The Role of Information Security Policy
- Information security policies are the core internal guidance for an organization and must be enacted prior to the purchase of information security controls. There is a bit of a "chicken and egg" dispute in the information security community as to whether it is appropriate to first engage in risk assessment with policies created to address those findings or whether it is appropriate to first create policies against which a risk assessment can be performed. On a more granular level, security policy is meant to document what is important to a particular organization related to information technology assets, including data. This sequential order is critical to the success of an information security program because a successful program ensures that organizations do not spend too little or too much money when purchasing controls to enforce these policy decisions. For example, it is possible to purchase a certificate that uses DNA as the key to enforce an access control policy, but there are very few situations where that would be an appropriate or balanced choice.
- You are a new information security officer for Metro City Community College. Metro City has a small urban campus in downtown Detroit and also offers their catalog of courses online. One of the first tasks you are assigned is to create the information security policies that will guide all subsequent security projects that you propose.
- Use the study materials and engage in any additional research needed to fill in knowledge gaps. Write a 2 page paper that covers the following:
- Describe the overall objectives of creating information security policy for this institution.
- Analyze the benefits and challenges of enforcing information security policies within government agencies and organizations.
- Evaluate how creation and enforcement of information security policies can impact customers and business partners that have a relationship with a government agency or organization.