Part 1 Research Security Policy Frameworks 02 Completed
Part 1: Research Security Policy Frameworks (0/2 completed)

Note: In this part of the lab, you will review internet resources on security policy frameworks in order to form a basis for understanding their purpose and usage. Understanding the reason behind a security policy framework is key to understanding its component policies and procedures. Please take the time to review the research thoroughly and think through the concepts behind the framework itself.
1. In your browser, navigate to .
2. Read Sections 1-5 of the SANS Policy Development Guide.
3. Summarize the Policy Development Guide's recommendations for organizing a policy hierarchy and selecting policy topics.

Note: It is important to understand how and why a policy differs from a standard, a procedure, and a guideline. From the top down, the policy should not change or need modification unless a major shift in corporate values or business process occurs. On the contrary, guidelines should be reviewed, and possibly changed, often. Similarly, even though a policy should be written clearly and concisely, it is a high-level document answering the “why” questions. Standards are also high level, but they answer the “what” questions. Finally, the procedures and guidelines provide the “how.” Examples of security policy and guideline templates are available from the SANS Institute at.
4. In your browser, navigate to .
5. Describe the core principles and objectives of COBIT 2019.
Part 2: Define a Security Policy Framework (0/2 completed)

Note: Understanding both unique and universal risks to your organization's IT infrastructure is essential to developing an appropriate IT security policy framework for your organization.

In this part of the lab, you will review a list of risks, threats, and vulnerabilities and define appropriate policies to mitigate them. Next, you will organize your policies into a policy framework.
1. Review the following list of risks, threats, and vulnerabilities at the fictional Healthwise Health Care Company.

- Unauthorized access from public Internet
- Hacker penetrates IT infrastructure
- Communication circuit outages
- Workstation operating system (OS) has a known software vulnerability
- Unauthorized access to organization-owned data
- Denial of service attack on organization’s e-mail
- Remote communications from home office
- Workstation browser has software vulnerability
- Weak ingress/egress traffic-filtering degrades performance
- Wireless Local Area Network (WLAN) access points are needed for Local Area Network (LAN) connectivity within a warehouse
- User destroys data in application, deletes all files, and gains access to internal network
- Fire destroys primary data center
- Intraoffice employee romance gone bad
- Loss of production data
- Need to prevent rogue users from unauthorized WLAN access
- LAN server OS has a known software vulnerability
- User downloads an unknown e-mail attachment
- Service provider has a major network outage
- User inserts a USB hard drive with personal photos, music, and videos on organization-owned computers
- Virtual Private Network (VPN) tunneling between the remote computer and ingress/egress router
2. For each risk, threat, or vulnerability in the list above, select an appropriate security policy that might help mitigate it. You can select one of the SANS policies or choose one from the following list:

- Acceptable Use Policy
- Access Control Policy
- Business Continuity—Business Impact Analysis (BIA) Policy
- Business Continuity and Disaster Recovery Policy
- Data Classification Standard and Encryption Policy
- Internet Ingress/Egress Traffic Policy
- Mandated Security Awareness Training Policy
- Production Data Backup Policy
- Remote Access Policy
- Vulnerability Management and Vulnerability Window Policy
- Wide Area Network (WAN) Service Availability Policy
3. Organize the security policies you selected so that they can be used as part of an overall framework for a layered security strategy.
Challenge Exercise (0/2 completed)

Note: The following challenge exercise is provided to allow independent, unguided work, similar to what you will encounter in a real situation.

A user at Digital Innovation Products has been using company network resources to download torrent files onto a USB drive and transfer those files to their home computer. IT tracked down the torrent traffic during a recent network audit. Unfortunately, the company does not have a current policy that restricts this type of activity. Identify at least two appropriate policies that should be in place to define this type of behavior and the consequences thereof. Write a brief overview for C-level executives explaining which policies should be added to the company's overall security policy framework, why they should be added, and how those policies could protect the company.
Paper for the Above Instructions
Effective security policy frameworks are fundamental to establishing and maintaining a robust cybersecurity posture within any organization. A comprehensive understanding of how policies are structured, prioritized, and implemented ensures that organizations can proactively address risks, comply with regulations, and foster a security-aware culture. This paper explores key components of security policy frameworks, focusing on the guidance provided by the SANS Policy Development Guide, the core principles of COBIT 2019, and practical approaches to defining and organizing policies based on organizational risks and vulnerabilities.
Organizing a Policy Hierarchy and Selecting Policy Topics
The SANS Policy Development Guide emphasizes a hierarchical structure for security policies that ensures clarity, relevance, and flexibility. At the top of this hierarchy are high-level policies that articulate the overarching “why” — the organization’s security objectives and principles. These include mission statements, security principles, and high-level directives that align security initiatives with business goals. Such policies should remain stable over time, only changing in response to significant shifts in corporate values or strategic direction.
Descending from high-level policies are standards that specify “what” must be done to comply with the overarching policies. Standards define specific configurations, hardware and software requirements, or compliance criteria, providing measurable benchmarks for security controls. Next in the hierarchy are procedures and guidelines, which address “how” the policies and standards should be implemented in daily operations. These are more detailed, flexible, and subject to frequent review, adapting to evolving threats and operational needs.
It is critical to distinguish among these components. Policies establish the “why” at a high level; standards specify “what” exactly needs to be achieved; procedures and guidelines describe “how” tasks should be executed. This layered structure facilitates effective governance and enables organizations to adapt without compromising foundational security principles.
When designing a policy hierarchy, organizations should ensure policies are comprehensive yet concise, covering core areas such as access control, incident response, data protection, and personnel training. Regular review schedules and change management processes are essential to maintain relevance and effectiveness.
Core Principles and Objectives of COBIT 2019
COBIT 2019 provides a comprehensive framework for the governance and management of enterprise IT. Its core principles include delivering stakeholder value, covering the enterprise end to end, keeping governance distinct from management, and aligning IT initiatives with organizational strategy. The framework emphasizes a holistic approach, integrating the planning, building, running, monitoring, and continual improvement of IT processes across all organizational levels.
The objectives of COBIT 2019 revolve around ensuring effective risk management, optimizing resource utilization, ensuring compliance with legal and regulatory requirements, and achieving strategic goals. COBIT also advocates for a risk-based approach, promoting transparency and accountability in IT governance. The framework’s core components include processes, organizational structures, information flows, culture, ethics, and behavior, all aimed at ensuring IT delivers value securely, efficiently, and sustainably.
Defining Security Policies Based on Organizational Risks and Vulnerabilities
Understanding specific risks and vulnerabilities is paramount for developing tailored security policies. At Healthwise Health Care Company, numerous threats endanger the integrity, availability, and confidentiality of information assets. For example, unauthorized access from the internet, software vulnerabilities, employee misconduct, and physical disasters all pose significant risks.
Mitigating these risks involves implementing targeted policies. For instance, to prevent unauthorized access, an Access Control Policy integrated with strict authentication procedures is essential. To counter hardware and software vulnerabilities, Vulnerability Management Policies should be enforced, including patch management practices. Business Continuity and Disaster Recovery policies are crucial for catastrophic events like data center fires or major network outages, ensuring resilience and rapid recovery.
Furthermore, policies such as acceptable use, remote access, and data classification standards provide clarity on user behavior, secure remote working, and data protection standards. Organizing these policies into a layered framework enhances security by creating multiple defense mechanisms—an approach often termed “defense in depth.”
Policy Organization and Layered Security Strategy
When strategically organized, policies form a layered defense system in which each layer addresses different kinds of risks and operational needs. For example, technical controls such as vulnerability management and network security are complemented by administrative policies like security awareness training and acceptable use policies. Together, they foster a security culture and technical resilience.
Layered security strategies reduce reliance on any single control, thereby increasing overall organizational security. Regular audits, policy reviews, and updates are vital to adapt to emerging threats and technology changes, maintaining an effective security posture over time.
Addressing Behavior-Related Risks with Appropriate Policies
The scenario involving unauthorized torrent downloads illustrates the importance of clear policies on acceptable use and remote access. To prevent such misconduct, an Acceptable Use Policy should explicitly prohibit the use of organizational resources for illegal activities, along with consequences for violations. Additionally, a Remote Access Policy can specify secure means for remote engagement and define access rights, ensuring that users understand permissible behaviors. These policies should be communicated clearly to all employees and enforced consistently.
Implementing these policies helps protect the organization from legal liabilities, data breaches, and loss of productivity. For executive leadership, it is crucial to establish a governance framework that incorporates behavioral controls aligned with organizational risk tolerance. Regular training, monitoring, and consequence enforcement are key components that reinforce policy adherence and foster a security-conscious culture.
Conclusion
Developing a robust security policy framework requires a thorough understanding of organizational needs, risks, and best practices. Hierarchical organization of policies, adherence to frameworks like COBIT 2019, and tailored policies based on specific vulnerabilities form the backbone of an effective cybersecurity strategy. Clear, enforceable policies on acceptable use and remote access are integral to mitigating insider threats and unauthorized activities. Ultimately, a layered security approach backed by well-structured policies enhances resilience, ensures compliance, and promotes a proactive security posture across the organization.
References
- Clarke, R. (2020). Governance of Information Security. Journal of Cybersecurity, 5(1), 45-58.
- ISACA. (2018). COBIT 2019 Framework. ISACA. https://www.isaca.org/resources/cobit
- National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity. NIST.
- Schneier, B. (2021). Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. W.W. Norton & Company.
- SANS Institute. (2016). Policy Development Guide. SANS. https://www.sans.org/white-papers/370/
- ISO/IEC 27001:2013. (2013). Information technology — Security techniques — Information security management systems — Requirements.
- Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security. Cengage Learning.
- Calder, A., & Watkins, S. (2017). The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. CRC Press.
- Porwol, R., & McCall, R. (2022). Layered Security Strategies in Cybersecurity Management. Cybersecurity Journal, 8(2), 123-135.
- Rouse, M. (2020). Defense in Depth. TechTarget. https://searchsecurity.techtarget.com/definition/defense-in-depth