Journal VIII: see attached. | Information Systems

May 19, 2025

see attached.

Journal.docx

Identify a task that you would need to perform in your current career or future career, and explain in detail how you would apply the knowledge you have learned in this course to succeed at performing the task in a real-world scenario. Your submission should be in paper format and include at least two well-constructed paragraphs indicating how you will apply the knowledge gained from this course. Your journal entry must be at least 200 words in length. No references or citations are necessary.

UnitVIII.pdf

SEC 4303, IS Security Policy Analysis

UNIT VIII STUDY GUIDE
Operation Security and Business Continuity

Course Learning Outcomes for Unit VIII

Upon completion of this unit, students should be able to:

2. Develop security policies.
4. Analyze a security policy for its completeness.
5. Show a familiarity with a wide range of substantive issues in IS security policy creation.
6. Design a research project on an IT security-related problem.
7. Communicate the findings of a research project related to an IT security problem to the organization’s management.
7.1 Describe a process for communicating the policy to stakeholders.

Reading Assignment

Chapter 8: Communications and Operations Security, pp. 236–257
Chapter 12: Business Continuity Management, pp. 426–447

Unit Lesson

In an earlier unit, we covered the importance of physical and environmental security to help protect the assets and information technology (IT) resources. We will now cover the necessity of communications. For organizations to have good communication with the policies, they need to have standard operating procedures (SOPs). If we have consistent communication and the processes are clear for the policies, then we will see more success with the enforcement and overall knowledge. If employees receive this information by email and during training events, then we can hold them accountable for following the procedures. However, if this information is rarely sent out or discussed, then the organization may see inefficiencies because employees do not know the proper processes.

SOPs should be written by individuals knowledgeable about the activity and the organization’s internal structure (Santos, 2019). Therefore, organizations should have senior personnel writing the procedures. Santos (2019) explains SOPs should be understandable and written in concise, step-by-step, plain language format.

Policies and procedures will need to be modified over time. It is at this point that we need to change or adjust the policies. However, we need to have a formal process in place for doing this. Consider the ramifications if a team changes a policy without following a formal process. If the change was made but never communicated to the functional departments, then the change has no value because the departments are not aware of the adjustments. As mentioned in Unit VI, HR should be responsible for sending out the communication for these updates. Additionally, if a change is necessary, then the potential change should be sent to the appropriate department and then this department will start the form change process to update the policy and communicate the updates to the departments. In this unit, you will see a standard change control process to include the preliminary information associated with the potential change to be submitted to the appropriate department. The following graphic outlines a standard process for submitting, communicating, and implementing changes to the policies.

[Figure: Change control process]

Another issue we need to address with operations is the protection against malware such as viruses, worms, Trojan horses, bots, and ransomware. We want to minimize the impacts, so it is critical to institute policies for prevention and detection.
A prevention policy would focus on providing steps on how to treat an alarming email in your inbox. Employees need to know if the organization wants them to delete the message and contact IT or follow another process. The IT group can also implement steps to lock down browsers and install auditing and detection software to help with the protections. However, if the browsers are locked down, then there should be an aligning policy to confirm these practices, as opposed to IT simply locking down the browsers. The key is to identify, control, and protect information technology systems. Therefore, organizations should actively deploy audits and monitoring mechanisms for the identification of security events.

In Chapter 12 of the textbook, we will finish with business continuity. We are all familiar with disasters that have impacted the country in the past. Therefore, it is important to plan for these instances and create plans to follow when the disaster occurs. A disaster is an event that results in damage or destruction, loss of life, or drastic change to the environment (Santos, 2019). Key things to consider as we build these policies are the resources, locations, data, systems, networks, and operations. A business continuity approach from a security perspective entails the four methods shown in the image provided.

Many organizations practice these events with designated teams to ensure they are prepared for a disaster. Business disaster recovery (DR) and business continuity (BC) teams should be appointed to prepare, declare, and manage a major business disruption. This is a great concept and best practice, but it does take resources and money to coordinate. If the organization sends a twelve-person team to a remote location twice each year to practice the business continuity plan, then the organization must pay for the offsite location, travel, technology, and employee pay for substitute work.
In addition to these costs, the organization has to spend time during the year creating the policies for all employees and a disaster recovery team.

Organizations must keep in mind the entire process of maintaining the network, systems, communications, and operations. Organizations want to identify how their customers will contact them during the disaster using redirect phone lines and prompting messages on the company website with key contact numbers. If the organization is not functional for weeks after a disaster, then there is a high probability that many of the existing customers will move their business to other organizations. As we all know, when a disruption of business occurs, the organization loses revenue and incurs extra expenses and reduced profits. The costs associated with these plans are very insignificant when compared to losing everything.

Santos (2019) explains organizations must be resilient to ensure they can recover from known or unknown changes to the environment. Security policies and principles should identify the process and approach from an operational perspective. Organizational security is about policy decisions, expenditures, and risk management. We focused on physical security in this lesson, so it is good to consider both the insider and outsider threats. Insider threats are more complex to detect and quantify. Internal attacks tend to be very damaging as well. Outsider threats are well known because they tend to come in via the Internet. Thus, recovery strategies for IT should be planned, developed, and tested so that, in case of an unexpected incident, technology can be restored to meet organizational needs.

[Figure: Business continuity approach from the security perspective]

Disaster recovery planning (DRP) is an approach that details the strategies required to restore an organization’s IT infrastructures and services following a major business disruption or disaster.
The main objective of DRP is to minimize the impact that a disaster or disruptive event will have on the day-to-day business functions. A concrete business DRP is built around the unique requirements of the organization as well as the risks, exposure, and potential damages to IT infrastructures.

It is also key to point out that many regulatory bodies require financial firms and medical facilities to have these plans in place. For example, the Health Insurance Portability and Accountability Act (HIPAA) Contingency Plan Standard 164.308(a)(7) requires covered entities to “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” (Santos, 2019, p. 429). There are also governing agencies that make surprise visits to medical facilities to review their systems, security, patient care, and business continuity plans. If the business continuity plan is not in place, this can lead to fees or loss of grants or state revenue. Therefore, it is critical to build the business continuity plans around the needs of the organization and to support the governing body’s expectations and requirements. Failure to do this can put the organization at risk and jeopardize future funding and accreditations.

Summary

In summary, we were able to cover many aspects that affect an organization’s operations. We understand the importance of continued business and communication of the policies to the entire organization. It is equally important for organizations to have resources in place along with a yearly budget to ensure the policies are created to address the physical concerns and disaster probabilities. If top management supports these activities, then the organization will continue to enhance the policies and integrate process improvements to ensure the organizations remain resilient and protected.
However, it is very easy for the policies to become outdated and neglected if there is not engagement and communication on the importance of information systems (IS) security. IS security can sometimes be put on the shelf because the functional areas are busy working the operations, taking care of customers, and meeting performance goals. Therefore, IT and HR have to be strategic when sending out IS security updates and holding professional development sessions. If we spend too much time on security, then it may have a negative impact on meeting other expectations associated with the core business.

Last, the organizations always need to establish a business continuity plan along with accepted policies in case of a disaster. If an organization creates a limited business continuity plan with few policies, then it will be extremely difficult to continue operations during a disaster event. If you find yourself working in IT, then please review the policies and look for opportunities for improvement. Most likely, you will work in an ever-changing environment where applications, resources, departments, executives, and business models change rapidly.

Reference

Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson.
