Security Presentation 1623, Assignments of Computer Science

Typology: Assignments

2019/2020

Uploaded on 09/07/2021

fg-hcm-le-vo-hong-ngoc

Assignment Brief 2 (RQF)

Higher National Certificate/Diploma in Computing

Student Name/ID Number:

Unit Number and Title: Unit 5: Security

Academic Year: 2021 – 2022

Unit Assessor: Van Ho

Assignment Title: Security Presentation

Issue Date: April 1st, 2021

Submission Date:

Internal Verifier Name:

Date:

Submission Format:

Format:

● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.

Submission

● Students are required to submit the assignment by the due date and in the way requested by the Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the Word file into a PDF file before submitting it on CMS.

Note:

● The individual assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:


LO 3 Review mechanisms to control organizational IT security.

LO 4 Manage organizational security.

Assignment Brief and Guidance:

Assignment scenario

You work for a security consultancy as an IT Security Specialist.

A manufacturing company, “Wheelie good”, in Ho Chi Minh City making bicycle parts for export has asked your company to propose a Security Policy for their organization, after reading stories in the media about security breaches in organizations and their ramifications.

Task 1

In preparation for this task, you will prepare a report considering:

● The security risks faced by the company.
● How data protection regulations and ISO risk management standards apply to IT security.
● The potential impact that an IT security audit might have on the security of the organization.
● The responsibilities of employees and stakeholders in relation to security.

Task 2

Following your report:

● You will now design and implement a security policy.
● While considering the components to be included in a disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Task 3

In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.

Contents

Assignment Brief 2 (RQF)

Higher National Certificate/Diploma in Computing

P5 Discuss risk assessment procedures

P6 Explain data protection processes and regulations as applicable to an organization

M3 Summarize the ISO 31000 risk management methodology and its application in IT security

D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment

P7 Design and implement a security policy for an organization

P8 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion

M5 Discuss the roles of stakeholders in the organization to implement security audit recommendations

D3 Evaluate the suitability of the tools used in an organizational policy

References

P5 Discuss risk assessment procedures:

Risk assessment is a technique for identifying and addressing risks proactively in all settings. It is an essential tool for effective risk management, whether the risks concern health and safety or any other area of the organization (including operational, financial, environmental and information security risks). The organization has a legal obligation under health and safety legislation (such as the Health and Safety in Employment Act) to carry out risk assessments to protect employees; in addition, risk assessment is an important building block of a focused approach to governance and risk management.

While recognizing that risks cannot be eliminated entirely, channelling resources effectively into identifying and mitigating risks is good business practice and protects staff and assets. The objective of risk assessment is to reduce and/or eliminate the consequences of risks that materialize, thereby reducing accidents, harm, loss or interruption to the service.

Effective risk assessment is based on several steps: identifying risks, assessing the extent of each risk, deciding whether action should be taken to mitigate it, taking that action, and then evaluating the outcome of the action.

The purpose of the procedure

● To ensure that a consistent approach to risk assessment techniques is applied across all services within the organization.
● To create and maintain a risk-aware culture within the organization, reflected in both business planning and operational management.
● To promote a risk-aware organization through risk assessment and proactive risk management across all services.
● To provide training and support to employees performing risk assessments.

Risk assessment benefits

● Optimal productivity: when you remove the obstacles employees face while trying to complete their tasks and give them the right tools for the job, productivity and workmanship will be higher. When employees are forced to deal with damaged tools or systems, they waste time working around the problem, which wastes the company's time and money. Investing in better facilities, creating an ergonomic workspace and training employees to do their job safely sets the conditions for optimal productivity.
● Better recruitment: when people decide where to work, businesses known for their commitment to safety at work may be a more attractive option.
● Positive image: avoiding negative publicity is good for your public image, but it also increases opportunities for your company. When you are seen to be committed to security, other businesses will want to be associated with your brand.

The process involves 5 steps as shown below

Step 1 - Identify hazards:

● Walk around the workplace.
● Review work activities, locations, equipment used and exposure to materials.
● Speak to staff, managers and students.
● Consider recent accidents and incidents.

Step 2 - Decide who can be harmed and how:

P6 Explain data protection processes and regulations as applicable to an organization:

Data protection is the process of safeguarding data. It covers the collection and dissemination of data and the technology involved, public perceptions and expectations of privacy, and the political and legal framework that surrounds data. It aims to balance individuals' privacy rights against the legitimate use of data for commercial purposes. Data protection should apply to all forms of data, whether personal data or company data. It involves data integrity (preventing damage or errors) and data privacy (ensuring that data can only be accessed by people with the appropriate access rights). Data protection environments differ, as do the methods and levels of protection: data may be protected at the level of an individual, a company or a public entity, and highly confidential data must be protected so that it does not fall into the hands of anyone other than its owner, in other words, kept top secret.

The importance of data protection grows as the amount of data created and stored continues to increase at an unprecedented rate. There is also little tolerance for downtime that makes it impossible to access important information. As a result, most data protection strategies ensure that data can be recovered quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy is a key component of data protection. Data availability ensures that users have the data required to run the business even if some data is corrupted or lost.

Governance and the primacy of law

All users are required to use the company's sites, services, facilities and resources provided or managed by IT Services lawfully at all times. When using IT we remain subject to the same laws and regulations as in the physical world. Specifically, it is the individual user's responsibility to comply with all applicable legislation, including:

● The Computer Misuse Act (1990)
● The Data Protection Act (1998)
● The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (in effect from 25 May 2018)
● The Copyright, Designs and Patents Act (1988)
● The Obscene Publications Acts (1959, 1964)
● The Telecommunications Act (1984) Information Technology Regulations
● The Telecommunications (Fraud) Act 1997
● The Race Relations Act (1976, 2000 Amendment)
● Regulation of Investigatory Powers Act (2000) - (Communications Data) (Additional Functions and Amendment) Order 2009

● Users may not use the organization's IT facilities to hold or process personal data except in accordance with current data protection law. Anyone who wishes to use the facilities for that purpose must register this intention with Information & Compliance Management (for contact details, see section 17 below). A user must comply with any restrictions imposed on the manner in which the data may be held or processed, and is legally liable for any liability arising from failure to comply with the provisions of current data protection legislation.
● Your conduct is expected to be lawful. Ignorance of the law is not considered an adequate defence for illicit conduct. When accessing services from other jurisdictions, you must comply with all applicable local laws as well as the laws of the location of the service.
● You are bound by the general rules of the organization when using its IT facilities.
● You must comply with the rules that apply to any other organization whose services you access.
● Any violation of an applicable law or of a third party's regulations will be considered a violation of these IT regulations.
● Users are reminded that much of the material available through electronic communications is protected by intellectual property rights, which may be infringed by downloading, uploading, publishing, copying, possessing, processing or distributing material from the internet.

Authority

These regulations are issued under the authority of the board of directors, which is also responsible for their interpretation and implementation and may delegate this power to others. By using the facilities as a user of the organization, you accept that your use is governed by these rules. You may not use IT facilities in any way that violates these rules or any other policies issued by the organization or its subsidiaries. You must comply with any reasonable written or oral instructions issued by those authorized to enforce these rules.

Identity

You must take reasonable precautions to protect any IT credentials granted to you (for example, usernames and passwords, email addresses, smart cards or other identity hardware). You must not allow others to use your IT credentials. No one has the right to ask for your password, and you must not disclose it to anyone. You must not attempt to obtain or use the credentials of others. When using IT facilities, you must not impersonate others or conceal your identity. The Chief Information Officer reserves the right to withdraw any service or activity provided by IT Services at any time without notice. All users must carry a valid ID when using the organization's facilities and must use it to access areas that require secure entry. The card must be presented at the request of staff. If the photograph is not clear, additional confirmation is required. External users must present two forms of identification, one a photo ID and the other a proof of address.

An example: The General Data Protection Regulation (GDPR)

These rules significantly increase the obligations and responsibilities of employers regarding the ways in which personal data is collected, used and protected. Employees must understand their responsibilities under data protection law, and employers need adequate data protection policies and procedures. It is important for organizations to inform their employees about the GDPR and to provide training on the rules. The following describes some of the main responsibilities of employers and outlines the rights of workers.

Rules

Main GDPR terms include:

● Personal data: data that relates to or may identify a living person, either on its own or together with other available information. Examples include a person's name, phone number, bank details and medical history.

● Processing is necessary to protect the vital interests of workers (for example, where a person's medical history is disclosed to a hospital that treats them after a serious road accident).
● Processing is necessary for the purposes of legitimate interests.
● Consent: consent is a lawful basis for processing employee data, and you should obtain consent if none of the other lawful bases above apply. You need to be aware of your obligations when requesting consent from employees. The GDPR states that consent must be 'freely given, specific, informed and unambiguous'. This means that the data subject must be aware that they are consenting to have their data processed and must not be forced into giving consent. Before an employee gives consent, the employer must show that it told employees why their personal data is being collected and how it will be used and handled. Silence, pre-ticked boxes or inactivity cannot be taken as consent. A data subject can withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.
● Training and communication about the GDPR with workers and prospective employees: as an employer, you must inform employees about what personal data you will collect (or whether it will be obtained from a third party), how the data will be processed, and why it will be processed. You may display a Data Protection Notice at your office to fulfil this obligation. You must also have a data protection policy in place and provide GDPR training to employees. The GDPR requires that certain information be provided to prospective employees before their personal data is collected and processed; this information must be clear and accessible, and may take the form of a privacy notice on the website and a letter to the candidate. Training on data protection policies should be given to employees once they are hired.

● Data Subject Access Request (DSAR)

Employers must have procedures to respond to requests from employees for access to their personal data within one month. This can be extended by a further two months where requests are complex or numerous.

● Security obligations

Data must be protected by 'appropriate technical and organizational measures'. Data should be stored securely, for example by using anonymization or pseudonymization, encryption, anti-virus measures and backups. Employers must test these security measures and be able to demonstrate that they have complied with the GDPR's security obligations.

● Retention of records and the right to rectification

Organizations may only retain data for as long as necessary to complete the purpose for which it was collected, or as required by law. Employers must have a retention policy and be able to give reasons why data is stored. Employees have the right to know what data their employers hold about them, and they also have the right to have that data corrected. What happens to employee data when a contract of employment ends should be documented in HR policy.

● Sharing and transferring personal data

Organizations that use third parties, such as recruitment agencies or payroll providers, to process employee data are responsible for ensuring that those third parties comply with the GDPR, and must have an appropriate agreement in place with them. You must also comply with the GDPR's obligations regarding transfers of data outside the company and, in particular, outside the EU.

● Data Protection Officer

Under the GDPR some organizations must appoint a Data Protection Officer, for example public authorities and bodies, government departments, organizations involved in large-scale, regular and systematic monitoring of individuals, and organizations that process special category data on a large scale.

● Breach reporting

You must report a personal data breach to the Data Protection Commission (DPC) within 72 hours of becoming aware of it. If you do not notify the DPC within 72 hours, you must give reasons for the delay. Breaches that could put data subjects at risk, for example of identity theft, must also be reported to the individuals concerned.

● Penalties

It is important that you comply with the law and have adequate policies and procedures in place. Your organization can be investigated and can face significant penalties if your practices violate the GDPR.

M3 Summarize the ISO 31000 risk management methodology and its application in IT security:

ISO 31000 is an international standard designed to help organizations of any size and type manage risk effectively. It is known as a practical document that helps organizations develop their own risk management methods. It provides general principles, a framework and a process for managing any type of risk in a transparent and systematic way, and can be used by "any public, private or community enterprise, association, group or individual". The risks that affect an organization have an impact on economic performance and professional reputation, as well as on environmental performance, safety and society. Managing risk effectively therefore helps organizations perform well in an environment full of uncertainty. ISO 31000 provides guidelines, principles, a framework and a process for managing risk, and any organization can use it regardless of size, activity or sector.

In IT security, an organization uses ISO 31000 as the way it manages risk; it also helps the organization increase the likelihood of achieving its goals, identify opportunities and threats, and allocate and use resources effectively for risk treatment. ISO 31000 cannot be used for certification purposes, but it provides guidance for internal or external audit programs. Organizations can use it to compare their risk management practices with an internationally recognized benchmark, and it provides sound principles for effective management and corporate governance.

How does ISO 31000 define risk?

While risk is often defined in terms of negative or harmful effects, ISO 31000 defines risk as the effect of uncertainty on objectives, with consequences that may be positive or negative. Risk management is identifying deviations from what is planned or required and managing them to maximize opportunities, minimize losses and improve outcomes.

How does ISO 31000 relate to standards for specific risks?

ISO 31000 is not a substitute for existing international standards that are used successfully to manage specific risks in sectors such as machine safety, transport, energy, IT and the environment; instead, it should be seen as a high-level document supporting those existing standards.

How does ISO 31000 help organizations?

● Increases the likelihood of achieving objectives.
● Promotes proactive management.

stage: communication and consultation, and monitoring and review. The organization conducting the assessment should ensure that stakeholders are informed throughout the process and should monitor the process to ensure that it is effective.

The two main components of the ISO 31000 risk management process

● Framework: the ISO 31000 framework reflects the plan, do, check, act (PDCA) cycle that is common to all management system designs. However, the standard notes that "this Framework is not intended to set management systems, but to assist organizations to integrate risk management into its overall management system". This should encourage the organization to be flexible in combining the elements of the framework as needed.
● Process: after setting up the risk management framework, the organization is ready to develop the process. The process, as defined by ISO 31000, is "multi-step and iterative, designed to identify and analyse risks within the context of the organization."

Benefits of using ISO 31000 in IT

● It can increase competitive advantage by adopting a globally accepted risk management standard.
● It raises awareness and understanding of organizational risk, especially in IT.
● It supports the reduction and/or removal of IT risks.
● It confirms that identified risks are within the organization's risk criteria and tolerance.
● It increases customer and stakeholder trust.

In conclusion, ISO 31000 is an excellent reference for organizations designing their risk assessment process. It offers a useful approach both for self-assessment and for meeting regulatory requirements. Overall, the risk management principles and process described in ISO 31000, supported by the ISO/IEC 31010 guidance on risk assessment techniques, provide a robust system that enables organizations to plan and implement programs that are repeatable, proactive and strategic. The design of particular program elements depends largely on the goals, resources and circumstances of the individual organization. Beyond the implementation stage, management involvement in setting direction and regularly reviewing results should be part of every program; this will not only enhance risk management but also ensure appropriate treatment in line with organizational objectives and long-term strategy.

M4 Discuss possible impacts to organizational security resulting from an IT security audit:

IT security audits are a good defence against cyber-crime and other security weaknesses, providing an in-depth assessment of the IT infrastructure and of the role of company staff. Typically, auditors conduct staff interviews, vulnerability scans and tests to evaluate your security plan. You can engage an outsourced service provider to carry out your IT security audit, which can give you an overview of strategic options for improving your entire IT system and operations. With a service handling your security audit, your organization can put a more robust IT system in place. The scope of an IT security audit may include database management for resource planning and the supply chain networks, along with other key areas of your business.

How often is an IT security audit required?

Given that technology is constantly evolving and software is constantly updated, it is worth investing in an audit every year. Waiting until you think you have been attacked before getting professional help is unwise, because by then the damage may already have been done, possibly on an irreparable scale. An audit is also advisable if you have recently made a major change to your IT hardware or infrastructure, or have integrated a new system into your network: a change of that magnitude may have unforeseen consequences with a major internal effect that needs addressing.

The impact of an IT security audit on the organization

● It evaluates the flow of data in your business: data is one of your primary assets and requires top-level security controls. The IT security auditor determines what types of information you hold, how it flows in and out of your organization, and who has access to it. All technologies and processes related to your data breach prevention measures are reviewed to ensure that no data will be lost, stolen, misused or destroyed. Otherwise you risk legal disputes with your customers or other parties involved. The audit team may also lay the foundation for any improvement or enforcement required in this area.
● It identifies weak points and problems: an IT system is extensive, with many components including hardware, software, data and procedures. An outsourced IT service can determine whether there are problems with your system. They can check whether your hardware and software tools are configured and working properly, and retrace past security incidents that may have exposed your security vulnerabilities. The on-site audit focuses on tests of network vulnerabilities, operating systems, access controls and security applications.
● It determines whether you should change your security policy: the auditing process starts with a pre-audit, in which the auditors obtain documentation relating to previous audits as well as copies of current policies and procedures. After that they analyze and test your entire system on site. Throughout the audit the auditors document everything they discover about the security and effectiveness of your IT system. By the time they complete the audit they will have a clear assessment of whether you have adequate security measures implemented consistently across the organization. For example, they may find wireless networks that pose a risk beyond acceptable levels.
● It recommends how to leverage information technology in your business security: the technology you use should correspond to the level of security your business requires. Part of the IT security audit function is therefore to help you understand how to choose the right security tools for your organization. The auditor can determine whether you should apply a security solution across all devices or use specific software for each risk area. An auditing security expert can also advise you on where to invest in your IT systems, so that you can allocate your security resources properly. They can stop you from trying to secure every server or application where the risk level does not justify it.
● It provides in-depth analysis of your internal and external IT systems: your IT security audit report contains a detailed list of the audit team's findings, complete with an executive summary, supporting data and attachments. It highlights problem areas and proposes solutions for risk areas, compliance with industry standards, security policies and so on. For example, a section of the report may discuss the quality of your security controls. You may have set up a firewall on your server, but if your internal controls are weak or have been compromised, your important data is still at risk.
● It reduces risk and secures the data: planning and implementing IT audits includes IT risk assessment and identification in any organization. Typically, IT audits cover risks related to the integrity, confidentiality and availability of the IT infrastructure and processes. Additional risks include the efficiency, effectiveness and reliability of IT. Once risk has been assessed, there is a clearer view of the path to take to reduce and control risks, or to accept those risks that are part of the operating environment. Systems that have been through IT audits are therefore expected to provide confidentiality, availability and data integrity.
This means that sensitive information

success, protect your valuable business data, and empower your staff with great user experience and you can make your company a success.

D2 Consider how IT security can be aligned with organizational policy, detailing the

security impact of any misalignment:

How IT security can be aligned with organizational policy:

• Create the right policy: This requires a collaborative approach that brings in stakeholders not only from IT and Security Operations but also from Legal, Human Resources and Operations, and ensures their needs are addressed. A policy is only as good as the ability to monitor and enforce it. Policies that prevent any part of the organization from carrying out its tasks will quickly be discarded, opening the door to a domino effect of security issues. This collaboration should also account for the organization's dynamics, including core services, internal customers and, where applicable, external partners or businesses that may require access.

• Promote continuous communication: Often an organization goes through a big and ambitious goal-setting process but then does not revisit the goals for a quarter or even a year. Consider using one of the many tools that automatically remind managers and employees when it is time to update progress towards goals. By systematically checking in with staff, teams and departments and measuring their progress against their goals, you build a responsive and engaged work environment and a culture of goal-setting and achievement.

• Process: Adopt a strategic process approach to the security management program, such as an ISMS as specified by ISO/IEC 27001, supported by risk management guidance such as ISO 31000. This establishes the ability to evaluate, develop and implement security controls when and as the business requires them, rather than enforcing a "one size fits all" baseline of controls.

• Planning: The strategic and tactical planning activities of an information security organization provide ample opportunity to align projects and actions with real business needs. For example, one key strategy is to apply the principles of enterprise architecture in the security planning practice.

• Conduct risk assessment and analysis: Assessing and analyzing IT security risk is essential to building processes that address the most vulnerable systems and processes first. A corrective action plan can then be formulated that addresses not only current needs but anticipates future ones. As part of the Business Continuity Planning program, risk assessments provide insight that lets you avoid security and governance concerns before they actually become "issues". An example is the development of the Disaster Recovery Plan: identifying critical systems, and the warm-site and cold-site requirements that follow from a detailed risk analysis, will save hours when working to rebuild critical systems and data.

Impact of any misalignment:

• Lack of clarity of responsibility: When responsibilities are not clearly defined, no one is responsible, or the responsible person is not the right person, or several people struggle over control. This scenario has different effects on the company's bottom line. When results are good, people tend to compete for credit. When results are bad, people may resort to finger-pointing and blame each other.

• Decision making takes too long: Slow decision-making drains the momentum needed for growth and puts the company at a competitive disadvantage, especially against aggressive competitors and more agile organizations. While there are legitimate reasons for taking time to make decisions, if the slow pace is caused by a lack of clarity as to who should make the decision, or by a poor understanding of the organization's vision and strategy, then these conditions inhibit action and indicate a lack of alignment.

P7 Design and implement a security policy for an organization:

1. Security policy:

• Definition: A security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on the behavior of its members as well as the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and the flow of information among them, constraints on access by external systems and adversaries (including programs), and access to data by people.

• The objective of an IT security policy is the preservation of the confidentiality, integrity and availability of the systems and information used by an organization's members. These three principles make up the CIA triad:

  • Confidentiality: protection of assets from disclosure to unauthorized entities.
  • Integrity: ensures that modification of assets happens only in a specified and authorized manner.
  • Availability: the state of the system in which authorized users have continuous access to those assets.

• Example: Acceptable Use Policy (AUP): An AUP stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access the corporate network or the internet. It is standard onboarding policy for new employees: they are given an AUP to read and sign before being granted a network ID. It is recommended that an organization's IT, security,

2. Things to consider when creating policies:

• Ensure that there is a policy on policies: It sounds a little redundant, but it is important to work within a predefined and agreed-upon framework even when it comes to policy formation. Creating a simple policy on policies that defines the organization's process for creating new policies is an important first step in maturing them. This "meta policy" should include guidance on what situations constitute the need for a new policy, the format new policies should use, and the process that must be followed for a new policy to be approved. Without a process and framework around policy formation, you risk significant inconsistency in how policies are created and in their outcomes, which can lead to poor or difficult enforcement.

• Identify any overlap with existing policies: This one is simple. Before you create a new policy, check whether the policy you are planning already exists, or whether portions of it exist in other policies. If so, consider revising the existing policies rather than creating a brand new one.

• Don't develop the policy in a vacuum: I've seen individuals sit behind their desks and create policies that they felt were necessary and that were developed wholly on their own. Most often this has happened in organizations lacking any kind of policy governance structure. In most cases the policies lacked key factors and were slanted in ways that were not positive for the organization. As you might expect, the policies did good things for the person developing them, though.

• Step back and consider the need: Are you creating a policy because one is needed, or because someone did something you didn't like? There is a big difference and, again, I have seen policies put in place out of spite and as retribution. Obviously, that kind of activity wouldn't happen in a reasonable organization. But it also won't happen in one that has a strict policy on policies, since the policy will generally go through multiple levels of approval and somewhere along the way someone will step back and ask, "Why do we need this?"

• Define policy maintenance responsibility: Most policies require periodic review to ensure their continued applicability. Further, as questions are raised about a policy, someone needs to be able to provide clarifying information. Always identify the office, not the individual, that is responsible for the policy; individuals come and go.

• Establish a policy library with versioning: There are all kinds of tools, such as SharePoint, that let you store versions of documents. Every employee should be able to access all the policies that apply to them at all times. If employees can't get access to policies, how can they be expected to follow them? As policies evolve, versioning lets you see their history and track what has changed over time.

3. Steps to design a policy:

• Step 1: Identify your risks: A good way to identify your risks is through the use of monitoring or reporting tools. Many vendors of firewalls and Internet security products allow evaluation periods for their products. If those products provide reporting information, it can be helpful to use these evaluation periods to assess your risks. However, it is important to ensure that your employees are aware that you will be recording their activity for the purposes of risk assessment if you choose to do this. Many employees may view this as an invasion of their privacy if it is attempted without their knowledge.

• Step 2: Learn from others: There are many types of security policies, so it is important to see what other organizations like yours are doing. You can spend a couple of hours browsing online, or buy a book such as Information Security Policies Made Easy by Charles Cresson Wood, which has more than 1,200 policies ready to customize. Also, talk to the sales reps from security software vendors; they are always happy to give out information.

• Step 3: Make sure the policy conforms to legal requirements: Depending on your data holdings, jurisdiction and location, you may be required to meet certain minimum standards to ensure the privacy and integrity of your data, especially if your company holds personal information. Having a viable security policy documented and in place is one way of mitigating liabilities you might incur in the event of a security breach.

• Step 4: Level of security = level of risk: Don't be overzealous. Too much security can be as bad as too little. You might find that, apart from keeping the bad guys out, you don't have any problems with appropriate use because you have a mature, dedicated staff. In such cases, a written code of conduct is the most important thing. Excessive security can be a hindrance to smooth business operations, so make sure you don't overprotect yourself.

• Step 5: Include staff in policy development: No one wants a policy dictated from above. Involve staff in the process of defining appropriate use. Keep staff informed as the rules are developed and tools are implemented. If people understand the need for a responsible security policy, they will be much more inclined to comply.

• Step 6: Train your employees: Staff training is commonly overlooked or underappreciated as part of the AUP implementation process, but in practice it is probably one of the most useful phases. It not only informs employees and helps them understand the policies, it also lets you discuss the practical, real-world implications of the policy. End users will often ask questions or offer examples in a training forum, and this can be very rewarding: these questions can help you define the policy in more detail and adjust it to be more useful.

• Step 7: Get it in writing: Make sure every member of your staff has read, signed and understood the policy. All new hires should sign the policy when they are brought on board and should be required to reread and reconfirm their understanding of it at least annually. For large organizations, use automated tools to deliver the documents electronically and track signatures. Some tools even provide quizzes to test users' knowledge of the policy.

• Step 8: Set clear penalties and enforce them: Network security is no joke. Your security policy is not a set of voluntary guidelines but a condition of employment. Have a clear set of procedures in place that spell out the penalties for breaches of the security policy, then enforce them. A security policy with haphazard compliance is almost as bad as no policy at all.

• Step 9: Update your staff: A security policy is a dynamic document because the network itself is always evolving. People come and go. Databases are created and destroyed. New security threats pop up. Keeping the security policy updated is hard enough, but keeping staff aware of any changes that affect their day-to-day operations is even more difficult. Open communication is the key to success.

• Step 10: Install the tools you need: Having a policy is one thing, enforcing it is another. Internet and e-mail content security products with customizable rule sets can ensure that your policy, no