A. Evaluate the effectiveness of AEnergy Company’s security policies (see the attached
“AEnergy Data Security Policy,” “AEnergy Employer Security Policy,” and “AEnergy Accounting
Security Policy”) regarding ethical issues. Requirement: look over the 3 security policies
and talk about how good/bad they are regarding ethical issues.
1. Discuss two potential unethical uses of the company technology and/or data by internal
users. Requirement: point out 2 potential unethical uses by internal users.
2. Discuss two potential unethical uses of the company technology and/or data by external
parties. Requirement: point out 2 potential unethical uses by external parties.
B. Evaluate the effectiveness of AEnergy Company’s security policies (see the attached
“AEnergy Data Security Policy,” “AEnergy Employer Security Policy,” and “AEnergy Accounting
Security Policy”) regarding security threats. Requirement: look over the 3 security policies
and talk about how good/bad they are regarding security threats.
1. Discuss two potential security threats to the company technology and/or data from
internal users. Requirement: point out 2 potential security threats from internal users.
2. Discuss two potential security threats to the company technology and/or data from
external parties. Requirement: point out 2 potential security threats from external
parties.
C. Create updated company policies that outline expectations related to use of company
technologies by internal users and issues with external parties. Requirement: outline new
policies for the expectations toward the use of company technology by internal users and
issues with external parties.
1. Explain how your changes would mitigate the unethical uses discussed in parts A1 and
A2. Requirement: Address how the new policies mitigate the issues from A1 and A2.
2. Explain how your changes would mitigate the security threats discussed in parts B1 and
B2. Requirement: Address how the new policies mitigate the issues from B1 and B2.
This task cannot be completed without the use of the information in the provided attached documents.
This task needs to clearly address each requirement.
A Energy “A to the power of Energy”
Data Security Policy
Purpose
This document defines the data security policy of A Energy Company. A Energy Company takes the privacy of
our employees and clients very seriously. To ensure that we are protecting our corporate and client data
from security breaches, this policy must be followed and will be enforced to the fullest extent.
Intent
The goal of this policy is to inform employees at A Energy Company of the rules and procedures relating to
data security compliance.
The data covered by this policy includes, but is not limited to, all electronic information found in e-mail,
databases, applications, and other media; paper information, such as hard copies of electronic data,
employee files, and internal memos; etc.
Audience
This policy applies to all employees, management, contractors, vendors, business partners, and any
other parties who have access to company data.
Data Types
A Energy Company deals with two main kinds of data:
1. Company-owned data that relates to areas such as corporate financials, employment records,
payroll, proprietary information about our products, etc.
2. Private data that is the property of our clients and/or employees, such as Social Security
numbers, credit card information, contact information, etc.
Proprietary & Confidential
Data Classifications
A Energy Company data is composed of 4 classifications of information:
1. Public/Unclassified: This is defined as information that is generally available to anyone
within or outside of the company. Access to this data is unrestricted, may already be
available, and can be distributed as needed. Public/unclassified data includes, but is not
limited to, marketing materials, annual reports, corporate financials (and other data as
applicable). Employees may send or communicate a public/unclassified piece of data with
anyone inside or outside of the company.
2. Private: This is defined as corporate information that is to be kept within the company.
Access to this data may be limited to specific departments and cannot be distributed
outside of the workplace. Private data includes, but is not limited to, work phone
directories, organizational charts, company policies (and other data as applicable). All
information not otherwise classified will be assumed to be private. Employees may not
disclose private data to anyone who is not a current employee of the company.
3. Confidential: This is defined as personal or corporate information that may be considered
potentially damaging if released and is only accessible to specific groups (e.g., payroll, HR,
etc.). Confidential data includes, but is not limited to, Social Security numbers, contact
information, tax forms, accounting data, security procedures, and other personal data.
A Energy Company considers it a top priority to protect the privacy of our clients and
employees. A separate privacy policy outlines our commitment to protecting personal data.
Employees may only share confidential data within the department or named distribution
list.
4. Secret/Restricted: This is defined as sensitive data which, if leaked, would be harmful to A Energy
Company, its employees, contractors, and other parties as applicable. Access is limited
to authorized personnel and third parties as required. Secret/restricted data includes but is
not limited to audit reports; legal documentation; business strategy details; and proprietary
information about designs, materials, and processes. Secret/restricted data cannot be
disclosed by anyone other than the original author, owner, or distributor.
It is the responsibility of everyone who works at A Energy Company to protect our data. Even unintentional
abuse of classified data will be considered punishable in accordance with the extent and frequency of
the abuse.
Responsibilities
All employees are responsible for adhering to the policy and reporting any activities that do not comply
with this policy.
Management personnel are responsible for ensuring that those who directly report to them understand
the scope and implications of this policy. Human resources must also ensure that all employees have a
signed copy of this policy in their file.
Security staff will be monitoring data for any unauthorized activity and are responsible for updating
access requirements as needed.
Any employee who authors or generates corporate or client data must classify that data according to
the criteria outlined above.
Management
Ownership of this policy falls to the IT team. For any questions about this policy, or to report misuse of
corporate or personal data, please contact the IT team at ITteam@aenergycompany.com. The IT team
will work to maintain data access privileges, which will be updated as required when an employee joins
or leaves the company.
These are the accepted technologies A Energy Company uses to enforce and ensure data security:
1. Access controls
2. Strong passwords
3. System monitoring
4. Trend analysis
Review
Management is responsible for keeping this policy current. This policy will be reviewed annually or as
circumstances arise.
Also annually, a full security audit will be performed by the IT team and selected company members to
ensure that the policy is properly aligned with industry standards.
Enforcement
Employees found to be in violation of this policy by either unintentionally or maliciously stealing, using,
or otherwise compromising corporate or personal data may be subject to disciplinary action up to and
including termination.
Employee Acknowledgement
I agree to the terms and conditions set forth in this policy:
Employee Name:
__________________________
Date: ________________________
Employee Signature:
_______________________________________
Witness Name:
__________________________
Witness Signature:
_______________________________________
Date: ________________________
Employer Security Policy
All new employees will receive training related to computer and organization security during the
required new hire training. The employee must agree to the security requirements to receive the user ID
and temporary password. All employees are expected to maintain secrecy of their password and abide
by company security procedures.
Computer and Workstation Security
All computers accessing the A Energy Company network are required to have an IT administrative account
and a password-protected login. All computer activity may be audited and all
activity is tracked by user ID. All laptop computers and workstations are equipped to automatically lock
at a set number of minutes of inactivity for protection from intentional or unintentional misuse of an
employee's account. A single user ID and password is used to access the computer and e-mail system.
All hardware, including computers, projectors, external hard disk drives, and printers, contain tracking
mechanisms in case of loss or theft. Laptop computers are assigned to a single user. Workstations may
be shared and require authentication by each user with the individual's user ID and password. All
printing requires a pass code to be entered for proper billing and cost allocation.
Internet browsing is managed to safeguard bandwidth. Select Internet sites are blocked using web
filtering software. Appeals may be filed for access to sites that have been blocked and have a business
necessity.
Staff Security
A Energy Company safeguards its employees with monitoring technology. High-definition digital security
cameras monitor internal and external environments. All employees are offered personal safety training
by an approved instructor. Entrance into the building and movement from one area to another requires
each employee to swipe an electronic identification card. At no time are employees permitted to allow
another employee or a guest access without the individual swiping an electronic identification card.
Guest Security
All guests are required to receive a visitor's electronic identification card. The card will be coded to allow
access to the approved areas of the facility. Guests may be asked to sign a nondisclosure form to protect
proprietary information and technology.
Monitoring
The physical location and network use are monitored to identify and respond to any unauthorized
access to the facility or network.
Physical Location Monitoring
High-definition digital cameras record movement at internal and external locations at each site. Security
personnel monitor the video output. All images are saved for future analysis. Motion sensors are in
place for additional security.
Network and Resource Usage Monitoring
The A Energy Company network and servers are accessible only through authentication by an approved
user ID and password. Some levels of the network require a SecurID token in addition to an approved
user ID and password. Use of network resources is monitored and linked to the user ID and password
that authenticated the computer accessing the network. Locking or logging off laptop computers or
workstations when not in use is advised to avoid intentional or unintentional misuse of the network.
Internet access to some sites is limited. If these blocked sites are necessary for business related
activities, an appeal can be made. Reviews of appeals will be within one business day. E-mail accounts
can be reviewed at any time. If a personal e-mail is sent from the work account, employees can mark the
subject line as "personal" to avoid that e-mail being opened during the monitoring process.
Confidentiality of trade secrets is essential for a competitive edge; each person must help protect the
company. E-mail etiquette is suggested to portray the professional image of the company.
Computer Security
Each computer and workstation has virus protection software. This software automatically updates once
per week and also whenever critical updates are identified. Each computer will be scanned for viruses
and malware once a month. Updates and scans are scheduled to be performed to minimize impact on
productivity.
Passwords must be changed every 90 days, must be a minimum of 8 characters in length, and must
contain at least three of the four following criteria: a capital letter, a lowercase letter, a symbol, or a
number. All computers have VPN access that requires authentication with an approved user ID and
password to tunnel through firewalls when using the internal network or any external network.
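The password rule above (90-day rotation, at least 8 characters, three of four character classes) is the kind of rule that is easy to check mechanically and also easy to satisfy with a weak password. The following checker is an added example, not code from the policy documents: the length, class and age thresholds come from the policy text, while the deny-list of common words and the 12-character advisory are assumptions added to show what the written rule does not catch.

```python
"""Checker for the password rule in the Employer Security Policy
(90-day rotation, at least 8 characters, three of four character classes).
Added example, not code from the policy documents; the advisory checks
beyond the written rule are assumptions."""
from datetime import date
import string

MIN_LENGTH = 8          # from the policy
MAX_AGE_DAYS = 90       # from the policy
CLASSES_REQUIRED = 3    # from the policy: three of the four classes

# Assumed deny-list; a real deployment would use a breached-password corpus.
# The policy text itself specifies no such check.
COMMON_WORDS = {"password", "welcome", "aenergy", "qwerty", "letmein"}


def _as_date(value):
    """Accept a date or an ISO-8601 string such as '2024-04-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def character_classes(password):
    """Count how many of the four policy classes the password uses."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def meets_composition_rule(password):
    """True if the password satisfies the written length and class rule."""
    return len(password) >= MIN_LENGTH and character_classes(password) >= CLASSES_REQUIRED


def password_expired(last_changed, today=None):
    """True once the password is older than the 90-day limit."""
    today = _as_date(today) if today else date.today()
    return (today - _as_date(last_changed)).days > MAX_AGE_DAYS


def assess(password, last_changed, today=None):
    """Return the policy verdict plus advisories the written policy omits."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if character_classes(password) < CLASSES_REQUIRED:
        findings.append("insufficient_classes")
    if password_expired(last_changed, today):
        findings.append("expired")

    advisories = []
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        advisories.append("contains_common_word")
    if len(password) < 12:   # assumed stricter minimum, not in the policy
        advisories.append("shorter_than_12")
    return {"policy_compliant": not findings, "findings": findings, "advisories": advisories}


if __name__ == "__main__":
    today = "2024-04-15"
    for pw, changed in [("Welcome1", "2024-03-01"),
                        ("correct horse battery staple", "2024-03-01"),
                        ("Tr0ub4dor&3", "2023-12-01")]:
        print(f"{pw!r:32} -> {assess(pw, changed, today)}")
```

Running it shows the practical weakness: "Welcome1" is fully compliant with the written rule yet is built from a dictionary word plus a digit, while a 28-character lowercase passphrase is rejected for using only one character class. A stronger policy would set a longer minimum, drop the class requirement in favour of a breached-password check, and rotate on evidence of compromise rather than on a fixed 90-day clock.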
Each laptop computer has an encrypted hard drive to protect sensitive information in the event of loss
or theft. Each employee is issued a security cable to use when traveling to help deter theft.
Violations
Violations of the security policies will be reviewed to determine the cause of the security breach.
Intentional misuse will be prosecuted to the full extent of the law.
Accounting Security Policy
The A Energy Company Accounting Security Policy is to be provided to each employee at the time of
acceptance of the employment offer. The policy is available for review by users of our website through
a request to customer service. Updates to the policy are documented and available on the company
intranet for review. The website policy is updated as needed and the last date of revision is posted on
the website as well. Audits for compliance are budgeted to occur annually at six months after the start
of the fiscal year, July 1. Billing and cost allocation analyses are completed monthly. Trend analysis is
performed daily in a manner similar to how production data is analyzed. A thorough examination of the
accounting data is completed quarterly.
Accounting Security Policy
The accounting controls for A Energy Company keep a time-stamped record of resource usage including
logins and network use. The accounting controls do not permit or deny access. The purpose of
collecting resource usage information is for the purpose of trend analysis, auditing, billing, or cost
allocation.
Information about users of services provided by the A Energy Company website and network is collected,
stored, and secured to protect the users' personal information and privacy.
For Employees of A Energy Company
Each employee is assigned a user profile and password at the time of employment. Each request to
connect to a network or service queries a check within the system to determine if the user is permitted
access or if enough licenses are available for use. If authorization is granted, the user ID, IP address,
location, time of connection, and location of the file or information accessed are recorded. Use
information is analyzed for billing and cost allocation to internal and external cost centers. Trend
analysis provides information on infrastructure functionality and requirements for infrastructure
modifications. Usage information is shared only in aggregate for evaluation to appropriate management
staff for confirmation of acceptable use.
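The records described above (user ID, IP address, location, time of connection, resource accessed) are typical AAA accounting data: they are collected for trend analysis and cost allocation and, by the policy's own statement, are shared with management only in aggregate. The script below is an added example, not code from the policy documents. It shows one way to produce the aggregate-only report and a simple daily trend check over such records. The cost-center field, the sample records, the minimum-users threshold for an aggregate and the alert thresholds are all constructed assumptions.

```python
"""Aggregate-only reporting and a daily trend check over accounting records
of the kind the Accounting Security Policy describes. Added example, not
code from the policy documents; the cost-center field, sample records and
thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
import statistics


@dataclass(frozen=True)
class Record:
    user_id: str
    ip: str
    location: str
    timestamp: datetime
    resource: str
    cost_center: str   # assumed field used for billing and cost allocation


MIN_USERS_PER_AGGREGATE = 2   # assumed: a total over one user is not an aggregate


def build_sample_records():
    """Constructed records for one working week; not real log data."""
    per_day = [  # (user, cost center, ip, location, resource, connections per day)
        ("jsmith", "FIN", "10.1.4.22", "HQ", "/finance/ledger.xlsx", 2),
        ("lchen", "FIN", "10.1.4.31", "HQ", "/finance/ap/invoices/", 1),
        ("rpatel", "ENG", "10.2.7.5", "Plant-2", "/eng/designs/turbine.dwg", 1),
        ("mdiaz", "ENG", "10.2.7.9", "Plant-2", "/eng/specs/", 1),
        ("aroy", "EXEC", "10.1.1.2", "HQ", "/exec/board/", 1),
    ]
    records = []
    for day in (date(2024, 3, d) for d in range(4, 9)):
        for user, cc, ip, loc, resource, n in per_day:
            for hour in range(9, 9 + n):
                records.append(Record(user, ip, loc, datetime.combine(day, time(hour)), resource, cc))
    # Friday anomaly (constructed): one FIN user pulls nine payroll files after hours.
    for i in range(9):
        records.append(Record("tnguyen", "10.1.4.40", "HQ", datetime(2024, 3, 8, 19, 4 * i),
                              f"/finance/payroll/2024-{i + 1:02d}.csv", "FIN"))
    return records


def aggregate_by_cost_center(records):
    """Per-cost-center totals with no user IDs, as shared with management.
    Cost centers with too few users are suppressed rather than reported."""
    connections, users = Counter(), defaultdict(set)
    for r in records:
        connections[r.cost_center] += 1
        users[r.cost_center].add(r.user_id)
    report = {}
    for cc in connections:
        if len(users[cc]) < MIN_USERS_PER_AGGREGATE:
            report[cc] = {"suppressed": True}
        else:
            report[cc] = {"connections": connections[cc], "distinct_users": len(users[cc])}
    return report


def daily_counts(records):
    """Connections per cost center per calendar day."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r.cost_center][r.timestamp.date()] += 1
    return counts


def trend_alerts(records, factor=3.0, min_history=3):
    """Flag a day whose count exceeds `factor` times the median of prior days.
    Thresholds are assumptions; the policy only says trend analysis is daily."""
    alerts = []
    for cc, per_day in daily_counts(records).items():
        history = []
        for day in sorted(per_day):
            n = per_day[day]
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if n > factor * baseline:
                    alerts.append({"cost_center": cc, "day": day.isoformat(),
                                   "connections": n, "baseline": baseline})
            history.append(n)
    return alerts


if __name__ == "__main__":
    recs = build_sample_records()
    print(aggregate_by_cost_center(recs))
    for alert in trend_alerts(recs):
        print("trend alert:", alert)
```

Two points for the policy review follow from the example. First, the management report carries counts only, and a cost center with a single user is suppressed, because a per-cost-center total over one person is that person's activity, not an aggregate. Second, the trend check flags the cost center and day, which is what the policy's "trend analysis" can reasonably detect; attributing the spike to a user is a security-staff follow-up under the Data Security Policy's monitoring responsibility, not something that belongs in the aggregate report.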
For Users of the A Energy Company Website
The website of A Energy Company collects and safeguards personal information and other usage data. The
data collected through participation in website activity and completing survey or contest forms includes
name, ID, phone number, e-mail or mailing address, and other contact information as necessary for
participation. The data collected through subscription to newsletters delivered via e-mail include name,
company name, and e-mail address. The data collected through browsing the website include user IP,
browsing profile, content tracking, location tracking, time of use, and search terms.
The A Energy Company website uses cookies to transfer short pieces of information to the user's hard
drive to store settings and for record keeping purposes. If users have set their browsers to refuse
cookies, there is the possibility that some features and activities on the A Energy Company website may
not be accessed. The purpose of using cookies is to provide a better and more personalized service to
the user by facilitating logging in to and out of the website and customizing the presentation of the
website. The information from the cookies tracks access counts and frequency of participation in
promotional activities.
A Energy Company does not rent, sell, or otherwise distribute the data collected with other organizations
or individuals. Those data transmissions that are not completed through an SSL connection between the
website and the user may not be completely secure, and the user must bear the risk of data transfer via
the Internet. Personal information submitted in public sections of the website may be collected by
others and used by third parties. To reduce exposure to the risk, users of the public forums and other
public sections of the website are reminded in the agreement of use statement that they are not
required to reveal personal information publicly. A Energy Company is not responsible for consequences
resulting from disclosure of personal information in the public sections by users.
Users of the A Energy Company website will be reminded to adhere to the latest privacy safeguard
measures and guidelines. Announcements will be posted on the website to inform users of any changes
to the policies, guidelines, or uses of personal information.
Inquiries about the A Energy Company privacy policy may be sent via e-mail to
customerservice@aenergycompany.com or by calling Customer Service during regular business hours.