How to develop or implement a policy framework


Assignment: IT Security Policy Framework Case Study

Your policies need high visibility to be effective. When implementing policies, you can use various methods to spread the word throughout your organization.

Use management presentations, videos, panel discussions, guest speakers, road shows, summits, question/answer forums, and newsletters. Introduce computer security policies in a manner that ensures that management's support is clear, especially where employees feel overwhelmed with policies, directives, guidelines, and procedures.

Remember that the work of building awareness and gaining acceptance of security policies does not start when the framework is published. Its success will be determined by how it is put together and who is involved. Every organization is different, and differences play out in many ways. Organizations vary as to their industry or field, their regulatory requirements, their culture, and their leadership personalities.

All are necessary considerations as you start to develop a framework. In general, state the core principles up front in the form of goals. This defines "what" the framework must achieve, and these goals are typically nonnegotiable security requirements. First get buy-in on the "what," and then get others to work with you on the "how." You can be more flexible on the "how" than on the "what." Gain ownership from key user groups by offering them choices on how to achieve the policy goals. Executives and end users know the business and can usually find ways to integrate security processes while minimizing operational impact.

Formulating viable computer security policies is a challenge and requires communication and understanding of the organizational goals and potential benefits that will be derived from policies. Through a carefully structured approach to policy development, you can achieve a coherent set of policies. Without these, there's little hope for any successful information security systems.

Case Studies in Policy Framework Development

This section provides three case studies that help you understand how to develop or implement a policy framework. You will look at cases from the private sector, the public sector, and the critical infrastructure protection area.

Private Sector Case Study

In 2008, Nadia Fahim-Koster, director of IT Security at Piedmont Healthcare, reassessed the hospital's security compliance using a structured, measurement-based approach. She decided to start by establishing baseline metrics for IT security risk. This would show whether systems were already in compliance and would provide a point of comparison for future assessments. Where systems were not in compliance, her IT team could adjust security configurations and controls to bring them into line. However, the director faced the following challenges:

• A large, diverse network of systems with over 7,000 devices
• An incomplete inventory of IT assets and their configurations
• No easy way to classify assets
• A broad Health Insurance Portability and Accountability Act (HIPAA) standard that is largely non-prescriptive and left elements of reporting open to interpretation

She assembled an IT team to work on the project. They began with asset discovery to create a complete and up-to-date inventory of systems. Next, they looked at system configurations to determine if they complied with regulations and existing hospital policies.

The director decided to measure Piedmont Healthcare's IT security controls using NIST SP 800-53. The team established a framework for classifying and measuring security controls across the Piedmont Healthcare network.

"Selecting the NIST framework as our measurement framework meant that we had to classify all of our IT assets the same way," explained Fahim-Koster. "Once this was completed, we could begin to capture the existing security controls and perform a gap analysis to see where we needed to make improvements."

Using the NIST framework, Piedmont classified its servers as low, moderate, or high impact (the FIPS 199 categories on which the SP 800-53 control baselines are built; the page's own wording is "high, medium, or low") based on the type of information they contained. Once IT personnel had identified the gaps in compliance controls, they could prioritize which servers to address first and which controls to apply.
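The categorize-then-prioritize step above is the mechanical core of the case study, so here is a worked example of it. This is added illustration, not Piedmont's tooling or anything from the page's author: the information types, their impact levels, the asset inventory and the assignment of controls to levels are all constructed for the example. The control identifiers (AC-2, AU-2, and so on) are real SP 800-53 control IDs, but the mini-baselines below are an illustrative subset, not the published baselines. The categorization uses the FIPS 199 high-water mark: a system's impact level is the highest level across confidentiality, integrity and availability of every information type it holds.

```python
"""Impact categorization and control-gap prioritization.

Added example modelled on the case study's approach; all data below is
constructed for illustration and is not Piedmont's inventory or NIST's
published baselines.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed provisional impact levels per information type. A real program
# takes these from the organization's own FIPS 199 categorization.
INFO_TYPES = {
    "ePHI":       {"confidentiality": "high",     "integrity": "high",     "availability": "moderate"},
    "billing":    {"confidentiality": "moderate", "integrity": "high",     "availability": "moderate"},
    "public-web": {"confidentiality": "low",      "integrity": "moderate", "availability": "moderate"},
    "dev-test":   {"confidentiality": "low",      "integrity": "low",      "availability": "low"},
}

# Constructed mini-baselines: real SP 800-53 control IDs, but the mapping of
# controls to levels is illustrative only (each level includes the lower ones).
BASELINE = {
    "low":      {"AC-2", "AU-2", "CM-6", "IA-2", "SI-2"},
    "moderate": {"AC-2", "AU-2", "CM-6", "IA-2", "SI-2", "AC-6", "AU-6", "CM-8", "SC-8"},
    "high":     {"AC-2", "AU-2", "CM-6", "IA-2", "SI-2", "AC-6", "AU-6", "CM-8", "SC-8",
                 "AU-9", "SC-28"},
}


@dataclass
class Asset:
    name: str
    info_types: list        # information types the system stores or processes
    implemented: set        # control IDs found in place by the configuration review


def categorize(info_types):
    """High-water mark: the highest level over every objective of every type."""
    level = "low"
    for t in info_types:
        for obj in OBJECTIVES:
            candidate = INFO_TYPES[t][obj]
            if LEVELS[candidate] > LEVELS[level]:
                level = candidate
    return level


def gaps(asset):
    """Controls required by the asset's baseline that the review did not find."""
    required = BASELINE[categorize(asset.info_types)]
    return sorted(required - asset.implemented)


def prioritize(assets):
    """(name, level, missing controls) for every asset with open gaps,
    highest-impact systems with the most gaps first, name as tiebreak."""
    rows = [(a.name, categorize(a.info_types), gaps(a)) for a in assets]
    rows = [r for r in rows if r[2]]
    rows.sort(key=lambda r: (-LEVELS[r[1]], -len(r[2]), r[0]))
    return rows


# Constructed inventory, standing in for the output of asset discovery plus
# the configuration review.
INVENTORY = [
    Asset("ehr-db-01", ["ePHI", "billing"], {"AC-2", "AU-2", "IA-2", "SI-2", "AC-6", "CM-8"}),
    Asset("www-01", ["public-web"], {"AC-2", "AU-2", "CM-6", "IA-2", "SI-2", "AC-6", "AU-6", "CM-8"}),
    Asset("lab-build-07", ["dev-test"], {"AC-2", "CM-6", "IA-2"}),
]

if __name__ == "__main__":
    for name, level, missing in prioritize(INVENTORY):
        print(f"{name:14} {level:9} missing: {', '.join(missing)}")
```

Run as a script it lists ehr-db-01 (high, five open controls) first, then www-01 (moderate, one gap), then the low-impact build box. The point of the ordering is the one the case study makes: once every asset is classified the same way, the gap list turns into a work queue instead of a pile of findings.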

Based on the case study above, write a 3 - 6 page paper that includes the following:

• Assign roles and responsibilities for employees at varying levels in the corporate hierarchy that are responsible for security policies.

• Analyze risk assessment and risk mitigation strategies and policy needs based on best practices.

• Summarize your findings.

Format your assignment according to the following formatting requirements:

1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.

2. The paper should also include a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

3. Also include a reference page. Citations and references should follow APA format. The reference page is not included in the required page length.
