Cyber Security

Operational Policy

In the highly connected world we live in, every organization operates information systems, handles data, or runs business processes that rely on information systems.

Building a highly effective operational policy guides the business and its collaborators in establishing a robust and secure foundation for all of the organization's workstreams.

Creating a secure foundation helps organizations prevent breaches and protect information systems and data.

Continuously developing, implementing, and measuring the effectiveness of these policies increases the organization's security and its value to the business, making clear to the C-level why investing in an information security policy program matters.

Reflections

Data is essential to any organization and vital to its business operations and long-term viability. In this sense, data encompasses any asset that must be protected.

All organizations must ensure that their information assets are protected cost-effectively, reducing the risk of unauthorized disclosure, modification, or destruction of information, whether accidental or intentional.

Establishing a robust information security program is vital for any organization, and an information security policy program is the foundation that program needs in order to protect the information.

The Information Security Program adopts a risk management approach to information security. This approach requires identifying, assessing, and appropriately mitigating the vulnerabilities and threats that can adversely impact the company's information assets.

This Information Security Program Charter serves as the capstone document for the Information Security Program.

Information security policies define the information security objectives in each topical area. Information security standards provide more measurable guidance within each policy area, and information security procedures describe how to implement those standards.

From the professionalism and ethics standpoint, I have selected two artifacts for these reflections.

As part of this course, I was able to write a full policy covering a specific sector of the industry. In my point of view, the critical aspect of this assignment was that, from the initial development of the policy onward, it followed guiding principles that establish a robust foundation for any organization; from the ethics standpoint, it is vital to connect with the values of, and show empathy toward, the collaborators.

These guiding principles are the highlights for any policy writer or policy owner and are described as follows:

  • Shared Responsibility – Everyone is responsible for implementing the security policy as it relates to their specific roles and responsibilities.

  • Risk Management – An organization's security is defined by the set of risks it faces. These risks must be managed and must remain the primary focus of any security policy or program.

  • Least Privilege – Users and systems should have only the minimum level of access necessary to perform their defined function.

  • Defense-in-Depth – Overall security must not rely on a single defense mechanism.

  • Compartmentalization – If one compartment is compromised, the remaining compartments should stay safe.

  • Secure Compliance Failure – When a system's confidentiality, integrity, or availability is compromised, it should fail to a safe state.

  • Need-to-Know – Information is distributed only to those parties that require it to execute their defined business function.

  • Sufficient Authentication and Authorization – Firmly established identity and role-based authorization are essential to making informed access control decisions.

  • Audit Mechanisms – Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.

The second artifact is an excellent privacy resource that can be applied to any industry.

The highlights are the high standards applied to this written policy, which ensure that I apply responsible privacy practices to protect customers, increase trust, manage risk, and support contractual requirements, regulatory obligations, and customer commitments. Needless to say, this helps any organization staff essential privacy roles and authorize standards and procedures adequately.

Leveraging the learning from this course at work, I have made a couple of updates to the policies for Red Team engagements and their rules of engagement.

In summary, the information security policy is a critical part of any organization's mission. Protecting information, systems, facilities, employees, and customers is part of fulfilling the promise of helping any business partner achieve more. Security is a vital component in building trust with business partners at every level.

As the saying goes, security is everyone's responsibility.

Information security policies detail the security requirements that apply to each organization's business.

Course Artifacts

  • Information Security Policy

  • Privacy Policy and Guiding Principles

Resources

Book References

  • Peltier, Thomas R. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach Publications, 2002.

  • Arlotto, Pam, and Susan P. Irby. Beyond Return on Investment: Expanding the Value of Healthcare Information Technology. CRC Press, Taylor & Francis Group, 2019.

  • Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices. Wiley, 2020.

  • Pruteanu, Adrian, and Zeal Vora. Enterprise Cloud Security and Governance. Packt Publishing, 2017.

  • Stafford, Brian, and Dottie Schindlinger. Governance in the Digital Age: A Guide for the Modern Corporate Board Director. Wiley, 2019.


© 2020 - Alexandre Fernandes Costa
