Cybersecurity Policies

The development and enforcement of cybersecurity policies are critical to an organization's ability to protect its networks and data. Such policies can be developed locally, based on an organization's unique mission and requirements, or developed broadly to serve a general audience. Some organizations develop cybersecurity standards that are then implemented through policies; the International Organization for Standardization (ISO) is one such organization.

While cybersecurity policies focus specifically on data and networks, management policies are also required to guide the activities of personnel, identify responsibilities and accountabilities, and ensure the effective operation of the organization. An organization often establishes a central policy structure to oversee the development and management of its policies. Cybersecurity policies should be aligned with the organization's mission and vision.

Check Your Knowledge

Choose the best answer to each question:
Question 1
Which of the following is an overarching, generalized statement that specifies an organization's philosophy or vision for key areas, such as information security, strategic planning, and business continuity, and defines the structure and approach that will be implemented to achieve that vision?
a strategic plan
a policy
guidelines
procedures
Question 2
Which of the following govern the day-to-day operations of an organization and serve as benchmarks for quality, compliance, and other measurable controls?
procedures
policies
standards
guidelines
Question 3
Which of the following has a local focus and spells out what needs to be done for the implementation of policies?
procedures
policies
standards
guidelines
Question 4
In terms of organizational scope, which of the following lists the correct order from the highest level, through the second-highest level, to the most specific, local level?
policies, standards, procedures
strategic plan, guidelines, standards
standards, plans, procedures
policies, guidelines, standards
Question 5
Security policies specifically do all of the following except for _______.
broadly defining the organization's orientation toward data and system security
specifying methods, techniques, and practices for protecting organizational information
focusing only on network security
specifying methods for preventing data theft
Question 6
The process of developing a security policy requires collaboration among which of the following?
the CISO and the CIO
staff members of the information systems department
managers in the various business units
all of the above
Question 7
Which of the following is an often-forgotten final step in drafting policies for organizations and serves to inform and educate employees about the policy?
releasing the policy
creating awareness of the policy
documenting the policy
building a case for the policy
Question 8
You decided that the best way to begin is by setting up a committee to create the policy. Which individuals should the committee comprise?
the "C"-level employees (CEO, CIO, COO)
the middle-management employees
the IT security team
individuals from various departments, such as IT, finance, and HR
all of the above
Question 9
Which of the following would be the most effective remedy to prevent sabotage of the IT systems?
Create a policy that forces the system administrators to record their exit every time they physically leave the building.
Create a policy that restricts system administrators' permissions to network resources, applications, and physical components. Other members of the IT department should have defined administrative roles, separate from the system administrator's duties.
Log each system entered, and allow the system administrator to control these logs.
None of the above
Question 10
Once a policy has been created, what is the most appropriate way to train employees?
Post an announcement about the new policy on the IT security department's web page with links to any relevant training material.
Distribute the policy to department managers and have them redistribute it to their teams.
Rely on the HR department to handle training.
Post an announcement about the new policy on the IT security department's web page with links to any relevant training material and distribute the policy to department managers and have them redistribute it to their teams.
Question 11
Organizations do not need to create compliance policies because of ______.
the implementation of GLBA
the implementation of SOX
the implementation of FISMA
none of the above
Question 12
Which of the following assigns responsibilities to various agencies to ensure the security of data in the federal government and requires each agency to inventory its major computer systems, identify and provide appropriate security protections, and develop, document, and implement an agencywide information security program?
NIST
FISMA
IETF
ISO