Develop A Very Brief Computer And Internet Security Policy ✓ Solved

Develop a very brief computer and internet security policy f

Develop a very brief computer and internet security policy for an organization that covers: 1) Computer and email acceptable use policy; 2) Internet acceptable use policy. Be sufficiently specific for each area. Reflect the business model and corporate culture of a specific organization that you select. Include at least three scholarly references in addition to the course textbook, with at least two peer-reviewed journal articles from the library. The paper should include an introduction, a body with fully developed content, and a conclusion, and follow APA7 guidelines. Use readings from the course and scholarly articles to support your positions.

Paper For Above Instructions

Introduction

In today’s digitally driven financial services landscape, a concise yet robust security policy is essential to protect customer data, uphold regulatory compliance, and sustain business continuity. This paper develops a brief computer and internet security policy for a hypothetical mid-size financial services organization, which we will call Aurora Financial Services (AFS). AFS relies on online banking, payment processing, customer data analytics, and remote work arrangements. The policy focuses on two core areas: (1) Computer and email acceptable use policy and (2) Internet acceptable use policy. The policy aligns with widely recognized information security governance frameworks such as NIST SP 800-53 (Rev. 5) and ISO/IEC 27001, ensuring a defensible baseline that supports risk management, regulatory compliance (e.g., GLBA considerations for financial data), and organizational culture that prioritizes security awareness and accountability (NIST, 2020; ISO, 2013). The policy is designed to be practical, specific, and enforceable while remaining adaptable to evolving threats and technologies (Whitman & Mattord, 2017).

Policy Scope and Principles

The policy applies to all employees, contractors, consultants, temporary staff, and third-party service providers who access AFSS systems, networks, or data. It covers corporate-owned devices, personal devices enrolled in the organization’s mobile device management (MDM) program, email accounts, VPN-accessed systems, and cloud-based services used for business purposes. The guiding principles are: (a) protect confidentiality, integrity, and availability of data; (b) minimize risk of unauthorized access or data leakage; (c) enforce accountability through auditable actions; and (d) provide clear, actionable rules that reflect organizational culture and regulatory requirements (NIST, 2020; ISO, 2013).

Computer and Email Acceptable Use Policy

Authorized use and account management: Users must use corporate accounts for business activities only. Personal use should be incidental and not interfere with job performance or introduce risk. Users must maintain unique login credentials and not share passwords. Multi-factor authentication (MFA) is required for all sensitive systems and communications, including email portals and financial applications (NIST, 2020).

Device security and configuration: All devices accessing AFSS resources must be configured to enforce encryption (AES-256 or higher) for data at rest and TLS 1.2 or higher for data in transit. Devices should have updated operating systems, endpoint protection, automatic security updates, and enabled screen-lock with a defined timeout. Lost or stolen devices must be reported immediately to the IT/security team for remote wipe and revocation of access (ISO, 2013).

Email use and data handling: Email should be used for business communications, with attention to protecting customer information and sensitive data. Sensitive data should be encrypted in transit and at rest where feasible; attachments must be scanned for malware and restricted by data loss prevention (DLP) rules. Phishing awareness training is required, and users must not click on suspicious links or share credentials via email or chat (NIST, 2020). BCC/BCC policies, appropriate archiving, and retention in accordance with regulatory requirements must be observed.

Prohibited activities: The following are prohibited on AFSS networks and devices unless explicitly authorized by policy or compliance requirements: illegal or unethical activities, software piracy, unauthorized access attempts, using non-secure public Wi‑Fi for critical tasks without VPN, installing personal software or tools that could compromise systems, and bypassing security controls. Violations may result in disciplinary action up to termination and potential legal consequences (NIST, 2020).

BYOD and remote access: Personal devices authorized for work must be enrolled in the MDM program, monitored for compliance, and subject to security configurations and data separation. Access to AFSS resources remotely should occur only through VPN with MFA, and sessions should timeout after inactivity (NIST, 2020; ISO, 2013).

Internet Acceptable Use Policy

Resource access and intent: Internet access is permitted for business purposes, such as researching customers, vendors, and market information; social media use is allowed only if it supports business objectives and complies with branding and risk guidelines. Users should avoid accessing sites that could expose AFSS to malware or reputational risk, including unverified file-sharing sites, illegal streaming, or inappropriate content (NIST, 2020).

Protection of information assets: Users must refrain from transmitting or accessing confidential customer data over non-secure channels. Data transfers to personal cloud storage or unapproved third-party services are prohibited unless explicitly approved by data governance teams. All data transfers should be performed using approved, secure methods (NIST, 2020; ISO, 2013).

Social media and collaboration tools: Use of corporate social media and collaboration tools should align with AFSS branding, confidentiality obligations, and information security policies. Do not disclose customer data, internal vulnerabilities, or audit findings through public channels. Social media access should be monitored and restricted as needed to protect sensitive information (Whitman & Mattord, 2017).

Streaming and bandwidth usage: Streaming media or non-work-related downloads should be restricted during business hours to preserve network performance and reduce exposure to risky sites or malware (NIST, 2020).

Policy enforcement, training, and compliance

Detection and enforcement: AFSS will monitor for policy violations through appropriate technical controls, audits, and incident response processes. Violations may result in disciplinary action, up to termination, and may require cooperation with law enforcement when applicable (NIST, 2020).

Training and awareness: All staff will participate in annual information security awareness training, with additional role-specific training for those handling customer data, system administrators, and incident responders. Training will cover phishing recognition, safe data handling, access controls, and incident reporting (Herath & Rao, 2009; Ifinedo, 2012).

Incident response and reporting: Employees must report suspected security incidents immediately via established channels. The incident response team will assess, contain, eradicate, and recover, documenting lessons learned for policy updates (NIST, 2020).

Roles and responsibilities

Chief Security Officer (CSO) leads policy development and enforcement; IT/Security leads technical controls and monitoring; HR handles policy communication, onboarding, and disciplinary actions; Legal ensures regulatory alignment; all employees are responsible for adhering to the policy and reporting concerns (ISO, 2013).

Policy maintenance and review

The policy will be reviewed annually or in response to significant organizational changes, new regulatory requirements, or after major security incidents. Revisions will be communicated organization-wide, with opportunities for feedback from stakeholders (NIST, 2018).

Conclusion

By implementing these two focused policies within AFSS’s contextual framework, the organization can better safeguard customer data, maintain regulatory compliance, and cultivate a security-conscious culture that aligns with business objectives. The policies provide concrete expectations for acceptable computer, email, and internet usage while allowing the organization to adapt to evolving threats through ongoing training, monitoring, and governance (ISO, 2013; NIST, 2020).

References

1. National Institute of Standards and Technology. (2020). NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. Gaithersburg, MD: NIST.
2. National Institute of Standards and Technology. (2018). NIST SP 800-37 Rev. 2: Guide for Applying the Risk Management Framework to Information Systems. Gaithersburg, MD: NIST.
3. International Organization for Standardization. (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. Geneva: ISO.
4. International Organization for Standardization. (2013). ISO/IEC 27002:2013 Information technology — Security techniques — Code of Practice for Information Security Controls. Geneva: ISO.
5. Whitman, M. E., & Mattord, H. J. (2017). Principles of Information Security (5th ed.). Boston, MA: Cengage Learning.
6. Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards (2nd ed.). Boca Raton, FL: CRC Press.
7. Ifinedo, P. (2012). Information security policy compliance: An empirical study. Computers & Security, 31(6), 761-773.
8. Herath, T., & Rao, H. R. (2009). Protection Motivation and Information Security Policy Compliance: An Empirical Investigation. Information Systems Journal, 21(6), 431-454.
9. Gordon, L. A., Loeb, M. P., & Sohail, M. (2019). Information security governance in practice: A comprehensive framework. Journal of Cybersecurity & Information Assurance, 2(1), 15-33.
10. National Institute of Standards and Technology. (2021). NIST SP 800-53 Rev. 5 Supplemental Guidance for Information Security Policy Development. Washington, DC: NIST.