
Develop an information security policy and related procedure


Assignment Task:

Before you start:

Take care when writing policies to make sure that they are effective and do not conflict with one another. To keep your policies effective, keep in mind the following secure design principles:

Mandatory Reading: Read The Security Principles of Saltzer and Schroeder (link) blog for a greater understanding.

Project Overview: This project includes the following tasks:

Review and prioritize scenario audit observations

Develop an information security policy and related procedure

Develop an implementation and dissemination plan

Objective: Developing Information Security Policies

A security policy is the document developed by an organization that formally states how it plans to protect its information and information systems. Organizations should treat a security policy as a "living document." This means that the organization continuously reviews and updates the document as technology and employee requirements change.

Organizations use several documents to support their policy infrastructure. In this project, you will develop the following documents:

An Information Security Policy

A procedure to support the policy

An effective security policy references the standards and guidelines that exist within an organization. An information security policy contains high-level statements with the intent of protecting information and assets. It is the responsibility of senior management to develop security policies.

Standards are mandatory controls that enforce and support the information security policy. Standards are a collection of properties or rules that an organization formally adopts and recognizes. There are many standards organizations in the information technology field including IEEE, EIA/TIA, NIST and ISO.

Guidelines are recommended, non-mandatory controls that support standards and provide a foundation for the development of best practices.

Procedures are the systematic instructions used by employees within the organization that explain how to implement the controls defined in the policies, standards, and guidelines.

For example, a password policy states the standard for creating strong passwords and protecting them. A password construction guideline defines how to create a strong password and provides best-practice recommendations. The password procedure provides the instructions for implementing the strong-password requirement. Within the information security policy framework, organizations update policies far less frequently than they update procedures.

Supplemental Materials

Information Security Policy - A Development Guide (link)

Technical Writing for IT Security Policies in Five Easy Steps (link)

Website Links

Information Security Policy Template (link)

Security Awareness Planning Toolkit (link)

YouTube Video: Information Security Policy (CISSP Free by Skillset)

Project Scenario:

ACME Healthcare is a healthcare company that runs over 25 medical facilities covering patient care, diagnostics, outpatient care and emergency care. The organization has experienced several data breaches over the last five years. These breaches have cost the organization financially and damaged its reputation.

The executive leadership team recently hired a new Chief Information Security Officer (CISO). The new CISO has brought in one of the top penetration-testing teams to perform a full security audit of the entire organization. This independent contractor conducted the audit and found the following vulnerabilities:

Several accounts were identified for employees that are no longer employed by ACME.

Several user accounts held unauthorized, escalated privileges and were used to access systems and information without formal authorization.

Several devices and systems allowed insecure remote access.

Forty percent of all organization passwords audited were cracked within 6 hours.

Password expiration was not standardized.

Sensitive files were found unencrypted on user systems and laptops.

Several wireless hotspots used WEP for encryption and authentication.

Evidence indicates that sensitive e-mail was sent unencrypted to and from employee homes and mobile devices.

Intrusion detection logs were infrequently reviewed and analyzed.

Systems with sensitive company data were used by employees for private use.

Employee systems were left unattended, and employees failed to log out of the company network and data systems.

System updates and configurations were applied inconsistently.

Several firewall rules were set to permit all traffic unless specifically denied.

Company servers were not updated with the latest patches.

The intranet web server allowed users to change personal information about themselves, including contact information (address, phone number, etc.).

Policies, Procedures, and Guidelines: Overview of the Scenario

Read over the scenario given above. Watch the Information Security Policy video. Differentiate the various levels and types of policies (describe at least 2 types and 2 levels of policies). Make sure you cite your sources.

Policies, Procedures, and Guidelines: Review and Prioritize Audit Findings

Review the security audit findings from the Project Scenario above.

Research the types of vulnerabilities listed and determine which pose the greatest threat.

Based on your research, select the top five security audit findings that ACME should address.

Create a Vulnerabilities Ranking Table, like the one shown below, and record your rankings in a table with three columns: a) the Vulnerability, b) the Recommended Policy to mitigate that vulnerability, and c) your Justification.

Remember to cite your justifications using footnotes.
