Project #1: Employee Handbook

Company Background & Operating Environment

Use the assigned case study for information about “the company.”

Policy Issue & Plan of Action

The company has grown substantially over the past few years. The current Employee Handbook was created from a set of templates purchased from a business services firm. The policies in the handbook were reviewed by the company’s attorney at the time of purchase. The attorney raised no objections at that time. During a recent legal review, the company’s corporate counsel advised that the company update the Employee Handbook to better address its current operating environment. The Chief Executive Officer has tasked the Chief of Staff to oversee the handbook updates, including obtaining all necessary approvals from the Corporate Governance Board.

The Chief of Staff met with the full IT Governance Board to discuss the required policy updates. (The IT Governance Board is responsible for providing oversight for all IT matters within the company.) The outcome of that meeting was an agreement that the CISO and CISO staff will update and/or create IT related policies for the employee handbook. These policies include:

• Acceptable Use Policy for Information Technology
• Bring Your Own Device Policy
• Digital Media Sanitization, Reuse, & Destruction Policy

Your Task Assignment

As a staff member supporting the CISO, you have been asked to research what the three policies should contain and then prepare an “approval draft” for each one. No single policy should exceed two typed pages in length, so you will need to be concise in your writing and only include the most important elements for each policy. The policies are to be written for EMPLOYEES and must explain employee obligations and responsibilities. Each policy must also include the penalties for violations of the policy and identify who is responsible for compliance enforcement.
Your “approval drafts” will be submitted to the IT Governance Board for discussion and vetting. If the board accepts your policies, they will then be reviewed and critiqued by all department heads and executives before being finalized by the Chief of Staff’s office. The policies will also be subjected to a thorough legal review by the company’s attorneys. Upon final approval by the Corporate Governance Board, the policies will be adopted and placed into the Employee Handbook.

Research:

Review the Week 1 & 2 readings. Review the sample policies and procedures provided in Week 1.

SAMPLE POLICIES

• Sample Acceptable Use Policy. Reid, G., & Hilldale, D. (2006). Acceptable use policy template. Retrieved from https://www.first.org/_assets/resources/guides/aup_generic.doc (This sample Acceptable Use Policy includes a generic policy template.)
• Sample #2 “Bring Your Own Device – Policy and Rules of Behavior” in Bring Your Own Device Toolkit. Digital Services Advisory Group & Federal Chief Information Officers Council. (2012). A toolkit to support federal agencies implementing bring your own device (BYOD) programs. Retrieved from https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf (See Sample #2 on page 30.)
• Sample Policy and Guidance Language for Federal Media Sanitization. Federal Electronics Challenge. (2012). Sample policy and guidance language for federal media sanitization. Retrieved from https://www.epa.gov/sites/production/files/documents/sanitization_sample.pdf
• Media Sanitization & Destruction Policy (State of Michigan). Michigan State Police. (2013). Media sanitization and destruction policy sample. Retrieved from https://www.michigan.gov/documents/msp/Media_Sanitization_Destruction_Policy_442249_7.pdf

Find additional sources which provide information about the policy statements which should be covered in the three policies for the Employee Handbook.

Write:

Prepare a briefing package with approval drafts of the three IT related policies for the Employee Handbook. Your briefing package must contain the following:

• Executive Summary
• “Approval Drafts” for:
    • Acceptable Use Policy for Information Technology
    • Bring Your Own Device Policy
    • Digital Media Sanitization, Reuse, & Destruction Policy

As you write your policies, make sure that you address security issues using standard cybersecurity terminology (e.g. 5 Pillars of IA, 5 Pillars of Information Security). See the resources listed under Course Resources > Cybersecurity Concepts Review for definitions and terminology.

Use a professional format for your policy documents and briefing package. A recommended format is provided in the assignment template file (see the recommended template under Course Resources).

Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.

You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

Submit For Grading

Submit your Employee Handbook approval draft in MS Word format (.docx or .doc file) for grading using your assignment folder. (Attach the file.)
Topics:

• Political-Legal Environment (external scan)
• Legal & Regulatory Drivers for Information Security Policies, Plans, & Procedures
• IT Security Standards & Regulatory Compliance

This week, we begin with a scan of the external, political-legal environment which impacts the practice of information security (CSO Staff, 2012; Whitman & Mattord, 2010). Next, we turn our focus to four specific federal laws which contain information security mandates: the Federal Information Security Management Act (FISMA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX). These laws apply to specific types of information and require specific actions / security controls to protect that information.

Many laws contain language which requires regulatory actions on the part of the Executive branch of the federal government. These actions frequently result in the issuance of “rules” containing implementation guidance. In the “Regulatory Environment” section of this week’s readings, you will find information about three rules which contain information security mandates (requirements) for personally identifiable information:

• HIPAA Security Rule (45 CFR Part 160, https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-part160.pdf, and Subparts A and C of Part 164, https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-part164.pdf)
• PCI-DSS
• Fair Credit Reporting Act “Red Flags” Rule (preventing identity theft)
• FTC Safeguards Rule (GLBA Compliance)

In addition to federal laws, industry “governance” bodies may also issue security standards which serve as a form of regulation. The PCI-DSS standard is a form of regulation which applies to the payment card industry. This industry consists of companies who process payment card transactions. The PCI-DSS standard also applies to organizations that accept payment cards for financial transactions.
The major assignment due this week is Project 1: Employee Handbook (IT Security). For this assignment, you will write an executive summary (to brief the reviewers about the policies) and three short policies which inform employees about their responsibilities with respect to:

• Acceptable Use Policy for Information Technology
• Bring Your Own Device Policy
• Digital Media Sanitization, Reuse, & Destruction Policy

    Employee Handbook

    Acceptable Use Policy

    Overview

    The company provides a wide range of computing and networking resources for all employees currently working at the company. Access to networks, computers and computing environments that are registered and maintained by the company, therefore, becomes a privilege that comes with certain responsibilities and obligations (Siau et al., 2002). Each employee is expected to act in compliance with the policy guidelines, both individually and collectively, and to observe strict use of these guidelines in daily operations.

    Purpose

    To secure employee resources in the company and to promote best practices in the application and use of information technology resources.

    Scope

    • The policy shall apply to all employees who are currently on the company’s payroll.

    Policy

    • Users are prohibited from accessing, downloading, uploading or storing illegal content on the company’s systems.
    • No employee will be allowed to store, send or trade in any form offensive material, except for work-related research.
    • Employees may only access the company’s custom-made company website.
    • It is illegal to attempt to guess other users’ passwords.
    • Restricted areas of the website shall remain as such and should be avoided.
    • All employees must log off the system at any time when they are not working with the system.
    • All passwords and access codes will be issued by the company’s information technology systems manager.

    Bring Your Own Device Policy

    Overview

    This document provides guidelines on the application and conduct of employees currently employed by the company for the use of personal devices at work to access the company’s information technology environment (Caldwell et al., 2012).

    Purpose

    This policy is aimed at ensuring that the integrity and the security of the company’s information technology systems are not compromised.

    Scope

    This policy is meant for all employees who are currently employed by the company, including senior management staff.

    Policy

    • Employees are allowed to bring their own devices to work only with the knowledge of the systems managers.
    • No employee is allowed to connect or use their devices to log in to the system without the express authority and supervision of a systems manager.
    • For security purposes, all devices brought in from outside must be password protected. The password protocols provide that all passwords must be more than six characters, containing letters, numerals, and symbols for hardening.
    • Using company time for personal browsing and research at the company’s expense is prohibited.
    • Camera and video functions of private devices should not be activated at any time the user is connected to the company’s network.
    • Only Android-supported devices will be allowed.

    Digital Media Sanitization, Reuse, & Destruction Policy

    Purpose

    This policy aims to provide guidelines about the proper sanitization, disposal and destruction of electronic media at the company (Golubić & Stančić, 2012). These measures are necessitated by the need to protect both the company’s employees and the sensitive data of the organization. Improper sanitization may put both the company’s information systems and its employees at risk of unnecessary loss.

    Scope

    The policies and guidelines contained herein shall apply to all employees alike, including those in senior management positions.

    Policy

    • Print and other physical media will be disposed of as follows:
        • Shredding will be done using cross-cutters.
        • Shredding will be supervised by a specially appointed official.
    • Private contractors will be consulted to handle the disposition and destruction of electronic media. This is because procedures such as degaussing and overwriting require specialized input.
    • All employees, including senior management members, are not allowed to destroy, dispose of or attempt to sanitize electronic system media without authorization.

    References

    Caldwell, C., Zeltmann, S., & Griffin, K. (2012, July). BYOD (bring your own device). In Competition Forum (Vol. 10, No. 2, p. 117). American Society for Competitiveness.

    Golubić, K., & Stančić, H. (2012, June). Clearing and sanitization of media used for digital storage: Towards recommendations for secure deleting of digital files. In Central European Conference on Information and Intelligent Systems, 23rd International Conference.

    Siau, K., Nah, F. F. H., & Teng, L. (2002). Acceptable internet use policy. Communications of the ACM, 45(1), 75-79.