In your own words, please discuss a cybersecurity policy with which you are familiar. The example can come from work, school, or a business relationship. You can also research organizational policies posted online. Give a brief description of the policy. What is the purpose and value of the policy?
Course Textbook(s)
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson. https://online.vitalsource.com/#/books/9780134858548
UNIT I STUDY GUIDE
History of Information Systems (IS) Security Policy

SEC 4303, IS Security Policy Analysis 1

Course Learning Outcomes for Unit I

Upon completion of this unit, students should be able to:

1. Discuss the life cycle of policy enactment.
   1.1 Analyze the significance of policies within an organization.
   1.2 Evaluate the role policy plays in a corporate culture.
   1.3 Investigate how regulatory policies apply to organizations.

Reading Assignment

Chapter 1: Understanding Cybersecurity Policy and Governance

Unit Lesson

The goal of this unit lesson is to discuss the importance and use of policies within an organization. Organizations have many policies and procedures to follow; collectively, these standards are known as common business practices. They are part of the corporate culture and are usually supported by top management. As the textbook reading notes, Santos (2019) states that corporate cultures are often classified by how organizations treat employees, but the classification can also apply to practices and behavior. Policies are often described in general language as the rights, responsibilities, and consequences of a specific behavior. The culture and market of an organization dictate how often policies are distributed throughout the environment. For example, if you work for a financial institution, you are probably introduced to the financial policies, along with the applicable laws and regulations, early in your tenure. Financial institutions carry considerable liability; consequently, they have to ensure the policies and practices are regularly communicated to employees.

As for policies in general, we need to clarify the difference between traditional policies and information systems (IS) or cybersecurity policies. As we will find, IS security policies focus on assets such as software, hardware, physical facilities, and data. This can sometimes be outside the knowledge area of the functional departments, but their involvement in IS security policy creation is critical. The email policy excerpt below illustrates a general policy communicating the appropriate use of the organization's email system.

Example of an IS Security Policy

The following example of policy wording is taken from the SysAdmin, Audit, Network, Security Institute (SANS) (2013) email policy template:

The email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any employee should report the matter to their supervisor immediately. (para. 4.6)

Cybersecurity Policies

According to Santos (2019), the difference between an IS security policy and a cybersecurity policy is that cybersecurity focuses on the process of protecting against, detecting, and responding to attacks. It is therefore a collective approach to building strategies and policies that identify potential threats and allocate appropriate resources to address them. The idea is that the cybersecurity policy is an additional component of the traditional IS security policy, adding preventive, detective, and corrective actions. Santos (2019) defines cybersecurity policy as the process of protecting information assets and information systems, ensuring compliance, and maintaining environments that support the guiding principles (p. 4). This forces the organization to be proactive and accountable when it comes to cyberattacks. If the policy assigns a particular action to a department or team, then it is that group's responsibility to perform the action when the event occurs.
Laws and Regulations

Many federal laws impose requirements that an organization's security policies must satisfy; the resulting policy models are collections of rules that newly enacted policies must follow. In the textbook, Santos (2019) identifies two important federal laws that carry significant security policy requirements.

1. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999. This act was enacted to protect customer information held in connection with financial products and services from unauthorized access. Clearly, these institutions need to implement sufficient IS security policies to protect their data, systems, and electronic transactions.

2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Government agencies use similar policy models to ensure uniform confidentiality of sensitive information. Additionally, almost every medical facility has to adhere to these rules or face fines or the loss of funding from its budget. We also see many IS applications in the healthcare industry built to abide by this regulation so that their clients remain in compliance.
Roles and Security Responsibilities

As we have heard before, a secure system is only as strong as its weakest link; each area must be secured using multiple layers to provide defense in depth. Each functional department considers the level of security in different terms. Senior management sees policies as directives to create an IT security program, while systems engineers understand security policies as the specific security rules for particular systems. There are also differences between the personnel and teams of the organization. Think about the security policy for an engineer compared to that for a sales representative. An engineering security policy could focus on the proprietary designs of a custom product; if these designs and specifications reach a competitor, the organization's leverage and success could suffer.

The purpose of a security policy is to provide a framework for best operational practices so that the organization can minimize risks and respond effectively to any security incidents that occur. The process of building the policies helps ensure employees follow the appropriate internal practices and comply with external regulations and laws. Organizations need to consider how these policies are integrated into the workplace environment and review the policies against the organizational culture and goals. If the culture of the organization is to protect assets and proprietary processes, then robust policies need to be created to address those expectations.

Cybersecurity policy question: What happens when a hacker gains access to the database and the IT department determines there has been a breach?

Process for Creating Policies

As found in the course textbook, Santos (2019) states that the policy life cycle should follow the process of develop, publish, adopt, and review. This process differs from what we would see with another type of framework or software development methodology. In this case, we plan and develop the policy, communicate it to the users, make sure the organization adopts the concepts, and then continually review the policies to make sure they remain adequate for business operations.

Develop

Developing a policy can be time-intensive and require resources, which is why many small- and medium-size businesses fail to produce sufficient IS policies. In this stage, the organization or IS team needs to identify key stakeholders to ensure the policies not only align with the organization but also address any external regulations. Another important factor is to ensure the policy has contributions from each functional department: if the team fails to reach out to the accounting department, for example, major accounting and financial gaps or vulnerabilities may go unaddressed in the plan. Lastly, the dedicated resources need to work diligently to produce a document that the stakeholders can review and provide feedback on.

Publish

The policies and procedures need to be communicated and publicized so each department can adopt them as standard practice. Many organizations now use eLearning modules to reinforce the key points alongside the standard documentation. This is an added benefit because it provides an additional channel for distributing the policy. Think about the problems we may encounter if we create a standard security policy but fail to send updates or revisions to the audience.
Additionally, if we make the security policies difficult to retrieve, then we discourage the users or viewers from taking the time to review the content. It is within the publishing phase that we need to find the most efficient and effective way to ensure all users will receive regular updates and can access the content with ease. This is the perfect time to review the best strategies in terms of communication.
Adopt

In the adoption phase, the organization has the final copy of the IS security policies and procedures so it can enforce the practices. If an employee violates a procedure, then there should be clear steps describing the actions that will be taken in response to the violation. Remember, these IS security policies are in place to protect the customers, employees, and organization.

How many times have you seen an IS policy or procedure within an organization? Unfortunately, communication on IS and cybersecurity policies is often sent out only annually.

Figure: Life cycle of a policy

Review

The final phase of creating policies and procedures is the review phase. At this time we evaluate the new policies and procedures to ensure they are working as expected. There will, however, be a need for modifications and adjustments, so the individuals who developed the policies and procedures will need to make the necessary changes and then release the revised version back to the organization.

Summary

As you explore this course, you will learn that security within any organization starts with building a security policy, which is a centralized living document defining what is allowed and what is not. The aim of this course is to explore the history of policies and to describe in detail the process of building and implementing a successful information security policy. In the remaining units, we will learn best practices for communicating the policies to the different functional areas, including human resources. It is important to ensure the human resources department is fully aware of any new policies and of modifications to existing policies, to reduce liability and provide cohesion.
References

Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson.

SysAdmin, Audit, Network, Security Institute. (2013). Email policy [Template]. https://www.sans.org/security-resources/policies/general/pdf/email-policy