There are three basic types of organizations:
Choose an organization type and consider that the basis of your scenario. Imagine you are creating information technology security policies in this scenario. You will create a short paper describing the relevant needs and issues, the recommended structure, and how security policies should be implemented. See the outline below for specific content requirements.
There is a word limit—1000-1500 words is the target. It will be difficult to fully address each topic in the outline in a short way, but keeping writing concise and organized is an important workforce skill. To keep within the target word-count range, limit yourself to 100-150 words per section of the outline. An exception is outline #6, which would require 300 or more words.
Outline of Paper, with Specific Content Requirements:
- Identify the relevant business drivers for your chosen scenario. A business driver is something that affects whether an organization can be successful. The textbook lists things like cost and customer satisfaction. Consider especially business drivers relevant to IT security, like mitigating risk exposure, mitigating liability of the organization, etc.
- For each of the laws in chapter 3, first identify whether the law must be applied to your scenario, and second why or why not this law is relevant. Consider especially industrial standards, like PCI DSS, No. 16 (SSAE16), and ITIL.
- Discuss the Seven Domains of IT Responsibility and their application. Identify which domains are MOST applicable and explain why. If that domain is not very applicable, explain why not.
- Identify what policy implementation issues may affect your scenario, such as motivation, leadership, values, whether the organization is likely hierarchical or flat, etc.
- Every business is a little different, so for this item on the outline, review chapter 6 and select which framework aspects you would focus on for that scenario's security policy. Identify and justify based on the scenario the appropriate type of IT security policy frameworks that should be implemented. Also include information assurance considerations—confidentiality, integrity, and availability.
- Identify how to design, organize, implement, and maintain appropriate IT security policies. Since there are so many policies possible, choose just 4-5 policies to focus on for this section. Also include how you would organize the document of policies. For reference, see pages 182-190 for guidelines of what would be included in a policy and how it would be organized. Do not write the policies themselves—you do not have detailed information about the scenario to enable you to do that. Just briefly explain the process. Possible policies:
  - Acceptable Use
  - Access Control
  - Asset Protection/Management
  - Continuity & Disaster Recovery
  - Data Classification Standard & Encryption
  - Internet Ingress/Egress Traffic
  - Mandated Security Awareness Training
  - Production Data Backup
  - Remote Access
  - Vulnerability Management & Vulnerability Window
  - Threat Assessment & Management
  - WAN Service Availability
- Identify the IT security policy framework approach you would use and why. Also include the User domain policy you would use and the most appropriate IT infrastructure security policy.
- For a Risk Management policy and Incident Response Team (IRT) policies, identify the type of policy you would select for each and justify why.
- Discuss the appropriate method to implement and maintain the IT security policy framework, including compliance technologies needed.
There are usually multiple ways to apply the course content to your scenario. You will be graded on how well you explain and justify your choices based on the needs of your scenario.