discussion questions for security strategy and policy – writinghub.net

1. “Importance of Security Policies” Please respond to the following:

  • Explain the significance of information systems security policies and the challenges and issues associated with ineffective or nonexistent policies in an organization.
  • Propose three methods that organizations can use to increase the acceptance of policies within their organization. Explain the potential challenges to implementing these methods.

2. “Security Controls and Security Policies” Please respond to the following:

  • Examine the classifications of security controls (physical, administrative, and technical) and the types of security controls (preventive, detective, and corrective). Explain how these different types of controls are used to enforce security policies within an organization.
  • Explain the classifications and the type of security controls that are most challenging to implement. Include suggestions for overcoming these challenges.

3. “CIPA” Please respond to the following:

  • From the e-Activity, describe the purpose of CIPA and whom it applies to. Determine why it is important for people attending schools and libraries affected by CIPA to know which schools and libraries must comply with CIPA versus those that do not.
  • From the e-Activity, determine some of the legal and technical challenges and issues with the implementation of CIPA.

LINK TO THE E-ACTIVITY: Organizations must be aware of the different regulations that apply to their organization and business sector, such as HIPAA, FERPA, CIPA, and others. The Children’s Internet Protection Act (CIPA) is one law that attempts to limit the exposure of children to sexually explicit material at libraries and schools. Review the information located at http://www.fcc.gov/guides/childrens-internet-protection-act. Be prepared to discuss.

4. “Domains of IT Responsibility” Please respond to the following:

  • Select one of the seven domains of IT responsibility and describe what is encompassed within that domain from a security perspective. Include an explanation of the common security controls implemented within the domain that you selected.
  • Describe the business challenges associated with the domain you selected. Determine the security controls and policies needed to overcome these challenges.

5. “Policy Implementation Issues” Please respond to the following:

  • Describe the basic elements of human nature, how they affect information security policy development, and how they give rise to information security policy implementation issues.
  • Propose at least three ways that organizations can overcome these policy development and implementation issues.

6. “ISO/IEC 27000 Series and NIST” Please respond to the following:

  • Determine the part of an IT security program that you believe is the most challenging for organizations to implement. Justify your reasoning.
  • Analyze the business considerations, information assurance, and information systems security considerations that impact the area that you identified as being most challenging to implement. Provide at least two recommendations for IT management to implement to align the information assurance and security considerations with the business goals.

7. “Principles for Policy and Standards Development” Please respond to the following:

  • Select two principles for policy and standards development (accountability, awareness, ethics, multidisciplinary, proportionality, integration, defense-in-depth, timeliness, reassessment, democracy, internal control, adversary, least privilege, continuity, simplicity, and policy-centered security). Examine how these principles would be the same and different for a health care organization and a financial organization.
  • Determine which type of organization would have the most difficulty implementing the principles you selected. Support your answer.

8. “OCTAVE” Please respond to the following:

  • From the e-Activity, provide a brief explanation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methods. Explain how they are beneficial for organizations developing their IT risk management approaches.
  • From the e-Activity, explain how the size of the organization impacts the OCTAVE method utilized. Determine the factors that large organizations, as opposed to small organizations, are most concerned with.

LINK TO THE E-ACTIVITY: Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a commonly used methodology for risk-based information security assessment and planning. Review the information located at http://www.cert.org/octave/. Be prepared to discuss.