
Project Scenario

After introducing yourself as the newly hired cybersecurity analyst, you look around the conference table at the others in your meeting. This multidisciplinary policy development team includes employees from HR, IT, finance and legal. After introductions are complete, Brian, an attorney from the legal department, begins to speak: "Upper management has tasked this team with reviewing the Internet usage policy, acceptable usage policy, and privacy policy. These are the types of policies that we encounter when we are required to sign or click the 'I Agree' box as we turn on our business computers or purchase software."

Brian continues, "We will each need to consider our perspectives and roles on this team throughout the policy development process. We need to balance the writing of the revised policies from the standpoint of the customer and/or user while considering business goals.

"This also means that we will each need to keep in mind aspects such as protecting corporate data, ensuring customer privacy, corporate due diligence, and legal or regulatory compliance respective to our areas of expertise."

Brian turns to you and says, "Since these three policies are focused on cybersecurity, you will conduct the initial review. Begin by evaluating and rewriting each policy. Then prepare a cover letter summarizing the justifications, including your written evaluation. Please have this ready for our next meeting one week from today."

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

Policy Components

Cybersecurity policies are critical to establishing and maintaining the security of networks and data, communicating expectations to employees, and determining the consequences of actions. Such policies are an expression of expectations. Here are the key elements of a good cybersecurity policy:

· Definitions, which explain terms in the context of the organization's mission and culture.

· Access to computers and data, which explains the processes for gaining access privileges and approvals, and the expectations regarding use of company IT assets. Password expectations would also be established herein.

· Use of external (e.g., mobile) devices, to include any restrictions on use of outside devices on internal company IT assets.

· Security procedures, explaining the reporting requirements should malicious acts be discovered.

· Internet use, to include acceptable use policy and what, if any, filtering might be used. This policy also explains personal use of the Internet on work-related computers.

· Data storage and recovery, defining storage requirements (length of time, type of data to be stored) and the expectations regarding recovery from unexpected outages or losses.

· Remote access, which sets expectations for remote access to company IT assets and the responsibilities that come with that privilege.

· Auditing, which describes frequency and type of review for cybersecurity and IT assets.

· Training, which explains requirements for maintaining or learning skills or policies needed for cybersecurity.