Security policies are the rules and standards that employees follow in various settings or areas. They are the blueprint for ensuring the organization uses its resources to protect itself from malicious attackers, lawsuits, data leaks, or anything else that would negatively affect it. Without proper implementation and enforcement, a policy is just words on a document or poster. A policy can be as simple as requiring every password to be at least 15 characters long. If that password may be kept forever, however, we are not following best practice, so we implement and enforce a second policy: users must change their passwords every couple of months, or at least every 365 days. (One caveat a practitioner should know: current NIST guidance in SP 800-63B discourages forced periodic rotation on its own, favoring screening passwords against lists of known-compromised values and forcing a change when there is evidence of compromise.) Layering multiple policies strengthens the organization's protection by creating defense in depth.
Privacy Policy
The Children's Online Privacy Protection Act (COPPA) is a federal law requiring specific protections for children under 13 when operating websites and online services directed at them or knowingly collecting their data. The Federal Trade Commission (FTC) enforces the COPPA Rule and publishes a six-step compliance plan:
Step 1: Determine whether the company collects personal information from children under 13.
Step 2: Post a privacy policy that complies with COPPA.
Step 3: Notify parents directly about the company's information practices before collecting information from their children.
Step 4: Obtain verifiable parental consent before collecting the information.
Step 5: Honor parents' ongoing rights to review, delete, and stop further collection of their child's personal information.
Step 6: Implement reasonable procedures to safeguard the security of children's personal information.
Extra security measures that support compliance include data minimization (collect only what is needed and retain it only as long as needed), scale-down principles, and the Confidentiality, Integrity, and Availability (CIA) fundamentals.
Policy Implementation, Enforcement, and Compliance
Creating policies is time-consuming because it is a deliberate process that must meet the organization's standards. When creating these policies, we also consider federal, state, and local laws, regulations, and standards. We conduct due diligence to establish a baseline of the policies we will implement and then monitor them continuously. I identified the laws, regulations, and standards to implement in our fictional company, TN-Tech. Since the company works with government-affiliated organizations, I identified the National Institute of Standards and Technology (NIST) publications, the International Organization for Standardization (ISO) standards, and the Federal Information Security Management Act (FISMA) as essential to follow. Understanding these requirements is critical to an organization's success and to conducting business with the government.
Legal Program
Designing a cybersecurity legal program takes time and due diligence. We continued using our fictional company, TN-Tech, to create a baseline of the laws, regulations, and standards it would follow. Implementing a cybersecurity legal program reduces the chance of losses from criminal activity and civil litigation, and it includes cybersecurity liability insurance in case a legal dispute is lost in court. We identified the duties, laws and standards, frameworks, potential impacts, cybersecurity insurance, and recommendations.
Duties: Duty of Care, Failure to Act, and the Reasonable Person Doctrine.
Laws and standards: Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and the Data Security and Breach Notification Act of 2015.
Frameworks: National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO).
Potential impact: Internet of Things (IoT) devices and Denial of Service (DoS) attacks.
Cybersecurity insurance: Network security liability insurance and privacy insurance.
Recommendation: Follow the NIST framework, conduct regular risk assessments, and add security controls where the assessments show gaps.
Reflection
In the Operational Policy course, we learned how to develop and implement policies specific to an organization. Understanding, creating, and implementing operational policies is essential for someone starting in the cybersecurity profession because it demonstrates that you understand the organization's goals and values. Creating policies is time-consuming, but they do not change often. Instead, as cybersecurity professionals, we check whether they work as intended and recommend updates when needed. We monitor and check our policies because, as our technology advances, so do the malicious actors. Comparing the technology of 15 years ago to today's, there is a massive gap. The Internet of Things (IoT) was not an issue in the past because there was little to nothing to worry about. Today, almost any device is an IoT device, posing a security threat if no security policies or measures exist. So, as cybersecurity professionals, we do our due diligence by researching Common Vulnerabilities and Exposures (CVE) entries and networking with related organizations to identify security flaws. Reflecting on the CSOL 540 course, I realized there is more to creating and implementing policies than writing them. We constantly need to conduct assessments to verify that they are being implemented correctly. Furthermore, we must adjust and adapt to new security flaws discovered over time.