Sign Up Now
Get instant access to over 1 million+ study documents
OR
Already registered? click here to login
By creating your account, you agree to our terms of service, privacy policy and student honor code.
¶ … Policy Case Study
The author of this report has been asked to act as a consultant for a major security consulting firm. Contained within this report will be several topics that were requested to be covered and thus they will be with the appropriate amount of vigor and detail. The first topic will be a brief overview of the overall legal environment for non-information technology managers when it comes to things like constitutional law, administrative law, civil law, criminal law, due care, due diligence and overall fiduciary duty. Another major topic that will be covered is the applicable information security laws and practices. Next up will be the impact of policies, regulations and laws when it comes to the information security sphere. The next topic, and a very controversial one in the eyes of many, is the Central Intelligence Agency including is practices, what has been in the news about them and so forth. There will also be a discussion of governance policy and recommendations for the same. The final portion will be the distinguishing between government and organization policies. While information security practices are like writing a tightrope, it is something that people must master and learn to do well.
Analysis
When it comes to the legal environment in which information technology managers operate, it can be a minefield and then some. Just as two examples, Target and Home Depot have learned a very hard lesson about what happens when information is not properly secured and some very high-ranking IT and non-IT people lost their jobs over that mess (Sidel, 2015). Then of course there were prior incidents like the one at TJX that was borne of abject ignorance about the obsoleteness of the WEP wireless standard at the time (Ou, 2007). What information technology executives and other managers must understand is that failing to secure information properly and with the proper amount of due diligence can have a wide array of legal implications. In fact, being too secure and too interested in what employees are doing (or not doing) can lead to issues. For example, an employee can scream about a loss of privacy even if they are using company equipment and this has obvious constitutional implications...
Other things that can occur included the proper amount of privacy regulations and security that must be in place, protection against lawsuits from customers, employees or shareholders (among other people), general ramifications for not exercising due care or due diligence or not acting in a fiscally responsible manner in any provable or demonstrable way (TechTarget, 2015).
Practices that could and should be mastered included setting proper password complexity requirements, having the right firewalls and access control standards in place, establishing (and enforcing) policies that could or would have an impact on information security, restricting physical access to sensitive equipment and keeping sensitive information about a system's setup and security on a "need to know" basis with the people that should know these things. Impacts of information technology policies, for example, include whether they are legal, whether they are all-encompassing and whether they are actually being enforced. When it comes to regulations and laws, it is commonly at the discretion of law enforcement as to whether or when they prosecute people but that is there call and they will tend to protect employees and customers if they are being wronged or if there is a perception of the same (Hess, 2013). One major component of any solid information security and integrity protocol would be having data backed up reliably and sufficiently. As described by the NIST, backups can be done via DVD disc, network storage, external hard drives and internet backups. Generally, it is best to have both local redundancy and remote redundancy so that one backup is local and immediately accessible while the other is in a secondary location just in case the first location is compromised by a storm, fire or sabotage (NIST, 2010)
One gray area in all of that are requests for information from agencies like the CIA, the NSA and so forth. The tech giants of the United States have complained that these agencies often go on "fishing expeditions" to root out malfeasance any way they can. Information technology personnel should certainly cooperate with these agencies but there should be legitimate warrants and/or other judge-ordered actions…
References
ABA. (2015). What Are the Limits of Employee Privacy? | Solo, Small Firm and General
Practice Division. Americanbar.org. Retrieved 10 June 2015, from http://www.americanbar.org/publications/gp_solo/2012/november_december2012pr
ivacyandconfidentiality/what_are_limits_employee_privacy.html
DHS. (2004). Information Security Governance - A Call To Action. Department of Homeland Security. Retrieved 10 June 2015, from https://www.dhs.gov/sites/default/files/publications/csd-informationsecuritygovernance-acalltoaction-2004.pdf
Retrieved 10 June 2015, from http://www.zdnet.com/article/10-security-best-practice-guidelines-for-businesses/
News. U.S. News & World Report. Retrieved 10 June 2015, from http://www.usnews.com/news/articles/2015/04/08/privacy-board-will-do-deep-dive-
10 June 2015, from http://www.zdnet.com/article/tjxs-failure-to-secure-wi-fi-could-cost-1b/
Retrieved 10 June 2015, from http://www.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571
SearchSecurity. Retrieved 10 June 2015, from http://searchsecurity.techtarget.com/Security-liability-Whos-to-blame-for-a-data-security-breach
SECURITY Information Security and Risk Management in IT This essay is designed to present and discuss both an assessment of information security and risk management in IT systems and a comparative discussion of important academic theories related to security and risk. In the first section, An assessment, a conceptual framework will emerge including reference to important terminology and concepts as well as an outline of legislation and authorized usage examples. In the
Information Security The discussion below provides answers to questions raised with regard to a case at Greenwood Company A forensic plan of readiness comes with several advantages. If there arises a situation that forces a company to be engaged in litigation, and there is need for digital evidence, e-discovery is of central importance. The laws and rules that govern the e-discovery, such as the Federal Rules of Civil Procedure or the Practice
OSIIT An analysis of IT policy transformation The aim of this project is to evaluate the effectiveness of information security policy in the context of an organization, OSI Systems, Inc. With presence in Africa, Australia, Canada, England, Malaysia and the United States, OSI Systems, Inc. is a worldwide company based in California that develops and markets security and inspection systems such as airport security X-ray machines and metal detectors, medical monitoring anesthesia
Security An institution of higher learning is one of the most vulnerable places to cyber-attacks available to hackers due to the number of units operating, lackadaisical security measures and the ability of hackers to hide in plain sight. The fact that these are vulnerable systems and individuals has made it a top priority of most institutions to ensure that the people who attend the school at least have a policy
goals of this study are to reveal some of the common and prevailing cyber security threats. Here we plan to explore the risk that is most difficult to defend: social engineering. We seek answers to the human elements and characteristics that contribute to the frauds and how they themselves unwittingly give out information that eventually leads to difficult situations. There are many ways in which the attackers 'phish' their
A micro considers the interests and rights of the individual company as the primary concern. Both of these views are valid depending on the lens that one wishes to use. The problem arises when the government is forced to develop policies regarding procurement in this volatile debate. The government must decide whether to take a micro view, favoring the rights of companies, or a macro view that places the