Journal: See attached | Information Systems

Jun 02, 2025

See attached Journal.docx. Compose a 300-word essay addressing the following questions:
1. Describe the characteristics of a cybersecurity policy. Who would create this policy? Who would be affected by it?
2. Explain how cybersecurity policies can help reduce the threats to an organization. Which threats are the hardest to protect against when dealing with assets?
3. Explain the characteristics of a successful cybersecurity policy. What needs to be in place during the creation to help with the success?
4. How does an IS or cybersecurity policy differ from a traditional organizational policy?
Be sure to use double spacing and paragraph format for your essay. You must use at least your textbook as a source in completing this assignment. All sources used must have proper citations and references formatted in APA Style.

Course Textbook(s)
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson. https://online.vitalsource.com/#/books/9780134858548

Attachment: UnitIV.pdf

SEC 4303, IS Security Policy Analysis
Unit IV Study Guide: Risk Management with IS Security

Course Learning Outcomes for Unit IV
Upon completion of this unit, students should be able to:
5. Show a familiarity with a wide range of substantive issues in IS security policy creation.
5.1 Define the purpose of IT governance with policies.
5.2 Indicate the potential risks associated with IS security.

Reading Assignment
Chapter 4: Governance and Risk Management

Unit Lesson

Governance
Organizations usually have some form of governance in place for structure and accountability. Governance is the process of structuring, operating, and controlling an organization with the objectives of achieving long-term strategic goals, meeting the interests of stakeholders, and complying with legal and regulatory requirements. Think about the functional areas (e.g., accounting, production, sales, and service) and the governance within each department. What governance practice does an accounting department apply to the financial data of an organization? How should this information be protected and used for operations?

Governance encompasses the establishment of chains of responsibility, authority, policies, standards, and control mechanisms. It expresses expectations, the allocation of resources, and the management of risks. In Chapter 4 of your textbook, you will review the issues associated with silos. The problem with silos is that each department establishes its own governance controls but does not share these structures or processes with the rest of the organization. To help with this, the information technology (IT) team can gather these structures and processes to build the cybersecurity responsibility of IT. However, each department performs these activities differently; consequently, consolidating them may take time and come with complexities. If IT meets regularly with the functional departments, this information can be collected and documented to provide a holistic IT governance model.

Figure: Silo-based cybersecurity example (adapted from Santos, 2019)

IT governance refers to increasing the effectiveness of an organization through IT: aligning IT with corporate goals, protecting IT investments, and addressing IT-related business challenges. The National Institute of Standards and Technology (NIST) (2018) defines data governance as a set of processes that ensures data assets are formally managed throughout the organization. This needs to be an organizational effort involving the different functional areas to ensure the data assets are protected. IT governance establishes authority, management, and decision-making parameters related to the data produced or managed by the enterprise (National Institute of Standards and Technology, 2018). Security policies support organizational integration, operating performance, strategic control, and risk management.

Policy Alignment
The development of security policies must align with organizational objectives and strategies, as should any information system (IS) or IT initiative. Policy alignment matters because it facilitates organizational effectiveness and efficiency, links technology and business, optimizes the business model, and supports success. We can also look to the external regulations within a particular industry. Santos (2019) explains how regulations and industry standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Family Educational Rights and Privacy Act (FERPA), the Federal Information Security Management Act (FISMA), and the Payment Card Industry Data Security Standard (PCI DSS) relate to cybersecurity, so organizations can verify that their practices are in line with them.

In today's technological world, IS security is always a topic at the executive and management levels. Security is an expected topic of discussion among decision-makers and is given the same level of respect as other fundamental drivers and influencing elements of the business (Santos, 2019). In recent years, many organizations have created chief information security officer (CISO) positions to address cybersecurity concerns and threats. Why would an organization not hire a CISO (especially if it works with financial or healthcare data)? The CISO coordinates and manages security efforts across the company, including IT, human resources (HR), communications, legal, facilities management, and other groups (Santos, 2019). However, many organizations operate on a strict personnel budget, so hiring for this position is not always feasible. The question is, how can organizations ensure their policies are up to date and sufficient if the role is not in place?

Risk
Risk can be associated with any business process or project. Think about the risks organizations take on with any long-term decision. Whether we implement a simple website or a large enterprise solution, we take on risk. The risk can be substantial or small, depending on its probability and potential impact. We must understand the value of communicating and working with the functional departments to identify potential security risks and concerns; therefore, we always need departmental involvement when identifying risks. Risk is defined as "the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction" (Santos, 2019, p. 122). The question, then, is why we take risks at all. Organizations take on risk with IT projects because of competition, regulations, growth, or necessity. According to Santos (2019), managing risk implies that other actions are being taken to mitigate the impact of the undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome. Failure to assume any risk with new ventures can be devastating to an organization over the long term because its competitors are taking on new risks with innovations to meet customer demands.

Managing Risks
As we have seen, an organization will be subject to risk with any new project or process. Therefore, we have to manage the risk if we want to remain competitive. Managing that risk is an important part of the IT department's work, in coordination with management. We can manage risk through acceptance, mitigation, reduction/avoidance, or transfer/sharing.

Risk Acceptance
At first, this sounds bad. However, this strategy is acceptable, especially when the probability or the impact of the risk is low. Risk acceptance indicates that the organization is willing to accept the level of risk associated with a given activity or process (Santos, 2019). We may accept the risk if the potential privacy implications are low and there is little or no impact on operations. Consider a situation in which a hacker could penetrate a web server, but the web server is rarely used by the organization, is isolated from the internal network, and does not contain any sensitive data. The organization may decide to accept this risk instead of building additional security measures to protect access to it. If a hacker penetrates the system, the impact on the organization is low and no damage results. Even so, an accepted risk should be recorded together with the reasoning behind it and revisited whenever the assumptions change: a server that later gains a connection to the internal network, or starts holding data, no longer meets the conditions under which the risk was accepted.

Risk Mitigation
Security policies play a critical role in facilitating the risk management effort and governance. A risk mitigation strategy can apply countermeasures, offset the risk, transfer the risk, or modify the approach to reduce the probability of the risk. In this approach, the organization can use multiple techniques, such as the reduction and transfer options described below, to help with the mitigation.

Risk Reduction and Avoidance
In risk reduction, the organization implements proactive measures to reduce the cybersecurity risk. Risk reduction recommendations should be evaluated in terms of their effectiveness, resource requirements, complexity, impact on productivity and performance, potential unintended consequences, and cost (Santos, 2019). Many organizations can stay ahead of some risks simply by updating their systems and operating systems frequently and applying patches to their software and systems. However, if an organization wants to be proactive, it needs to plan and allocate appropriate funds to ensure these activities are performed throughout the year. Unfortunately, many organizations wait until an incident occurs before applying patches, which can be extremely costly and increases the chance of system failures. Risk avoidance, by contrast, removes the exposure entirely, for example by not deploying the system or running the activity that would create it.
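Added example (not from the study guide or the textbook): a small risk register in Python that scores each entry as likelihood x impact, recommends one of the four treatments named in the lesson (accept, reduce, transfer/share, avoid) against an assumed risk appetite, and flags treatments that have not been re-validated, since a strategy chosen earlier may no longer be viable when the event actually occurs. The 1-to-5 scales, the appetite threshold of 4, the treatment heuristic, the 365-day review window, the fixed as-of date, and the four sample entries are all assumptions constructed for the illustration; three of the entries are modeled on the lesson's own scenarios (the isolated web server, unpatched systems, a DDoS against a customer-facing site) and the fourth is a constructed high-likelihood, high-impact case.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumptions for this example: ratings run 1 (low) to 5 (high); the organization
# accepts any risk scoring at or below DEFAULT_APPETITE; reviews older than a
# year are stale; AS_OF is a fixed date so the output is reproducible.
SCALE = range(1, 6)
DEFAULT_APPETITE = 4
REVIEW_WINDOW_DAYS = 365
AS_OF = date(2025, 6, 2)


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int      # 1-5, how probable the undesirable outcome is
    impact: int          # 1-5, how bad it is if it happens
    treatment: str       # strategy recorded at the last review
    last_reviewed: date

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")


def score(risk):
    """Risk score as probability x impact, the two factors the lesson names."""
    return risk.likelihood * risk.impact


def recommend_treatment(risk, appetite=DEFAULT_APPETITE):
    """Map a risk onto the four strategies (heuristic assumed for this example).

    within appetite                   -> accept (document it and revisit)
    high likelihood and high impact   -> avoid (do not run the activity as designed)
    high impact but low likelihood    -> transfer (insurance, standby firm)
    anything else above appetite      -> reduce (controls, patching)
    """
    if score(risk) <= appetite:
        return "accept"
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "avoid"
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"
    return "reduce"


def stale_treatments(register, today=AS_OF, max_age_days=REVIEW_WINDOW_DAYS):
    """IDs of risks whose recorded treatment has not been re-validated in the window."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.risk_id for r in register if r.last_reviewed < cutoff]


def mismatched_treatments(register, appetite=DEFAULT_APPETITE):
    """(id, recorded, recommended) for entries where the record disagrees with the rule."""
    out = []
    for r in register:
        rec = recommend_treatment(r, appetite)
        if r.treatment != rec:
            out.append((r.risk_id, r.treatment, rec))
    return out


def sample_register():
    """Constructed sample entries; not real data."""
    return [
        Risk("R-001", "rarely used, isolated web server", "external compromise",
             likelihood=2, impact=1, treatment="accept", last_reviewed=date(2024, 9, 1)),
        Risk("R-002", "internal servers and workstations", "exploitation of unpatched software",
             likelihood=4, impact=3, treatment="accept", last_reviewed=date(2025, 3, 15)),
        Risk("R-003", "customer-facing site", "distributed denial of service",
             likelihood=2, impact=5, treatment="transfer", last_reviewed=date(2023, 11, 20)),
        Risk("R-004", "internet-exposed payment database", "data breach",
             likelihood=4, impact=5, treatment="reduce", last_reviewed=date(2025, 5, 1)),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in reg:
        print(f"{r.risk_id} score={score(r):2d} recorded={r.treatment:8s} "
              f"recommended={recommend_treatment(r)}")
    print("stale reviews:", stale_treatments(reg))
    print("treatment mismatches:", mismatched_treatments(reg))
```

The register is only as good as the ratings fed into it, which is why the lesson insists on departmental involvement when risks are identified; a mismatch or a stale review should trigger a re-review with the asset owner rather than an automatic change of treatment.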
Risk Transfer and Risk Sharing
Organizations can hire an outside cyber-defense firm to share the risk in case the organization's data are compromised. The organization would need a contingency plan for contacting the firm when the event occurs. This sounds like a great plan, but it may take hours to confirm that the firm will actually take on the work during the designated period. Many firms will say they are willing to accept the risk, but when they are needed, the environment or their workload on other projects may have changed. Therefore, the organization will need to stay in contact with the outside firm to ensure it is available when needed. Some organizations pay a monthly flat fee (a retainer) just to keep an outside firm on standby. Another option is simply to purchase insurance against a cyberattack or distributed denial of service (DDoS). We can think of this in the same terms as vehicle or home insurance, where the insurer steps in to cover the cost of resolving the problem. Unfortunately, the organization will not have much time to file a claim, because operations must continue in order to serve customers.

Figure: Risk management strategies

Summary
Organizations can start by establishing IT governance committees to outline how IT assets, data, systems, and networks should be managed and protected. This should be accepted and promoted by top management because resources need to be allocated to the committee. We can also use risk management strategies, depending on the organization's acceptable levels of risk and its risk appetite. There are plenty of risk strategies organizations can adopt, but these decisions need to be carefully considered because a potential risk may not materialize for months or years. It becomes very problematic when a risk strategy that was identified in the past is no longer a viable option when it is needed. The organization is then forced to make a decision based on the current situation, and it may have to be a quick decision, depending on the severity of the issue.

References
National Institute of Standards and Technology. (2018). Computer Security Resource Center: Glossary. https://csrc.nist.gov/glossary/term/data-governance
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson.
