Question

In: Computer Science


Information security policies are the core internal guidance for an organization and must be enacted prior to the purchase of information security controls. There is a bit of a "chicken and egg" dispute in the information security community as to whether it is appropriate to first engage in risk assessment with policies created to address those findings or whether it is appropriate to first create policies against which a risk assessment can be performed. On a more granular level, security policy is meant to document what is important to a particular organization related to information technology assets, including data. This sequential order is critical to the success of an information security program because a successful program ensures that organizations do not spend too little or too much money when purchasing controls to enforce these policy decisions. For example, it is possible to purchase a certificate that uses DNA as the key to enforce an access control policy, but there are very few situations where that would be an appropriate or balanced choice.

You are a new information security officer for Metro City Community College. Metro City has a small urban campus in downtown Detroit and also offers their catalog of courses online. One of the first tasks you are assigned is to create the information security policies that will guide all subsequent security projects that you propose. Use the study materials and engage in any additional research needed to fill in knowledge gaps.

Write a 2–3 page paper that covers the following:

  • Describe the overall objectives of creating information security policy for this institution.
  • Analyze the benefits and challenges of enforcing information security policies within government agencies and organizations.
  • Evaluate how creation and enforcement of information security policies can impact customers and business partners that have a relationship with a government agency or organization.

Solutions

Expert Solution

  1. Describe the overall objectives of creating information security policy for this institution.

As the Security Officer of Metro City Community, I’ll establish the Information security policy for my organization with the following objectives:

  • The policies will comprise well-defined, comprehensive rules and practices that will regulate access to the organization’s system and information.
  • Since our organization works online and is a provider of a catalogue of online courses, the policies will lay the foundation of access control, since it’ll have many levels of users with restricted access.
  • Also, the policies laid down should be organization-oriented and should not be an imitation or a replica of already established security policies/rules.
  • The information security policies need to ensure that they fulfil all parameters for user-friendliness.
  • The policies will act as a regulating body for vulnerable internet security threats and the possibility of any incoming hack.

Scope of the Policies:

The scope of the policies will be limited to Metro City Community only.

Responsibilities –

As an Information Security Officer, I will be responsible for:
- Daily overall security check
- Weekly internal audits within all modules of the system
- Risk assessment on every new release and planning for further improvements

  2. Analyze the benefits and challenges of enforcing information security policies within government agencies and organizations.

Let’s talk of benefits first:

Protects Data-Integrity

This is one key benefit of information security policies: they help to secure confidentiality and data integrity.

Data and Information Security:

Since Metro City is an online course-offering organization, most of its data comprises intellectual property, i.e. information which has been developed by its creators through their own efforts to provide knowledge and information to users.

Ability to sustain vulnerable cyber attacks

Since it’s an online course-offering organization, it mostly deals with the Internet. As mentioned in the last point of the objectives, the policies act as a regulating body for vulnerable internet security threats and the possibility of any incoming hack.

Overall Governing policies for the organization

Lays down an effective foundation for the organization’s overall working policies.

Provides cost-effective solutions to avoid third-party security outsourcing

An efficient in-house development of information security policies can thus reduce costs which would otherwise have been employed to avail of external defense services to combat potential security threats.

Challenges faced in enforcing information security policies:

Some of the practical challenges which may be faced while implementing Information security policies in my organization are:

  1. Continuous developments and change in work culture – With an exponential increase in customer demand and in an effort to provide enhanced models, the security policies are often left untouched. Hence, they fall behind the current times and start generating loopholes. It is therefore very important to update information security policies with time.
  2. Active hackers – There are always unethical hackers present to decode every website and portal to gain administrative access over the system. There are dedicated underground teams running for this purpose, and they always keep an eye out, just waiting for a small security glitch to get into the system and steal intellectual property.
  3. Discipline within the team – As we know, ‘Charity begins at home’; above all the policies, it is the primary responsibility of the employees within the organization to be disciplined, well-cultured and follow the offline information security policies dedicatedly without any enforcement. If this fails, it’ll ultimately weaken the roots of the security at every level.

  3. Evaluate how creation and enforcement of information security policies can impact customers and business partners that have a relationship with a government agency or organization.

Impact over Customers and Business partners:

Customers and business merchants taking services of the organization can be impacted in the following ways:

Negative Impacts:

  1. Restricted access – A customer needs to pay to avail of the respective services, and the services depend on the specific type chosen: either Demo, Full or Partial. The only impact on the customer will be that he will not be eligible to avail of full services in the demo or trial offer. Also, on the other hand, suppose a particular service is available in the Full version but he doesn’t need the rest of the services; then he’ll have to pay an unnecessary extra amount.
  2. Link breakage/loophole – An overly sensitive and complicated security design may sometimes work negatively in cases where the customer may face inaccessibility. For example, suppose Metro City integrates a payment gateway for customers to purchase a particular service. The customer selects the service and gets redirected to the payment gateway, but the transaction gets cancelled midway and the amount is deducted. This is a very common issue faced by many customers, wherein the loophole within the security structure may be either in the parent company or the merchant bank. Whatever the case may be, it surely has a negative impact on the customer.
  3. Inclination of business partners towards organizations – The most common business partners associated with organizations are banks, courier services or third-party vendors. Suppose an organization approaches a bank to tie up with it for all its customer transactions. The bank will deploy an audit on the past records of the organization. An organization with an effectively laid-down information security structure may have a poor record in terms of customer deliverables and satisfaction. Such an audit score by the third-party merchant (govt. or non-govt.) will definitely have a negative impact and may not turn into a successful affiliation.

Positive Impacts:

  1. Gaining customers’ confidence – Laying down effective information security policies may also have a positive impact, such as helping to gain potential customers’ confidence, in that a new customer will be more willing to take the organization’s service on seeing an impressive security structure.
  2. Possible tie-ups or mergers with business partners – Effective information security and smooth continuity between a successful organization and its partner may in the long run result in a merger of the two, thereby gaining an even larger audience and rising in market competition.
