Project 4 Enterprise Cybersecurity Program Step 18 Record the Presentation


Urie L. Reed

Cybersecurity Policy Report

Dr. Roger Ward

CMP 640 Cyber Security Program Development

University of Maryland Global Campus

Cybersecurity Policy Report

Cybersecurity policies are a vital component of the organization's cybersecurity architecture and cybersecurity program, and they should not be overlooked. The proposed framework, based on the NIST Cybersecurity Framework, is the foundation of the entire cybersecurity program. Employee behavior and organizational processes are governed by cybersecurity policies, which allow the organization to set expectations, guidelines, and boundaries for how employees should behave, how the organization will conduct its processes, and how it will enforce the components of the core cybersecurity framework. Following the successful implementation and ongoing enforcement of the proposed framework, it is essential to put in place the supporting documents that outline the company's procedures and processes, so that the organization can defend itself against cyber threats and comply with the regulations imposed on a financial organization, such as GDPR, SOX, GLBA, PCI-DSS, and similar laws and standards.

Policies

The Acceptable Use Policy, which describes what employees may do on corporate devices and networks, is a fundamental and critical policy for all firms. This policy explains the behaviors that are prohibited, as well as the ramifications of failing to comply with the policy's requirements. By articulating how employees are expected to behave when they use business devices and networks, the acceptable use policy gives the company the power to penalize or discourage undesirable behavior (Bryan & Larsen, 2017). It establishes the expectations and standards for employees, and it provides the company with a system for disciplining those who violate the rules and for ensuring the safety and security of the company's network. The acceptable use policy may also have a detrimental influence on the organization's culture and on employees' work, since it can force some employees to change how they go about their daily routines and their jobs. Some employees may require access, in their everyday tasks, to sites and processes that the policy prohibits. In this case, it is essential to identify these individuals and offer them other means and procedures to perform their work.

The Mobile Device Management Policy is a second policy that is crucial and significant in today's world. This policy describes the accepted method of using mobile devices and the requirements for which devices may be used to access the company's networks and data sources. In addition, the policy specifies the technical guidelines that must be followed to connect to the company's networks or access its data. These guidelines may include requirements such as two-factor authentication or authentication software that must be installed and used before the network or data can be accessed (Bryan & Larsen, 2017). If an employee wishes to bring their own device to work, the policy will also address the issues of data ownership and privacy expectations that should be considered. In addition to helping to safeguard and protect the organization, a Mobile Device Management policy gives employees the potential advantage of doing their daily business on a device that they are already familiar with and enjoy using. Because of the policy, the organization will be better protected against cyber threats and vulnerabilities, and mobile devices will be as secure as we can make them when used within the firm. The possible drawback of this strategy is the administrative burden imposed on the organization to oversee the usage of personal devices and the software and security measures required to ensure that they are used securely. Downtime may also occur while users transition to their own devices, adjust to new processes and procedures, download and install the necessary access controls, and set up their devices for use on the networks. Additionally, the policy requires monitoring and maintaining the security of these new devices, which is something the company might not be equipped to do as of now.

The policy on system and software upgrades is critical for the company's security but is primarily focused on its information technology (IT) group. Specifically, it outlines the requirements to ensure that the company's network and its components are kept up to date with the most recent security patches and versions, so that the organization has as few vulnerabilities as possible for cyber threats to exploit and disrupt business operations (Bayuk, Healey, Rohmeyer, Sachs, & Schmidt, 2012). This policy will specify the requirements for penetration and vulnerability testing within the organization and the frequency with which such testing will be carried out. Also included will be a description of the procedures to be followed for testing and approving all network updates and patches. This policy will also detail the requirements for any third-party software vendors to demonstrate that their products are compliant with ISO 27001 before they may be used. This will verify that the software the company acquires is built in a properly controlled environment. Still, it may limit the number of suppliers available and increase the cost of the software. The advantage of having this type of policy is that it ensures that the company is appropriately patched, that the company's upgrades have been tested and approved, and that the software acquired by the company is constructed in a safe and regulated manner, all of which are important (Rauscher, 2012). The disadvantage is that there may be a rise in the cost of software and of the product, but it is a required expenditure to ensure that the product is secure. There may also be an administrative burden associated with testing and approving updates and ensuring that the most recent patches are in place. Still, it is a vital investment to protect the organization's networks and data.

The Access Policy is critical to protecting the company's assets and information. The organization's access policy, which describes the access controls, is vital to preserving the company's networks and communications (Vaseashta, Susmann, & Braman, 2014). Access controls ensure that access is granted only to those who require it, and I would recommend that this be accomplished through a role-based access control policy, under which only those assigned to a role that requires access are granted it. In addition to protecting the company's assets and data, the policy restricts knowledge of business operations to only those individuals who have a legitimate need to know. As a financial institution, the company will also find that the policy aids its compliance with all of the restrictions imposed on it (Richet, 2015). However, as with any policy, there is the possibility that an employee will abuse the access that the company grants them. It is vital to continue auditing and monitoring access to maintain compliance. This can be expensive, and it may necessitate the purchase of additional software, as well as the skills to run that software and evaluate the results, to verify that the company's network and data are protected.

In the end, the policies described above are important to ensure that the company successfully implements its cybersecurity framework and program. Employee behavior and organizational processes are governed by cybersecurity policies, which allow the company's management to set expectations, guidelines, and boundaries for how its employees should behave, how the organization will conduct its processes, and how it will enforce the components of the core cybersecurity framework.

References

Bayuk, J. L., Healey, J., Rohmeyer, P., Sachs, M. H., & Schmidt, J. (2012). Cyber security policy guidebook. John Wiley & Sons.

Bryan, E., & Larsen, A. (2017). Cybersecurity policies and procedures. The Cyber Risk Handbook, 35-65. doi:10.1002/9781119309741.ch4

Rauscher, K. F. (2012). Fresh tracks for cybersecurity policy laterals. 2012 Third Worldwide Cybersecurity Summit (WCS). doi:10.1109/wcs.2012.6780877

Richet, J. (2015). Cybersecurity policies and strategies for cyberwarfare prevention. IGI Global.

Vaseashta, A., Susmann, P., & Braman, E. (2014). Cyber security and resiliency policy framework. IOS Press.