Reference no: EM133862240

Assessment - Essay critique on cybersecurity policy

Context: You are an information security manager who has been approached by an organization to help them improve their Security Policies and Standards. You need to provide a thorough review of the current Policies and Standards Document, identify the weaknesses, and recommend areas for improvement. All your recommendations should be based on solid research and clearly express the rationale behind the recommendation.

For this task we have provided Nine Policy documents adopted from SANS Information security templates repository. You need to select one policy document and select one of the fictional companies below:

1. Australian Financial institution with both online and physical service outlets.

2. Global Professional Services provider (e.g., Consultancy) offering professional services to organizations all over the world.

3. Global Charity organization providing support for causes all around the world.

4. Australian Healthcare provider providing health services to people in Australia and within the different states.

You need to understand the mission and business model for each in order to reflect that on the policies provided. It is acceptable to look at examples from existing organizations to under mission and business model and reference that as part of the work.

The requirements:

Review the requirement template provided in relation to the business you have selected and provide the following:

Question 1. Explain why the Policy document template provided could not be used as is. Make sure you draw relation to the usecase and do not only provide generic answer. Feel free to reference the organization mission and the business model if appropriate.

Question 2. Review the policy template provided and add tags between two square brackets of what you are doing for each policy statement or within each section paragraph. The tags to be used are [Add], [Delete], [Edit], [Accept] followed by the explanation. The [accept] tag is to be used if you agree that a certain statement should be used as is, but you also need to provide explanation why you reached this conclusion. Look at the examples below:

4.1.1 All "high" and "Critical" vulnerabilities discovered in any system, shall be remediated in two weeks.[Edit] I have replaced the world ‘can' in the original statement and replaced by ‘must' which is more in line with formal policy language

4.1.2 No system shall be allowed to be released in production before going through security testing. [Add] I have added this statement since it is more aligned with the business model of the organization which is committed to insure all systems offered to end users are secure.

4.1.3 Accepting the risk for the system to be released in production while a ‘critical' or ‘high' vulnerability is not remediated, is only to be authorized by the CEO. [Accept] I think this is a suitable statement and from the context of the organization, the CEO is the authority to accept business risk.

4.1.4 All ‘low' and ‘informational' vulnerabilities discovered during the security testing, shall be remediated within one week of discovery. [Delete] I don't think that remediating low and informational vulnerabilities would be considered a high priority to fix within one week. This will overwhelm the development team and cause the organization to miss vital deadlines.

Question 3. Explain the impact to the organization after applying the policy. You need to mentioned the expected benefit and any possible negative impact (e.g., performance impact, usability impact, financial costs)

Question 4. Explain your approach and what are the resources you have leveraged while working on this assessment. Reference any policy examples, articles, discussions, books...etc.

Question 5. Reflect on your learning experience with this assessment.