Assignment - Security Standards and Procedures
This exercise is designed to have you write security standards and procedures. To accomplish this goal, you may build on available templates; but the exercise requires you to think for yourself because every enterprise is different and because security policies, standards and procedures must adapt over time to new threats.
The Scenario - The scenario is the same as for assignment 2 (i.e., it concerns Wright Aircraft) as is your role within the company.
Parts (i) and (ii)
Give headings and subheadings only (not content) for the following documents that you would create for employees to ensure cyber security at Wright Aircraft. The headings and subheading can be expressed in a table of content format. Interpret "standards" and "procedures," in the same manner as in the online notes. Be sure to make sections as specific to Wright Aircraftas feasible.
Part (i): Security standards for Wright Aircraft
Part (ii): Security procedures for Wright Aircraft
Explain any additional assumptions that you want to or need to make (consistent with the description from assignment 2) about Wright Aircraft or the environment.
Hints:
- This exercise challenges you to differentiate among "policies," "standards," and "procedures." In order to respond to this question, you have to reorganize and select from the online notes and other sources.
- Where you encounter an item that overlaps two of these categories, it's best to explain this overlap.
- Tailor the headings to Wright Aircraft in particular, not a generic business. Boilerplate material can be useful, but this is not simply an exercise in copying and pasting. You are required here to think through implications to Wright Aircraft's business goals.
- Peltier contains a wealth of materials, of course, in Chapters 6, 7, and 8, and in the appendices. Use Peltier to suggest topics that you could include. You must filter what you, as the CISO at Wright Aircraft think is relevant to their business goals.
- Peltier sometimes mixes policies and procedures with standards.
Part (iii)
The standards document that you outlined in Part (i) has several sections. Select two different sections or subsections with characteristics critical to the business of Wright Aircraft, and provide their full contents. In other words, these characteristics would not typically appear in the same form on policies for departments of other companies. As an example, many companies have an Internet Acceptable Use Policy that specifies what employees may do on the Internet, but this would not be a particularly good example because Wright Aircraft business does not demand that its Acceptable Use Policy be much different from the typical ones. (You may have a different view, which is fine as long as you justify it.)
Where cost/benefit trade-offs are required, explain them.
Part (iv): Do the same as in Part (iii), but applied to the procedures document you outlined in Part (ii).
The answer to this question should be no longer than 7 pages of 12-point text.
Hints:
- Peltier, in the sections mentioned above covers details that you can tailor to Wright Aircraft.
- We are looking for sections you as CISO consider critical to Wright Aircraft.