Cybersecurity Governance
Project 1: Policy Analyses
Step 4: Rewrite the Current Acceptable Use Policy
In the first three steps, you reviewed the process of creating security policies, reviewed components of a proper policy, and identified evaluation criteria to measure against existing policies. Now, you are ready to analyze and revise your own organization’s policies. Such analysis is likely to be qualitative for some aspects, quantitative for other aspects, and a hybrid for still other aspects of the policy. As such, your choice of measures and analytical techniques must be reasonable and justifiable.
Begin reviewing and updating the first of three security policies for your own organization. Review your organization’s current policies, with attention to its acceptable use policy. Determine what changes are necessary and note your suggested changes on the Policy Changes Matrix. Rewrite two to three sections of the acceptable use policy that may be in question and provide justification for your suggested modifications.
The new policy and the Policy Changes Matrix will be attached to the final assignment. Submit the new policy and table for feedback.
Your Organization’s Current Policies
Below, you will find three policies that are currently used by your organization. You will review and revise these policies (one in each step during Steps 4, 5, and 6).
Acceptable Use Policy for Employee Technology: Your Company
Policy/Revision Date: 77.00/11-16-2016
Previous Policy/Date: 77.00/11-16-2010
Originator: Chief Information Officer, Chief Information Security Officer, Human Resource Director
- Purpose
Your Company has made a commitment to inform its employees of the proper guidelines to follow when using technology resources. Your company is also required by law to inform employees of these policies. These resources are offered to employees to help them represent this company in an appropriate manner and complete their work while operating with the highest level of professionalism and integrity. Applicable individuals should respect the rights of others, refrain from abusing these resources, and comply with associated policies, local laws, and federal laws.
- Applicability
Any and all employees who access and operate company-provided technology resources, or represent the company while accessing said resources, are required to adhere to this policy. Persons covered by this policy include, but are not limited to: employees or contractors of Your Company and sister companies or other affiliates, whose work may directly affect the view of our company’s moral standing.
- Acceptable Use
All applicable technology users must adhere to the following guidelines:
- Comply with applicable federal, state, and all other internal and external mandated laws, policies, rules, contracts, and licenses.
- Protect company technology accounts by securing passwords and not sharing account information with others.
- Access only his or her account and respect the privacy of others and their accounts. Note: If there is a concern about someone else’s security, notify your direct supervisor immediately.
- Use company resources for business purposes only. Personal use is at the discretion of each employee’s immediate supervisor and should not affect the performance of an employee.
- Use company-provided signatures and email templates. Respond with professional etiquette in emails at all times.
- Refrain from visiting or viewing inappropriate websites, including—but not limited to—pornography.
- Protect confidential and proprietary information from unauthorized persons and those outside of the company domain.
- Avoid participation in illegal actions at any time with technology resources.
- Observe the following policies of Your Company: 77.10 E-mail Guidelines, 77.20 Mobile Device Guidelines, 77.30 Participation in Social Media Guidelines, and 77.40 Web Search Guidelines.
- Security and Privacy
- Employees and users of Your Company’s technology resources understand they give up the right of privacy in all said interactions with company resources.
- It is at the discretion and right of Your Company to investigate all technology resources it owns and communications made by its employees at any time.
- If it is suspected that a technology user at Your Company may be participating in illegal activity, potential harm of a person or operations, or other suspicious activity, Your Company may monitor usage and may do so without permission.
- Enforcement of Improper Use
- Your Company’s technology users will be notified of their noncompliance with the Acceptable Use Policy.
- Violators and suspected violators of Your Company’s Acceptable Use Policy may be denied access to technology resources and disciplinary action may be taken, including possible termination, or other imposed penalties set by the company and civil or criminal statutes.
- Related Policies
- Policy 77.10 – Email Guidelines
- Policy 77.20 – Mobile Device Guidelines
- Policy 77.30 – Participation in Social Media Guidelines
- Policy 77.40 – Web Search Guidelines
Computer, Internet, and Email Usage Policy: Your Company
Policy
These guidelines are issued to protect and inform our personnel of the proper policies and procedures for accessing the Internet and using other technology resources on behalf of Your Company. Users are granted access to these technological resources to act as a representative of the company and must acknowledge and adhere to said usage requirements. Those who infringe upon these policies and procedures may face disciplinary action, up to termination and any legal action resulting from criminal offenses committed against the federal, state, and local laws.
Purpose
To define acceptable and unacceptable policies and procedures, relative to utilizing internet and network infrastructure while working for Your Company.
Scope
All employees with access to the internet, using technology resources, or acting on behalf of Your Company are responsible for complying with this policy and applicable procedures.
- Acceptable Use
- Internet and technical applications should be utilized for official business purposes only.
- Business purposes consist of work-related activities, but educational, professional development, and research are also authorized.
- Personnel should contact their direct supervisor if there is any confusion as to what is acceptable use. Direct supervisors should use the services of the Technical Support Team if further clarification is needed.
- Unacceptable Use
- Personnel should not use the internet for illegal, unlawful, or inappropriate purposes. Illegal, unlawful, or inappropriate categories include—but are not limited to—pornographic or obscene content, violent or threatening subject matter, fraudulent activity, or any other forms of related content.
- Email and messaging services are strictly intended for Your Company business purposes. Bullying practices, disruptive behavior, and other continued actions that will interrupt the productivity of daily business functions will not be tolerated.
- Internet use for private and entertainment purposes and for activities unrelated to Your Company duties should be avoided.
- Internet use should not be exploited for external commercial or political purposes.
- Company users should not access the network unless granted permission in an administration capacity.
- Employees should not access, transfer, store, or distribute illegal copyrighted materials or files on the company’s network or property.
- Proper Internet and Email Conduct
- Email should reflect a professional tone, and the use of profane language is restricted.
- Personnel should seek the approval of management before divulging private or personal information.
- Users should act cautiously when handling sensitive information that will be sent via email; such information should only be shared with essential stakeholders.
- Your Company exercises the right to monitor and inspect any and all electronic activities that transpire on the company’s server.
- Security Standards
- Potential and explicit security issues should be reported at once to the user’s direct supervisor and the Technical Support Team.
- Users should not share their passwords, allow another user to access their account, or perform operations under the account of another user.
- If Your Company personnel are found to be a security risk or have had repeated security issues, an immediate restriction may be placed on their accounts.
- Disciplinary Action
- Violation of any of the abovementioned policies and procedures may result in immediate denial of access to the company network and corrective action up to termination.
- If a criminal offense has been committed, federal, state, and local law enforcement will assume responsibilities and press charges. Your Company will provide information and cooperate to the fullest extent.
- User Consent
- I accept the terms and conditions within the Internet Use Policy and will respect these guidelines and procedures when utilizing the Your Company network and Internet.
- By signing the Internet Use Policy, I agree and will adhere to any and all guidelines.
Full Name Printed ______________________________
Signature ______________________________
Date ______________________________
Department ______________________________
Privacy Policy: Your Company
Customer Protection Obligation
Your Company assumes the responsibility to its customers to disclose our privacy policy and practices for www.YourCompany.com. This policy applies exclusively to information collected by the Your Company website. It will report the following information:
- process to revise, correct, and update your personal information
- options available to you concerning your personal information
- specific personal information that is collected through http://www.yourcompany.com
- security process in place that protects information from improper conduct
Information Distribution, Collection, and Usage
Your Company will only collect and access information that has been provided by you directly, voluntarily, in any and all methods you deem appropriate. We may contact you via the methods you supplied us, to communicate specials, products, or services, or changes to this policy. At any time, you may contact us to be removed from any of these lines of communication.
Once received, sole ownership of your personal information will remain with Your Company. We vow to not freely provide, sell, or rent your information to any third party person or business. This information should be used only for the purpose of completing your request.
Information Access and Control
You may notify Your Company at any time via phone or email to change your communication preferences or opt out completely. You may take the following actions:
- inquire about and receive data we have on file about you, if any
- correct or update the contact information we have on record for you
- request to remove your data from our records
- address concerns and review our policies regarding use of your data
Personal Information Security
We ensure that all possible safeguards are taken to protect your information online and offline at Your Company. Encryption is introduced at collection and will remain during all phases of handling your sensitive information, such as, but not limited to, credit card data. If there is a question at any time, you may establish this security by confirming that your web page starts with “https.” Your information will only be available on a need to know basis and employees must be permitted to accept your information. Your personal information is housed within an environment of servers and computers that exemplifies the utmost level of security.
Privacy Policy Updates
Updates will be communicated on our website, and you may submit a written request for the current policy.
Note: Please contact us immediately via phone at 555-555-5555 or via email at policyconcerns@YourCompany.com if you believe you have witnessed instances where our privacy policy is not being followed.