Please excuse the delay. I posted it as a comment on another page and not a unique blog entry. To confirm, here’s the link.
Policy Video
https://www.powtoon.com/online-presentation/dj1UMvQxS9a/mis-5202/
Temple University
Up until now we have been talking mainly about doing the “Right Things”. Policies are our first topic focused on “Done Right”. The basic idea of policies is that they simplify decision making and encourage consistent organizational behavior. The idea works something like this:
Once available, a policy is apt to generate any number of standards, guidelines and procedures that are intended to help realize the objective. These can all be thought of as controls. Thus, a security policy may say that employees will have unique userids (with least privileged access) and are accountable for how their userids are used. This generates any number of controls, from how userids are provisioned, who needs to approve a new role, what tasks are not permitted in the same role, what passwords are acceptable, how often they need to be changed, etc. These controls are then audited to see if the organization’s controls, if followed, will enable the objective to be met (sufficiency) and how well each control works (effectiveness).
Rich
Readings
There will be no reading questions this week.
Policy Project
Work with your team and pick one of the security topics listed below that interests you. Use the readings as a guide to write a comprehensive policy statement for the topic. Policy statements are usually on the order of 3-5 pages. Then, prepare a 5-minute-or-less presentation (Thu’s section)/video (Rich’s section) that introduces your new policy to the employees of your hypothetical company.
The possible topics are:
To help you understand what we want, here is a link to an acceptable use policy submitted in a previous semester. You should not copy the format exactly, but think about what’s covered, the level of detail, references, etc.
http://community.mis.temple.edu/mis5202online2016/files/2015/10/Initech_Acceptable_Use_Policy.pdf