1-2 page paper that discusses how policies and procedures are used to implement

Question

1-2 page paper that discusses how policies and procedures are used to implement a security plan. Describe the following:

• Topics that should be covered by security policies

• Role of security awareness training

• Steps that can be taken to help ensure compliance with policies

• How human resources security is included in security policies and planning

• Risk assessment and mitigation strategies related to security controls and safeguards

Include detailed speaker notes within your presentation, and support your presentation with appropriate references.

Explanation / Answer

Every organization is divided into various subgroups, called departments, that control specific functions of the organization. Policies and procedures specify the activities that are to happen in each department. One of the first steps taken at the time of auditing is to scrutinize these critical documents. Any finding an auditor makes should be referenced back to the policy. This enables auditors to identify the cause of the problem and suggest a solution accordingly.

Policy Development

Policies can be developed using either a bottom-up or top-down approach.

Top-down policy development means that policies are pushed down from the top of the company. The advantage of this approach is that it ensures that policy is aligned with the company's strategy. Where this approach is lacking is speed: it is a time-consuming process that requires considerable implementation time.

Bottom-up policy development is another approach to policy development. In bottom-up policy development, the policies are developed with input from employees about the issues they are facing and any other input they want to provide for policy development. It further builds on known risk. The bottom-up approach is faster than the top-down approach, but a major disadvantage is that it lacks the support of senior management, which considerably adds to the risk factor.

Note that a risk assessment typically drives bottom-up policy development more than top-down policy development.

No matter which approach is taken, policies are designed to address specific concerns:

· Regulatory—Ensure that the organization's standards agree with local, state, and federal laws. Industries that frequently use these documents include health care, public utilities, etc.

· Advisory—Ensure that all employees are aware of the consequences of specific behaviour and actions. An example of an advisory policy is an organization's Internet policy. It states the rules and regulations that an employee should follow while using the Internet in the office; failure to do so could lead to disciplinary action or dismissal.

· Informative—Specify that the policy is to provide information only and not for enforcement. Their goal is to inform employees and/or customers. An example of an informative policy is a return policy on goods bought on the business's website.

Policies and Procedures

Policies are high-level documents developed by management to specify the strategy and philosophy of the organization to its employees. Management and business process owners are responsible for the organization and design of policies. Policies emphasise the words of management. They define, detail, and specify what is expected from employees and how management plans to meet the requirements of employees, customers, and stakeholders. Policies can be developed either internally or based on international standards such as Common Criteria or ISO 17799:

· Common Criteria—A framework used to specify security requirements

· ISO 17799—Provides best practice recommendations for implementing good security management

An important policy of any organisation is its security policy. The security policy specifies management's guidelines on how to use, operate, and secure the information systems and assets. It specifies the role security plays within the organization. The security policy should be driven by business objectives and should meet all applicable laws and regulations.

The security policy should further act as a base to integrate security with all business functions. It serves as an overall high-level guide for creating detailed lower-level documentation, such as procedures. The security policy should be designed in such a way that it implements efficient security without hindering productivity. A further consideration is that the cost of security cannot be greater than the value of the asset.

An auditor must review the whole audit process to get a better idea of how specific processes function. As an example, the auditor should examine the disaster recovery and business continuity planning document. Some questions to focus on here are: what kind of hardware and software backup is used? Is the software backup media stored off site, and if so, what kind of security is implemented at the offsite location, and what type of access is available? These are just a few of the questions that an auditor may consider during auditing. The disaster recovery policy is an important part of corrective control.

During the audit, the auditor must verify how well policy actually maps to activity and also suggest ways to improve the policy.

Policies don't last forever. They must be reviewed periodically to make sure they stay updated. It is very easy to see that low-level procedures need to be updated, but this also applies to high-level policies.

Next, the focus of discussion is on procedures.

Procedures

Procedures are the detailed documents that are derived from the policy document. They provide a detailed step-by-step approach and hence change more frequently (to stay updated with business processes and the technological environment) than the policy document. Procedures are detailed documents associated with specific technologies and devices, and they change when the technology or device changes. For example, a company might have devised a policy specifying the network traffic that can enter or leave the company's network, but a procedure would detail the step-by-step instructions on how the policy is to be implemented. As an example, if your company has implemented a Cisco firewall, the procedure would provide step-by-step instructions on its configuration. Now suppose the company wants to change the firewall to Checkpoint; the policy would remain the same, but the procedure for configuring the firewall would change.
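As an added illustration (not part of the original answer), the following Python expresses the policy/procedure split in code: one vendor-neutral perimeter policy is rendered into a Cisco IOS ACL and, standing in for the Checkpoint box in the text, into an iptables rule set, and an audit function flags observed rules that the policy never authorised. The addresses, rules and the "observed" rule set are constructed for the example.

```python
"""Policy/procedure split as code (constructed example). The policy is the
management-level intent; each render_* function is a vendor-specific
procedure derived from it; audit_iptables is the auditor's deviation check."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny" (policy vocabulary, vendor-neutral)
    proto: str      # "tcp" or "udp"
    dst_host: str   # protected server, IPv4 (constructed address)
    dst_port: int

# The POLICY: management intent; it does not change when the firewall vendor does.
PERIMETER_POLICY = (
    Rule("permit", "tcp", "10.0.0.5", 443),  # public web server
    Rule("permit", "tcp", "10.0.0.6", 25),   # mail relay
)

def render_cisco_acl(policy, acl=101):
    """PROCEDURE for a Cisco IOS extended ACL."""
    lines = [f"access-list {acl} {r.action} {r.proto} any host {r.dst_host} eq {r.dst_port}"
             for r in policy]
    lines.append(f"access-list {acl} deny ip any any")  # make the implicit deny explicit
    return lines

def render_iptables(policy, chain="FORWARD"):
    """PROCEDURE for a Linux iptables host (used here in place of Checkpoint)."""
    target = {"permit": "ACCEPT", "deny": "DROP"}
    lines = [f"iptables -A {chain} -p {r.proto} -d {r.dst_host} --dport {r.dst_port} -j {target[r.action]}"
             for r in policy]
    lines.append(f"iptables -P {chain} DROP")  # default: drop what no rule permits
    return lines

_IPT = re.compile(r"-p (\w+) -d (\S+) --dport (\d+) -j (ACCEPT|DROP)")

def audit_iptables(observed_lines, policy):
    """Audit step: return ACCEPT rules in the observed procedure that no policy
    rule authorises, i.e. the deviations an auditor must flag."""
    allowed = {(r.proto, r.dst_host, r.dst_port) for r in policy if r.action == "permit"}
    deviations = []
    for line in observed_lines:
        m = _IPT.search(line)
        if m and m.group(4) == "ACCEPT":
            if (m.group(1), m.group(2), int(m.group(3))) not in allowed:
                deviations.append(line)
    return deviations

# Constructed "observed" rule set: the rendered procedure plus one hand-added rule.
OBSERVED = render_iptables(PERIMETER_POLICY) + [
    "iptables -A FORWARD -p tcp -d 10.0.0.5 --dport 22 -j ACCEPT"]
```

Swapping render_cisco_acl for render_iptables changes only the procedure; PERIMETER_POLICY is untouched, which is the point the text makes about replacing the firewall vendor.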

During an audit, the auditor must review all relevant procedures and map them to employee behaviour through interviews or direct observation. Any deviation means that there are no existing procedures, that procedures don't map well to existing practices, or that employees do not have the relevant training on the procedures they are tasked with.

Reviewing Policies and Procedures

The objective of auditing policies and procedures is to improve the quality of the control environment. Audits can verify that documents are being used as intended by management. An audit can also help verify that policies are up to date and are adhered to. Per ISACA, the following items should be examined:

· Human resources documents

· Process and operation manuals

· Quality-assurance procedures

· IT forecasts and budgets

· Organizational charts and functional diagrams

· Change-management documentation

· Security policies and procedures

· Job details and descriptions

· Steering committee reports

Documents related to external entities should also be reviewed. A company might have contracts with vendors or suppliers for an array of products and services. How the vendors are selected, how the bidding process functions, what factors are used to determine the best bid, and what process is used to verify contract completion should all be reviewed.

Need For Security Awareness Training

Security awareness training is a formal process for educating employees about computer security.

A good security awareness program educates employees about corporate IT policies and procedures as implemented. Employees should be aware of whom to contact if they discover a security threat and should be educated on the importance of data as a valuable corporate asset. Regular training is particularly necessary in organizations with high turnover rates and those that rely heavily on contractual or temporary employees.