educated in security awareness. Reasons for security breaches include
• no training, or poor training, in security awareness;
• lack of motivation or lack of understanding of the policies;
• intentional acts by disgruntled employees;
• poor management and user decisions; and
• poorly written security policy.
To help eliminate these breaches, management must provide security awareness training so that employees know a policy exists and understand the importance of the policy and its directives. In addition, employees need security training from experts so that they have the skills to help prevent further damage from security breaches (Johnson & Easttom, 2022). Everyone should attend security awareness training: new employees, contractors, individuals promoted into new positions, and vendors as defined by their contracts. At a minimum, refresher security awareness training should be conducted annually. The goal of security awareness training is not to have employees repeat what they have heard but to achieve authentic learning that builds the knowledge and skills they need to protect assets and adhere to the policies in their daily duties. The measure of success is how effectively workers apply what they have learned to their work (Johnson & Easttom, 2022).
Enforcement and the Role of Executive Management
No matter how much effort goes into creating and perfecting a policy, it delivers nothing if it is not followed. A compliance program must therefore be created alongside the policy to ensure that its value is actually delivered. Executive management guides the organization in the direction needed to achieve a specific goal (Johnson & Easttom, 2022). Because employees look to the executives for guidance, the executives must set the example and follow the same policies and rules as everyone else in the organization. The chief information security officer (CISO) assists the executives in directing and enforcing the security awareness program; the CISO works for the executives and takes direction from them. There is zero tolerance for not following the security policies, and the executives treat every violation seriously.
A Hierarchical Approach to Security Policy Implementation
The organization itself has a role in enforcing security policies. Within a hierarchical organization, several committees assist in enforcing them. These are known as gateway committees, and their main job is to monitor risk and enforce policy for the organization. Their roles and responsibilities vary; according to Johnson and Easttom (2022), they include the following.
• Project committees review project concepts, designs, and testing phases within the project life cycle. To reduce cost, the committee identifies risks early in the project and can stop a project that does not comply with policy.
• Architecture review committees enforce strict standards for technology and architecture; approved architectural models are embedded in the security design policy, and the committee can stop a project that fails to meet the technical standards.
• External connection committees monitor third-party connections to the organization's network. The committee ensures the security and reliability of data transmitted in and out, and it verifies that the communications and encryption security policies have been enforced. No connection is approved if it violates the security policy.
• Vendor governance committees have two roles: a business role, overseeing the vendor relationship, and a technical role, ensuring the vendor complies with the policies written into the vendor contract.
• Security compliance committees have many roles, the most important being to ensure there are no violations of the organization's policies. This committee focuses on the common controls embedded in the systems, applications, and operations that users work with, and it influences the pervasive security controls that must comply with the organization's policies.
• Operational risk committees provide oversight and approve any risk tolerance that affects the business of the organization.
Each of these committees has a line of sight into the organization's projects and initiatives. Although each views security in a different light, all of them are ultimately responsible for enforcing policy.
Law Versus Policy
An organization must ensure that its policies are followed and must stay informed about its level of compliance. Security policies themselves are not laws; they are the organization's interpretation of the law and of what it requires. A law is a rule prescribed under the authority of a government entity, whereas a regulation is a rule developed from a law under the authority of an agency (Johnson & Easttom, 2022).
IT Culture, Revisited
Each organization has a unique IT security culture. Senior management, together with IT professionals, must ensure that policies, documentation, security awareness, and procedures are kept up to date and enforced. The CISO must work in tandem with the CIO or CEO to move the organization toward an achievable security culture that does not disrupt the organization's daily business.
Reference
Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning.