Project 1 Employee Handbook: Company Background & Operating Environment
Use the assigned case study for information about “the company.”
Policy Issue & Plan of Action
The company has grown substantially over the past few years. The current Employee Handbook was created from a set of templates purchased from a business services firm. The policies in the handbook were reviewed by the company’s attorney at the time of purchase. The attorney raised no objections at that time. During a recent legal review, the company’s corporate counsel advised that the company update the Employee Handbook to better address its current operating environment.
The Chief Executive Officer has tasked the Chief of Staff to oversee the handbook updates including obtaining all necessary approvals from the Corporate Governance Board. The Chief of Staff met with the full IT Governance Board to discuss the required policy updates. (The IT Governance Board is responsible for providing oversight for all IT matters within the company). The outcome of that meeting was an agreement that the CISO and CISO staff will update and/or create IT related policies for the employee handbook. These policies include:
- Acceptable Use Policy for Information Technology
- Bring Your Own Device Policy
- Digital Media Sanitization, Reuse, & Destruction Policy
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research what the three policies should contain and then prepare an “approval draft” for each one. No single policy should exceed two typed pages in length, so you will need to be concise in your writing and only include the most important elements for each policy. The policies are to be written for EMPLOYEES and must explain employee obligations and responsibilities. Each policy must also include the penalties for violations of the policy and identify who is responsible for compliance enforcement. Your “approval drafts” will be submitted to the IT Governance Board for discussion and vetting. If the board accepts your policies, they will then be reviewed and critiqued by all department heads and executives before being finalized by the Chief of Staff’s office.
The policies will also be subjected to a thorough legal review by the company’s attorneys. Upon final approval by the Corporate Governance Board, the policies will be adopted and placed into the Employee Handbook.
Research:
1. Review the Week 1 & 2 readings.
2. Review the sample policies and procedures provided in Week 1.
3. Find additional sources which provide information about the policy statements which should be covered in the three policies for the Employee Handbook.
Paper for the Above Instruction
This paper presents comprehensive drafts for three critical IT-related policies intended for inclusion in the company's Employee Handbook: the Acceptable Use Policy for Information Technology, the Bring Your Own Device (BYOD) Policy, and the Digital Media Sanitization, Reuse, & Destruction Policy. These policies aim to delineate employee obligations, responsibilities, penalties for violations, and enforcement responsibilities, ensuring a secure and compliant operational environment aligned with the company's growth and evolving legal landscape.
Acceptable Use Policy for Information Technology
The Acceptable Use Policy (AUP) establishes the framework within which employees may utilize the company's IT resources, including computers, networks, email, and internet services. The policy asserts that all employees are responsible for safeguarding the confidentiality, integrity, and availability of company data and IT systems. Employees are permitted to access company resources solely for authorized business activities and must refrain from activities that could jeopardize system security or violate laws, such as unauthorized data access or distribution of prohibited content.
Employees are obligated to adhere strictly to security protocols, including the use of strong passwords, timely software updates, and reporting suspected security breaches immediately to IT staff. Violations of the AUP may result in disciplinary actions ranging from reprimand to termination, and potential legal prosecution if criminal activity is involved. The IT Department, specifically the Chief Information Security Officer (CISO), is responsible for monitoring compliance, investigating violations, and enforcing policy adherence.
Bring Your Own Device (BYOD) Policy
The BYOD Policy governs the use of personal devices—including smartphones, tablets, and laptops—for work-related activities. Employees must register their devices with the IT Department before accessing company systems to ensure security measures are applied. The policy mandates that employee-owned devices must have up-to-date security software, including antivirus programs and encryption, and comply with the company's password policies.
Employees are responsible for safeguarding their devices and reporting loss or theft immediately. They must not store or transmit sensitive or classified information on personal devices unless authorized and properly secured. Any employee violating these procedures could face disciplinary actions, including loss of access rights or employment termination. The CISO and designated IT staff are responsible for enforcing the BYOD policy, including conducting periodic audits to verify compliance.
Digital Media Sanitization, Reuse, & Destruction Policy
This policy outlines procedures for securely sanitizing, reusing, and destroying digital media—such as hard drives, USB drives, and portable storage devices—to prevent data breaches. Employees handling digital media must ensure that all data is irreversibly erased before media are reused or disposed of, using approved sanitization methods in accordance with industry standards such as NIST SP 800-88.
Employees are responsible for verifying proper sanitization before media are transferred or discarded. Unauthorized destruction or reuse of media containing sensitive information constitutes a violation and can lead to disciplinary action, including termination, and possible legal liability. The IT Department, under the supervision of the CISO, is responsible for establishing approved sanitization procedures, providing training, and auditing compliance to ensure data security during media disposal processes.
Conclusion
The proposed policies are designed to foster a safe, compliant, and efficient technology environment aligned with the company's growth and legal obligations. Clear delineation of employee responsibilities, coupled with enforcement mechanisms, will promote adherence while minimizing risks associated with misuse or mishandling of digital resources. Final approval from the Corporate Governance Board will formalize these policies into the Employee Handbook, strengthening the company's cybersecurity posture and operational standards.
References
- National Institute of Standards and Technology. (2014). NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization. https://doi.org/10.6028/NIST.SP.800-88r1
- Cybersecurity & Infrastructure Security Agency. (2018). Guidelines for Effective BYOD Policies. https://www.cisa.gov/news/2018/07/13/guidelines-effective-byod-policies
- International Organization for Standardization. (2015). ISO/IEC 27001:2013. Information Security Management Systems.
- United States Computer Emergency Readiness Team. (2020). Acceptable Use Policy Best Practices. https://us-cert.cisa.gov/ncas/tips/ST04-005
- National Cyber Security Centre. (2017). Mobile Device Security and BYOD Policy Recommendations. https://www.ncsc.gov.uk/files/Guidance/Assessing-Mobile-Device-Security.pdf
- European Union Agency for Cybersecurity. (2019). Data Sanitization Techniques and Standards. https://www.enisa.europa.eu/publications/data-sanitization
- Institute of Electrical and Electronics Engineers. (2018). Standards for Data Sanitization. IEEE Std 1624-2013.
- Federal Trade Commission. (2020). Data Security and Employee Responsibilities. https://consumer.ftc.gov/articles/0038-data-security
- Center for Internet Security. (2021). Security Recommended Practices for Employee Policies. https://cisecurity.org/recommendations/
- National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity. https://www.nist.gov/cyberframework