ISSC499 final
Security Communications Plan
Cristian DeWeese
ISSC499
American Military University
07/01/2024
Introduction: Security communication is an important part of any organization's effort to improve security and meet organizational objectives (Da Veiga et al., 2020). This document describes how all security-related matters are communicated at the program level. It ensures that all stakeholders receive accurate and timely information so that the required level of security is maintained. Focusing on the automated service desk, the plan addresses the communication needs of executives and IT staff, end users and customers, and business and technology partners.
Archiving Procedures: To ensure the retention and accessibility of all security communications, the following archiving procedures will be implemented:
Central Repository: Security communications such as emails, alerts, and updates will be stored in a secure central repository (Siam et al., 2021). The repository will operate on a secured network, access will be granted only to authorized personnel, and its structure will allow stored information to be retrieved easily.
Indexing and Searchability: All documents in the repository will be indexed, and a search facility will let users locate documents of interest quickly.
Archival Process: At the end of every year, documents more than five years old will be moved to a long-term storage archive (Solovyev, 2020). The archive will be maintained and protected with the same stringent security measures as the main repository.
Backup Procedures: Daily, weekly, and monthly backups of the repository will be taken to prevent loss of information. These backups will be kept at a secondary location separate from the primary repository.
Approval Processes for Sending Out Communications: To ensure the accuracy and consistency of security communications, the following approval processes will be established:
Initial Review: All draft communications will be reviewed by the Cybersecurity Director or an officer delegated by the Director.
Content Verification: This first review checks that the content of the communication is relevant, accurate, and concise.
Legal Review: Any communication relating to legal or regulatory matters will be forwarded to the legal department for scrutiny.
Legal Assessment: The legal department will evaluate the communication for legal risks that could arise from its release and confirm that it meets all applicable legal requirements.
Executive Approval: Communications classified as high severity, or addressed to heads of departments, will require approval from the CIO or the CEO (Cotton, 2022).
Legal and Regulatory Requirements: The security communications plan will comply with the following legal and regulatory requirements:
General Data Protection Regulation (GDPR): All communications that process personal data will meet the requirements of the GDPR (Kuner et al., 2021).
Data Protection Impact Assessment (DPIA): A DPIA will be carried out in advance for any communication expected to involve large-scale processing of personal data, as the GDPR requires.
Health Insurance Portability and Accountability Act (HIPAA): Communications involving health information will preserve the privacy and confidentiality that HIPAA requires (Semantha et al., 2020).
Protected Health Information (PHI) Handling: Any communication containing PHI will be sent over encrypted channels and will be accessible only to persons with the appropriate authorization, in accordance with HIPAA regulations.
Sarbanes-Oxley Act (SOX): Stakeholders will receive accurate and timely information on the financial and security controls of the business (Phillips-Pakkianathan, 2022).
SOX Compliance Audits: Regular audits will verify that financial and security communications meet SOX requirements.
Incident: Any event that may result in an uncontrolled change to the integrity of information, or a loss of its confidentiality or availability.
Alert: A notification of a possible or confirmed security threat or incident.
Update: Information on new developments in the security environment or changes to security policies.
Repository: A central location where all security documents and messages are collected and managed.
Data Breach: Any unauthorized access to sensitive, protected, or confidential information that compromises its security (Shukla et al., 2022).
Encryption: The process of converting information or data into a form that cannot be understood by anyone who does not hold the corresponding decryption key.
Two-Factor Authentication (2FA): An identity verification method in which the user must present two different types of authentication factors (for example, something known and something possessed).
Four severity levels and four message types are defined for this plan. Understanding how they relate is essential to handling each message correctly. Messages will be categorized by severity level and type to ensure appropriate and timely communication:
Critical: Immediate action required (for example, identifying the affected data and disabling compromised accounts); potential for severe loss of work across the organization.
Example: A data breach involving a customer's sensitive information.
High: An urgent response is required; a particular business division or operational function will be severely affected.
Example: A serious vulnerability has been identified in the company's network infrastructure.
Medium: Action that needs to be taken soon; moderate risk.
Example: General amendments to security measures that affect several parts of the organization.
Low: Information only or low consequence; no direct response needed.
Example: Bi-monthly security policy revision.
Alerts: Short notifications (for example, text messages) about security threats or incidents that have occurred.
Content: A brief description of the threat, the action to be taken, and the person to contact in an emergency.
Frequency: As needed, depending on the threat level (Rattay et al., 2021).
Updates: Periodic notices of policy changes, alterations, or improvements, sent to customers and other stakeholders.
Content: Specific information on which policies are proposed, when they will take effect, and how they will affect business operations.
Frequency: Monthly, or whenever necessary.
Reports: Formal records of security incidents, reviews, or assessments.
Content: Detailed descriptions of events and incidents, audit findings, and recommendations.
Announcements: Awareness information on security programs and activities (Wang & Lund, 2020).
Content: The main features of new security measures, the benefits of participation, and any further requirements.
Communication Flow Diagram: The diagram was generated from the following node layout, which assigns each stakeholder group an (x, y) position:
pos = {
    "Executives": (1, 2),
    "IT Staff": (1, 1),
    "End Users": (2, 1),
    "Customers": (1, 0),
    "Partners": (2, 0),
}
The diagram shows how security-related information flows within the organization. It starts with the Cybersecurity Director, who informs executives by email and occasionally by text message, reaches IT staff through the internal portal, and reaches end users, customers, and partners by email. IT staff in turn communicate with end users, customers, and partners through the internal portal, so that security matters reach all interested parties in a timely manner and through the proper channels.
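As an added example (not code from the original paper, which preserved only the node-layout dictionary), the following Python reconstructs the flow described above as a directed graph. The edges are transcribed from the prose; the channel labels, the position assigned to the Cybersecurity Director node (which the original layout omits), and the Graphviz output are assumptions. The check_graph function flags layout nodes that no edge touches, edge endpoints without a layout position, and audiences the Director cannot reach, which is the consistency check one would want before relying on such a diagram.

```python
"""Reconstruct the plan's communication-flow diagram as a directed graph.

Added example, not the original paper's code. Edges are transcribed from the
plan's prose description; channel labels, the Director's layout position and
the Graphviz output are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (sender, recipient, channel)
ROOT = "Cybersecurity Director"

# Node layout positions as preserved in the plan, plus an assumed position
# for the Director, which the original dictionary does not include.
POSITIONS: Dict[str, Tuple[int, int]] = {
    "Executives": (1, 2),
    "IT Staff": (1, 1),
    "End Users": (2, 1),
    "Customers": (1, 0),
    "Partners": (2, 0),
    ROOT: (1, 3),  # assumption
}

# Directed edges transcribed from the plan's description of the flow.
EDGES: List[Edge] = [
    (ROOT, "Executives", "email"),
    (ROOT, "Executives", "text message"),
    (ROOT, "IT Staff", "internal portal"),
    (ROOT, "End Users", "email"),
    (ROOT, "Customers", "email"),
    (ROOT, "Partners", "email"),
    ("IT Staff", "End Users", "internal portal"),
    ("IT Staff", "Customers", "internal portal"),
    ("IT Staff", "Partners", "internal portal"),
]


def reachable_from(root: str, edges: List[Edge]) -> Set[str]:
    """Depth-first traversal: every node the root can reach via some edge."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for sender, recipient, _ in edges:
        adj[sender].add(recipient)
    seen, stack = {root}, [root]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def check_graph(edges: List[Edge], positions: Dict[str, Tuple[int, int]]) -> List[str]:
    """Return consistency problems between the edge list and the layout."""
    problems: List[str] = []
    nodes = set(positions)
    used = {n for sender, recipient, _ in edges for n in (sender, recipient)}
    for node in sorted(used - nodes):
        problems.append(f"no layout position for node {node!r}")
    for node in sorted(nodes - used):
        problems.append(f"node {node!r} has a position but no edges")
    for node in sorted(nodes - reachable_from(ROOT, edges)):
        problems.append(f"node {node!r} is not reachable from {ROOT!r}")
    return problems


def channels_to(recipient: str, edges: List[Edge]) -> Dict[str, List[str]]:
    """Map each sender that reaches `recipient` to the channels it uses."""
    out: Dict[str, List[str]] = defaultdict(list)
    for sender, rcpt, channel in edges:
        if rcpt == recipient:
            out[sender].append(channel)
    return dict(out)


def to_dot(edges: List[Edge], positions: Dict[str, Tuple[int, int]]) -> str:
    """Emit Graphviz DOT; pinned `pos` attributes let `neato -n` keep the layout."""
    lines = ["digraph security_comms {", "  rankdir=TB;"]
    for node, (x, y) in positions.items():
        lines.append(f'  "{node}" [pos="{x * 2},{y * 1.5}!"];')
    for sender, recipient, channel in edges:
        lines.append(f'  "{sender}" -> "{recipient}" [label="{channel}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in check_graph(EDGES, POSITIONS) or ["layout and edges are consistent"]:
        print(problem)
    print(channels_to("End Users", EDGES))
    print(to_dot(EDGES, POSITIONS))
```

Running the script prints the consistency result, the senders and channels that reach end users, and a DOT document that can be rendered with Graphviz; dropping the Director from POSITIONS reproduces the gap in the original layout and is reported by check_graph.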
Conclusion: This is where an organization's security communications plan shows its value: it establishes the structures for coordinating and distributing important security messages. With the measures, procedures, and protocols outlined above in place, the organization can meet its legal requirements and ensure that information about security threats and incidents is disseminated to employees and other stakeholders.
Cotton, S. (2022). Experience and qualifications required for a Chief Information Security Officer: An e-Delphi study (Doctoral dissertation, University of Phoenix). https://search.proquest.com/openview/22b738fd51899b61936981ae8d1f0845/1?pq-origsite=gscholar&cbl=18750&diss=y
Da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. (2020). Defining organisational information security culture: Perspectives from academia and industry. Computers & Security, 92, 101713. https://repository.up.ac.za/bitstream/handle/2263/76240/DaVeiga_Defining_2020.pdf?sequence=1
Keston, G. (2013). Developing a security communications plan. Faulkner Information Services.
Kuner, C., Bygrave, L. A., Docksey, C., Drechsler, L., & Tosoni, L. (2021). The EU General Data Protection Regulation: A commentary. Update of selected articles (May 4, 2021). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3839645
Phillips-Pakkianathan, G. (2022). The effectiveness of Sarbanes-Oxley Act 2002 in combating corporate frauds (Doctoral dissertation, Northcentral University). https://www.proquest.com/openview/2f93fa6d3377c2b48dac456594105d19/1?pq-origsite=gscholar&cbl=18750&diss=y
Rattay, P., Michalski, N., Domanska, O. M., Kaltwasser, A., De Bock, F., Wieler, L. H., & Jordan, S. (2021). Differences in risk perception, knowledge and protective behaviour regarding COVID-19 by education level among women and men in Germany: Results from the COVID-19 Snapshot Monitoring (COSMO) study. PLOS ONE, 16(5), e0251694. https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0251694
Semantha, F. H., Azam, S., Yeo, K. C., & Shanmugam, B. (2020). A systematic literature review on privacy by design in the healthcare sector. Electronics, 9(3), 452. https://www.mdpi.com/2079-9292/9/3/452
Shukla, S., George, J. P., Tiwari, K., & Kureethara, J. V. (2022). Data security. In Data ethics and challenges (pp. 41-59). Springer Singapore. https://link.springer.com/chapter/10.1007/978-981-19-0752-4_3
Siam, A. I., Almaiah, M. A., Al-Zahrani, A., Elazm, A. A., El Banby, G. M., El-Shafai, W., ... & El-Bahnasawy, N. A. (2021). Secure health monitoring communication systems based on IoT and cloud computing for medical emergency applications. Computational Intelligence and Neuroscience, 2021(1), 8016525. https://onlinelibrary.wiley.com/doi/full/10.1155/2021/8016525
Solovyev, A. V. (2020). Long-term digital documents storage technology. In Advances in automation: Proceedings of the International Russian Automation Conference, RusAutoCon 2019, September 8-14, 2019, Sochi, Russia (pp. 901-911). Springer International Publishing. https://link.springer.com/chapter/10.1007/978-3-030-39225-3_97
Wang, T., & Lund, B. (2020). Announcement information provided by United States' public libraries during the 2020 COVID-19 pandemic. Public Library Quarterly, 39(4), 283-294. https://www.tandfonline.com/doi/abs/10.1080/01616846.2020.1764325