Hello there! please find attached documents and in case you have any quedtions, kindly you let me know immediately.🙏

OPERATIONAL AND
ORGANIZATIONAL
SECURITY

Operational and Organizational Security
It is absolutely important to note that organizations are able to achieve operational security especially

through the procedures and policies that can actually guide the user to be able to interact between the data
and the data processing systems. Aligning and coming up with these particular efforts with the diverse
business goals is indeed an important thing as far as developing a security program is concerned. It is also
important to recognize that one of the very crucial methods of basically ensuring the coverage is to ideally
align all the efforts with the models of operational security. This is actually able to break all the efforts into
distinctive groups and these include; detection, prevention, and the response elements (Arthur, 2016)

Prevention technologies are fundamentally created with an objective of ensuring that individuals are
kept off from basically being able to access the various data or systems they are not authorized to
access or use. This was actually the only approach to security. However, eventually, it was realized
that in any given operational environment, undertaking prevention was something that was extremely
difficult and therefore relying entire on prevention technology was not sufficient. Therefore, this
actually led to coming up of various technologies to be able to respond and detect any situation that
occurs when the prevention fails. It is important to note that the prevention technologies and the
response and detection technologies form what is called an operational model for computer security

(Arthur, 2016)

Procedures, Policies, guidelines, and standards
As a matter of fact, the most important part of the organizational approach to ideally

implementing security are actually procedures, policies, guidelines and standards that are
actually created to provide details of what the administrators and users should basically do
to be able to maintain the security of both the network and systems. All these particular
documents basically provide the guidelines that are required in the process of determining
how the security be ideally implemented in the organization. Provided that there is a
guidance document, then the specific security and technology mechanisms that are actually
required can be planned and organized for.

Policies are simply broad statements which are also the high level of whatever the organization is planning to
accomplish. These are basically made by the management especially when the organization's position is basically laid

out. Procedures are also step-by-step instructions guiding the implementation of policies in any given organization.
They give a clear description of how every single employee should basically behave and act especially in some given
situation or simply in the process of accomplishing some specific tasks. Standards are actually the mandatory elements
that are indeed necessary for the implementation of a policy. These are simply accepted requirements that actually
provide the details which are specific especially on how the enforcement of policies is done. Some specific standards

are actually driven externally. Policies and regulations for institutions like banks require some specific security
measures which should be taken by law. Other specific standards may ideally be set by the company in question with
an objective of achieving its own goals as far as security is concerned. Ultimately, guidelines are simply
recommendations that are related to the policy. The fundamental and key term for this particular case is actually
recommendations. Additionally and important to note is that guidelines are indeed not mandatory steps.

• It is important to note that just the same way as the network changes, the procedures, policies, guidelines, and standards should basically be
included in the specific document that is evaluated periodically and changed whenever necessary. Needless to mention that constant monitoring of
the given networks and also the constant review of the documents are indeed part and parcel of the process of the operational model. When this is
specifically applied to policies then the resultant process is basically called policy lifecycle. This particular policy lifecycle and operational process
ideally consist of the four distinctive steps and this is in relations to the organization’s security solutions and policies;
• Adjusting and planning for security in the organization
• Implementation of the plans
• Monitoring the implementation
• Evaluating the effectiveness
• In this particular first step, one is required to basically develop the procedures, policies, and guidelines that will ideally be implemented and
designing of the security components that would basically protect the network of the organization. As a matter of fact, there are instruments that
govern from compliance rules to standard that will basically provide boundaries for these particular documents. Once these particular documents
are developed and designed, then the plans can be surely implemented.

• It is important to recognize that part of the implementation of any given policy, guideline or procedure is basically an instruction
period in which those particular individuals who will be affected by the said change of the very new document are required to learn
about its content. The next thing that should be done is basically ensuring that both of the software and hardware, as well as the
procedures, policies, and guidelines, are indeed effective in the process of securing the systems. Ultimately, the evaluation of the
effectiveness of the security system should be done. This fundamental step may actually include what is called vulnerability
assessment which is purely an attempt to basically prioritize the list of the various vulnerabilities within a given network or system)
and also what is known as penetration test which is a method to ideally check the security systems by basically simulating an attack
by the individuals who are indeed malicious of the system and ensure that there is adequate security. After all the evaluation of the
security posture has been done, then you will be required to begin with the first step and this time round adjustment of the security

mechanism that is in place should be done and also continue with the cynical process.
• Needless to say that every single organization should basically have several common policies and regulations in place regardless of
security and all these should be absolutely in addition to those which are already discussed above in relations to their methods of
access control. These ideally include but not limited to the following; classification of information, acceptable use, security policies

in regards to the change management, due diligence and due care, need to know, due process, service level agreement, destruction
and destruction data, code of ethics and finally the policies that basically govern the response of the incident.

Security Policies
• In the process of trying to keep the high-level nature of the security, then the security policy which is actually a document produced by the
top management of the organization should be put in place and it basically outlines especially what the security is able to mean to the entire
organization as well as the goals and objectives for the security. It is important to note that the main security policy can basically be broken
down into diverse and additional policies that are able to cover specific topics. As a matter of fact, statements such as “this particular
organization will basically exercise the principle of its handling of the information of the client” would ideally be an example of the security
policy. Additionally, the security policy can basically describe basically security can be handled from the organizational point of view i.e.
describing which particular officer or office or manage will basically oversee the security program of the organization.
• In fact and of course in addition to the policies associated access control, the security policy ...