This week’s topic, information security policies, is perhaps the most important topic that a Business major can take from this course. This is the governance layer that lays the bedrock for your organization’s security posture. Sure, the technical folks are responsible for executing on that policy, but this is where the leaders of a business get together, reach agreement, at times do a sanity check on what is enforceable in the organization, and draft the rules that will make sure the organization is secure.
This is not an exercise in putting down whatever “sounds” good in order to check the box and claim that your organization has policies. It takes a realistic perspective and evaluation of what is needed, what is possible, and what is enforceable. It is typically better to have a weak policy that is enforced than to have a strong policy that is ignored.
The resources provided include three articles on approaches to drafting an information security policy. Among the steps is to select a framework or set of standards. These could include “best practice” frameworks such as ISO 27001, NIST SP 800 Series, COBIT, ITIL, or similar guidelines. Depending on the industry, this will likely also include “compliance” standards such as PCI-DSS, HIPAA/HITECH, SOX, FISMA, GLBA, or other legal and regulatory obligations. The resources provided include the NIST CyberSecurity Framework as an example of best practice frameworks and the PCI-DSS compliance standards for those who process credit cards. Both of these will include specific elements or policies that should be included in your overall policy set.
Additionally, I have included links to the Greater Houston Partnership’s Cybersecurity Assessment Tool, the FCC’s CyberPlanner Tool, and the Traveler’s Insurance Cyber Risk Pressure Test. These tools can help you evaluate your organization’s current posture. Such evaluations can help to flesh out the organization’s policies much like the best practice standards. Additionally, from a learning standpoint, they are a bit easier to go through than something like the full PCI-DSS standard.
Last, but definitely not least, I have included a link to the SANS security policy template library. When it comes to actually drafting policies, these or similar “out-of-the-box” policy templates can provide a good start and help you understand the level of detail needed. Remember that details are important, but a policy should not be so complicated that it must be updated constantly or that it becomes unmanageable. This includes considering how much time you have available for dealing with policy issues.
This is a lot of information. My primary concern this week is that you take the time to review the resources. It would be impractical to have you draft a policy or try to regurgitate all of what you see here. Read the articles, skim the frameworks and standards, tinker with some of the assessment/planning tools.
For your web project, I’d like you to pick three things that stood out to you. This could relate to the process of drafting the policies, the contents of the frameworks or standards, the usefulness of the assessment/planning tools, the format/contents/level of detail in the policy templates, etc. Just choose any three things you learned and share your thoughts about them in about 500 words. This is an informal assignment. Citations are not necessary unless you are quoting, but may be useful to indicate what you are referencing.