Search Your Institution’s Intranet Or Website For Security
Search your institution’s intranet or Web site for its security policies. Do you find an enterprise security policy? What issue-specific security policies can you locate? Are all of these policies issued or coordinated by the same individual or office, or are they scattered throughout the institution?
Using the framework presented in this chapter, draft a sample issue-specific security policy for an organization. At the beginning of your document, describe the organization for which you are creating the policy and then complete the policy using the framework.
Assume a smaller organization has a plan to implement a security program with three full-time staff and two or three groups of part-time roles from other parts of the business. What titles and roles do you recommend for the three full-time staff? What groups would commonly supply the part-time staff?
Draft a work breakdown structure for the task of implementing and using a PC-based virus detection program (one that is not centrally managed). Don’t forget to include tasks to remove or quarantine any malware it finds.
Paper for the Above Instructions
Introduction
In the contemporary digital landscape, security policies form the backbone of an organization’s defense mechanism against cyber threats. This paper explores the security policies within an institutional context, drafts a sample security policy framework, and discusses organizational roles involved in implementing security programs, culminating in a practical work breakdown structure (WBS) for deploying a virus detection program.
Institutional Security Policies
Upon examining the intranet and website of my institution, I found that the security policies are somewhat decentralized. The institution maintains an overarching enterprise security policy that provides general guidelines, but specific issue-oriented policies are scattered across different departments. For example, IT security, data privacy, and physical security policies are issued by respective department heads or committees, rather than a centralized security office. This decentralization can lead to inconsistencies and challenges in enforcement.
The enterprise security policy primarily emphasizes the safeguarding of institutional data, user access controls, and incident response procedures. Issue-specific policies I identified include a password policy, email security policy, and remote access policy. These are typically issued or coordinated by the IT security department, but some policies, like physical security, are managed by facilities management, indicating a fragmented approach.
Framework and Draft Security Policy
Utilizing the security policy framework outlined in the chapter—comprising policy statement, scope, responsibilities, implementation guidelines, monitoring, and review—the following is a sample issue-specific security policy for a mid-sized academic organization.
Organization Description: Grandview University is an institution dedicated to providing quality undergraduate and graduate education. It has approximately 20,000 students, 2,000 faculty and staff, and multiple campuses. The university values data security and proper access controls to protect student records, research data, and institutional reputation.
Sample Security Policy - Data Access and Usage Policy
- Policy Statement: To ensure the confidentiality, integrity, and availability of institutional data, all users must adhere to access control protocols, data handling procedures, and reporting requirements.
- Scope: This policy applies to all students, faculty, staff, contractors, and external partners accessing university data systems.
- Responsibilities: The Chief Information Security Officer (CISO) oversees policy enforcement. System administrators implement technical controls. Users are responsible for secure data handling and adherence to policies.
- Implementation Guidelines: Users must use unique, strong passwords; restrict data access to authorized personnel; and report security incidents promptly. Regular training sessions will be held to ensure compliance.
- Monitoring and Review: Security audits will be conducted quarterly, and this policy will be reviewed annually or after significant security incidents.
Organizational Roles in a Small Security Program
For a small organization seeking to establish a security program with minimal staff—three full-time personnel and several part-time contributors—it is critical to assign clear roles. Recommended titles include:
- Chief Information Security Officer (CISO): Responsible for overall security strategy, policy development, and compliance oversight. This individual monitors the threat landscape and advises executive leadership.
- Security Operations Manager: Handles day-to-day security operations, incident response, and management of security tools. Coordinates with technical staff and ensures policies are implemented effectively.
- Security Analyst: Conducts vulnerability assessments, monitors network activity, and provides technical expertise for security issues. Assists in training staff and evaluating security measures.
The part-time roles are often supplied by internal staff from departments such as IT support, network administration, or even administrative units for physical security support. These individuals contribute specialized knowledge and resources on an as-needed basis, under the supervision of the core security team.
Work Breakdown Structure for Virus Detection Program Deployment
Implementing a PC-based, non-centrally managed virus detection system requires careful planning and execution. The following WBS outlines key tasks:
- Project Initiation
  - Define project scope and objectives
  - Identify target PCs and end-user groups
  - Gather requirements for virus detection software
- Procurement and Deployment Planning
  - Select appropriate antivirus software based on compatibility and features
  - Plan deployment schedule and communication plan
  - Assign roles for installation and maintenance
- Installation and Configuration
  - Install antivirus software on target PCs
  - Configure software settings for automatic updates and real-time scanning
  - Test software functionality on sample systems
- User Training and Awareness
  - Develop training materials for end-users
  - Conduct training sessions on software use and malware prevention
- Operational Tasks
  - Initiate regular virus scans on all PCs
  - Monitor virus detection logs and alerts
  - Respond to malware detections
- Malware Removal and Quarantine
  - Isolate infected systems to prevent spread
  - Use antivirus tools to quarantine or remove malicious files
  - Verify system integrity post-removal
  - Document incidents for review and compliance
- Maintenance and Review
  - Schedule periodic updates for virus definitions and software patches
  - Review detection logs for trends and areas for improvement
  - Adjust settings or procedures as necessary based on evolving threats
- Project Closure
  - Evaluate project success and document lessons learned
  - Plan for ongoing monitoring and maintenance
This structured approach ensures systematic deployment and management of the virus detection process, including crucial steps to handle malware once detected, thereby safeguarding the organization’s PCs from persistent threats.
Conclusion
Effective security policies and organizational roles are vital for an institution’s resilience against cyber threats. Proper planning, clear role definitions, and structured task execution—such as the detailed work breakdown structure for virus management—are essential components of a comprehensive security strategy. As threats evolve, continuous review and adaptation of policies and procedures will ensure ongoing protection and compliance.