Computer science

Posted: August 22nd, 2017

Application: Creating a Security Policy

You have just purchased a used car at a fantastic price. You are so excited that you decide to take an extended drive. Unfortunately, you experience a flat tire and discover that you do not have a spare. Now, your vehicle is disabled because you are missing a critical component. You are in a potentially bad situation.

One aspect of security policies that is often neglected is what assets staff members are permitted to use and how they may use those assets. Failure to address staff members in security policies might weaken an organization’s legal position. An incomplete security policy, like a missing spare tire, may not be realized until an incident has occurred. Consequently, the organization could find itself in a potentially bad situation.

***

The U.S. Army has hired your firm, Token Tiger Consulting (TTC), to provide IT services to one of their new civilian contractors. Although the exact nature of this contractor is not known to TTC, the Army has indicated that this contractor will be gathering and storing “sensitive” data, and communicating with the Army via the Internet and communications security (COMSEC) equipment. Furthermore, some contractor staff travel often and are required to use their own personal devices for work.

The Colonel that hired TTC has asked you to begin drafting a security policy for the contractor. You decide to begin with the separation of duties (SoD), staff legal obligations (e.g., bring your own device [BYOD], social media, and acceptable use), and the COMSEC equipment.

write a  security policy that:

• Specifies SoD requirements for contractor staff who handle sensitive data
• Addresses the legal obligations that pertain to contractor staff
• Specifies procedures for COMSEC equipment