5-2 Information Technology Risk Analysis and Cyber Security Policy Assignment, Part 2
Southern New Hampshire University
IT-659-Q1593 Cyberlaw & Ethics 21TW1
10th November, 2021
Cybersecurity is a pressing issue in modern organizations, as evidenced by the cases presented in Part 1. Various forms of cyberattack have taken place over time, including malware, denial of service (DoS), distributed denial of service (DDoS), and phishing. Cybercriminals aim to steal data from their targets, disrupt or destroy networks out of malice, or express their opinions through hacktivism. This paper details a cybersecurity policy designed to reduce the likelihood and the impact of cybercrime at the workplace.
Cybersecurity policies are a set of standard practices and procedures that are implemented at the workplace to protect the organization from cybercrime. A standard cybersecurity policy comprises the following parts:
• General Security Expectations
This part outlines the roles and responsibilities of all stakeholders within the organization. Every person is expected to carry out the role prescribed for them so that workplace systems remain protected from cyber threats.
• Standards for Cybersecurity Technologies
This part sets standards for the technologies the organization relies on for its security. For instance, a workplace cybersecurity policy could specify the requirements for the antivirus software to be used across the organization. Cloud applications also require their own set of standards, because they sit outside the organization's own network perimeter and are reachable from the internet.
The design and implementation of a cybersecurity policy typically follows this procedure:
(i) Cybersecurity Risk Assessment
The workplace is first subjected to a cybersecurity risk assessment to identify existing vulnerabilities and to estimate the overall likelihood and impact of a breach. Risk assessment also establishes the tolerance
level of the organization for cyber threats. All systems, including cyber-physical systems, must be routinely reassessed to determine whether they remain compliant with the cybersecurity policy.
(ii) Identification of Security Gaps
The findings of the risk assessment are used to identify the security gaps in the organization's infrastructure, that is, the places where existing controls do not bring risk down to the tolerance level. These gaps form the foundation of the new cybersecurity policy, so that the organization gains sufficient protection against cyber threats.
(iii) Formulation of a Cybersecurity Policy
The results of the two previous steps are then used to develop a viable cybersecurity policy. The policy may be specific to one organization, or it may be set at the sector or regulatory level; a policy of the latter kind is drawn from data collected across many companies.
The following sections outline the different aspects of the cybersecurity policy pertaining
to the workplace environment:
Acceptable Use Policy (AUP)
This policy specifies the limits placed on employees who use the workplace IT system, including which online services they may access. Many ransomware infections begin when an employee downloads or opens malicious content from the internet. Imposing restrictions on employees' internet access through company systems therefore reduces the risk of such attacks. The AUP must be signed by all new employees as part of the onboarding process, so that all personnel have a clear understanding of the restrictions. Access to unprotected sites and to social media is restricted under the AUP.
Data Breach Response Policy
This policy describes the procedure that should be followed in the event of a data breach
on the organization’s servers. It aims to minimize the impact of the attack and protect as much
confidential data as possible. Each member of staff is assigned a role to play in the event of such an attack. IT professionals are on the front line, and they are responsible for notifying the rest of the staff as soon as they detect the attack. Affected workstations should be isolated from the network rather than powered off: disconnecting them stops the attacker's access and the spread of malware, whereas powering them off destroys volatile evidence (memory contents, active connections) that the incident responders need. IT personnel then install the required safeguards to block the attack and work on recovering the lost files from backups.
Disaster Recovery Plan Policy
This part of the policy is enacted only in the aftermath of a large-scale attack that has compromised most of the company's assets. It aims to reduce the effects of the attack by restoring the lost data and systems. The Data Breach Response Policy acts as the precursor to the enforcement of this policy. Because of its implications for the organization, this policy is invoked only by senior management together with senior cybersecurity staff. The Disaster Recovery Plan may contain the following sub-sections (Disaster Recovery Plan Policy, 2014):
• Computer Emergency Response Plan
• Succession Plan
• Data Study
• Criticality of Service List
• Data Backup and Restoration Plan
• Equipment Replacement Plan
• Mass Media Management
The sections listed above act as contingency plans and are implemented to salvage different aspects of the organization after the disaster.
Business Continuity Plan (BCP) Policy
The BCP outlines how the company should operate in the event of an emergency. It describes how vital elements such as communication should be established and maintained so that recovery efforts are conducted efficiently during an attack. The BCP is integrated with the Disaster Recovery Plan so that data and system applications can be restored and the business remains uninterrupted. The following procedures are used to implement the BCP (Integrating cybersecurity into Business Continuity Planning, 2021):
1. A Business Impact Analysis (BIA) is conducted in advance to identify the organization's critical functions and to determine the scale to which its activities would be affected if those functions were disrupted.
2. A cybersecurity risk assessment is then carried out to determine the susceptibility of the system to cyber threats.
3. A third-party risk management program is put in place so that the organization accounts for its dependencies on vendors and can focus its own efforts on recovery.
4. An incident response and communications plan is created for use during emergencies.
5. Continuous monitoring is carried out so that company systems are assessed effectively.
Remote Access Policy
The emergence of the COVID-19 pandemic has resulted in the need for most organizations to adopt remote work. Most services are therefore accessed over the internet, which exposes companies to cyberattacks. Over the past year, the average cost of a data breach in the United States rose by $137,000 where remote work was a factor, and this figure will keep rising unless proper mitigating measures are put in place (6 examples of essential cybersecurity policies for businesses, 2021). A Remote Access Policy (RAP) defines the steps one must follow to gain entry into their
organization's network from outside it, typically through a VPN protected by multi-factor authentication, and the devices that may be used to do so. The procedures are established to ensure that remote employees do not expose their login credentials to cybercriminals. Organizations whose employees are spread over large areas are at the highest risk, because some of them may be connecting from untrusted networks such as public Wi-Fi.
Access Control Policy
The ACP sets the standards that must be met before a person is granted access to the organization's networks and software, including how accounts are created, how privileges are assigned, and how users must authenticate. This policy also describes the tools used to monitor how employees access the organization's network. It also specifies the procedure for revoking an employee's access when they leave the organization, so that a dormant account cannot be used by a former employee or by an attacker. The ACP reduces the risk of unauthorized persons accessing the network by granting only the access each role needs and by monitoring how that access is used.
Ethical Issues in the Workplace
Social Media
Many employers ban their employees from accessing their social media accounts during work hours. Others monitor the posts made by employees even outside working hours. In the past, several people have lost their jobs over social media posts that their employers felt were not morally or ethically acceptable. While it is normal for employers to expect high moral and ethical standards from their employees, some people perceive such monitoring as a violation of privacy (Managing and leveraging workplace use of social media, 2016). No federal law explicitly governs how employers should treat employees' use of social media.
Email
It is widely perceived that emails are personal, but many employers routinely monitor the emails their employees send from work computers. Some employees use their work emails
for personal use as well. While this monitoring may be perceived as a violation of privacy, employers feel they are justified in tracking their workers' email activity because they suspect that some may be leaking confidential information about the organization to external parties. The Electronic Communications Privacy Act of 1986 generally prohibits the interception of electronic communications (Ethical issues and email accounts in the workplace, 2020). However, the Act does not address email by name; it covers "electronic communications" in general, and it contains exceptions for the provider of the communications system and for interception with consent. How these provisions apply to an employer reading employee email on its own systems is not spelled out, which makes the Act ambiguous.
How Cybersecurity Policies could be Used to Address the Ambiguity
Since no federal law squarely addresses employee privacy in the use of work email and social media, employers should formulate a policy that governs the issue at the organizational level. The policy should state that everyone is entitled to privacy, but that the organization reserves the right to monitor messages sent through its systems and posts that may affect the organization. It should also say plainly what is monitored and why, so that employees have given informed consent to the monitoring when they sign it.
References
6 examples of essential cybersecurity policies for businesses. (2021). Security Scorecard. Retrieved November 13, 2021, from https://securityscorecard.com/blog/cybersecurity-policy-examples
Disaster Recovery Plan Policy. (2014). SANS Consensus Policy Resource Community. Retrieved November 13, 2021, from https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt3cf8b9a0b2e45133/5e9ddb9ab1704560004196b5/disaster_recovery_plan_policy.pdf
Ethical issues and email accounts in the workplace. (2020). Chron. Retrieved November 13, 2021, from https://work.chron.com/ethical-issues-email-accounts-workplace-16688.html
Integrating cybersecurity into Business Continuity Planning. (2021). Security Scorecard. Retrieved November 13, 2021, from https://securityscorecard.com/blog/integrating-cybersecurity-into-business-continuity-planning
Managing and leveraging workplace use of social media. (2016). SHRM. Retrieved November 13, 2021, from https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/managingsocialmedia.aspx