Legal Reg, Compliance, Invest. IT - Information security policy

1. Conduct an internet or library search to locate the information security policy for 2 colleges or universities.
Note: Consider searching for your own institution’s information security policy. As a student, you are responsible for knowing its contents.
2. Read each policy in its entirety.
3. Identify the first policy you selected and document whether it contains the following elements:
   1. Policy statement
   2. Rationale
   3. Who is affected by the policy
   4. Definitions
   5. Roles and responsibilities
   6. Compliance
   7. Related documents
   8. Policy contact
4. Identify the second policy you selected and document whether it contains the following elements:
   1. Policy statement
   2. Rationale
   3. Who is affected by the policy
   4. Definitions
   5. Roles and responsibilities
   6. Compliance
   7. Related documents
   8. Policy contact
Note: In this part of the lab, you will use your research from Part 1 to analyze the policies you selected.
1. Which policy was more complete or informative? Why?
2. As an end-user, which policy was easier to understand? Why?
3. For the first policy, what are your responsibilities for following the policy?
4. For the second policy, what are your responsibilities for following the policy?
Note: The following exercise is provided to allow independent, unguided work using the skills you learned earlier in this lab - similar to what you would encounter in a real-world situation.
You have been hired as an information security analyst at a small company called Astounding Appliances. Your manager asks you to help her create an information security training and awareness policy. The primary goal of the policy is to keep employees from responding to phishing attempts and other internet scams. Any policy that is created will have to be reviewed by legal counsel and other company stakeholders, so it is not important to get the language exactly right for the first draft. What is important, however, is to outline all of the main parts of the policy. Your manager wants you to prepare the first draft of the outline using the common policy elements headings.
Create an outline of an information security training and awareness policy.
Note: Phishing is a type of fraud where criminals attempt to obtain sensitive information or data via electronic transmissions (usually email) by pretending to be a trusted individual, such as a member of a company’s leadership or IT team.
