Running head THE POLICY ISSUE AND THE ACTION PLAN 9
Introduction
As our company continues to record substantial growth, the management has decided to improve on the current Employee Handbook in a bid to review the policies through Policy Issue and Action Plan. This review is done in line with the current Information Technology Security Action Plan as advised by the Federal Governments Action Plan and will be addressed in this meeting, focusing on the duties and responsibilities of each employee. The briefing will detail the contents of the Acceptable Use Policy for the Information Technology, Bring Your Own Device Policy, and the Digital Media Sanitation, Reuse, and Destruction Policy. All these will be the guiding principles for all of us as we continue working towards the prosperity of the company. They are aimed at curbing the growing insecurity in the Information Technology through abuse of the internet, lack of confidentiality, and spread of malicious information. Therefore, all of us are required to follow the guiding principles and avoid the disciplinary actions that may result from negligence of any of the policy statements.
The Acceptable Use Policy for the Information Technology Systems
The Executive Summary
The first policy document will involve the Acceptable Use Policy paper that will contain the policies that secure use of Information Technology. The document deals with methods that will ensure that the five pillars of the IA and the pillars of information security are well addressed (Reynolds, 2010). In details, the file will contain the overview, the scope, policy statements, and the enforcement practices that the company must abide. In the overview, for example, the company intends to prioritize on the policies that highlight the proper use of electronic and network devices in a way that suits the traditions and expectations of the company. It is the responsibility of each of the staffs to ensure compliance with the devices to avoid fatal legal issues. The scope of the policy ranges from all the employees, consultants, contractors, or any other third party user and includes assets either owned or leased by the company (Reynolds, 2010).
The Policy Statement
Most important in the Acceptable Use Policy is the policy statement which details the responsibilities aimed at securing the information and technology systems. As employees and stakeholders in the business, you are required to maintain high standard judgement when handling these devices and follow the stated guidelines and policies. No unauthorized personnel are entitled to interfere with the devices, especially when they deal with security, maintenance, or compliance.
One of the key areas addressed by the policy statement is the System Accounts. Everyone working under the accounts department is responsible for securing financial data by securing the passwords, both in the system level and the user (WhatIs.com, 2016). It is in line with the password policy. Besides, the proprietary information on both personal and company level remains controlled through technical or legal means. The use of links or contacts such as the e-mail strictly prohibited at all levels.
The computing and network assets are also pointed out in the statement. The following care standards are advised; protect the computers and all their appliances, lock all the laptops after use, especially those that are left at the premises overnight, and report any losses or theft. Protecting the devices’ screensavers with passwords is also advised. You must as well make sure that the minimum access policy is observed in those devices that connect to the company’s network (WhatIs.com, 2016). The security system software or the corporate device management must not be interfered. For the network use, everyone is supposed to protect any form of a security breach or disrupting any service. The prohibition will include the introduction of honeypots or honey nets types of technology. You must also be aware of the violation laws that are detailed in the copyright laws, software exportation or importation in line with the international export control and the local laws. Strict measures will be enforced to anyone who introduces malicious codes such as e-mail bombs, viruses, worms, Trojan horses, or the like (WhatIs.com, 2016). The Information Security organ is the only party entitled to authorize port or security scanning.
Finally, the electronic communications has spelled out the following prohibitions. The use of communication means that supports illegal activities or violates confidentiality or proprietary data is prohibited. Spam must not be sent from the company by any electronic means. Other measures involving communication includes; suppression or replacement of another user’s identity, forgery, obscuring information, posting of similar non-business-related messages, and sending messages against the company’s policies, especially through IP or e-mail (WhatIs.com, 2016).
All the above regulations must be abided to, failure to which, any employee risks a disciplinary action. This may include termination of job for the employees or termination of contract for the vendors and the contractors.
Bring Your Own Device Policy
Executive summary
For a successful control of security, issuance, and control of information technology in our company, the company has put in place the set standards in the Bring Your Own Device Policy. This policy applies to all non-situationally electronic devices that can record, store, record, and transmit information in form of messages, voice, video, or images. They range from cellular or satellite phones, tablets, secure tokens, to laptops and all the related peripheral and storage media. The policy is developed in line with the Federal Information Security Management Act. You have to note that it also covers the personally owned information technology devices that can access the company’s network and security code. Therefore, the policy must be clearly understood and followed by all the employees, contractors, trainees, and volunteers. The CISO is charged with overseeing and directing all the security control measures.
The roles and responsibilities
A. The Chief Information Security Officer
He or she will be responsible for approving all procurements of the IT devices are done in accordance to the policy statement. He must ensure that they are functional and will accomplish their mission and operations within the security of the staff as well as the volunteers. Besides, he must offer administrative support which will include maintaining an inventory of the security machines, an inventory of the licenses involving the company’s software which is installed in any personally owned device. Also, he will oversee the security configuration, monitor the daily activities for compliance, and develop a remote access and the user guide for every IT section (Daft, 2011).
B. The Supervisor
All the supervisors, especially those who deal with IT devices must ensure that they comply with the managerial regulations as per the remote access and the mobile IT guide. They must also approve and sign all the agreement forms for all device users (Daft, 2011). In cases of theft or damages, supervisors must report immediately and confirm the issue to the relevant personnel.
C. Users
There are two categories of users. One of the groups includes those who use the company owned devices. They must sign the Device Agreement Form and the Remote Access Form. Once assigned, they must operate them in accordance with the Compliance Policy, the Federal Requirements, Remote Access, and the IT Guide. They are restricted from using the appliances for personal information, accessing any information to unauthorized people, and careless handling during travels (Daft, 2011). Besides, they must report any loss or damage to their supervisors, or in case a device becomes non-functional.
Secondly, those users using their devices are expected to comply with the regulations by not altering any of the security key features and reimburse the CISO in case of any charges that may be incurred above the established costs. Their devices are supposed to be used for only official government functions while personal use is limited. In the same way, the losses must be reported to the supervisors and reimbursement processes be done, but only if the supervisors approves.
All in all, all these Policies must be complied upon the date of issuance. The Bring Your Own Device Policy have been in use in the recent security procedures that are aimed at securing the Information Technology systems as these systems are at the verge of destruction (Daft, 2011). Therefore, all of us must abide to the policies, effective from the date of approval.
Digital Media Sanitization, Reuse, and Destruction Policy
The Overview and Scope
Media sanitization and destruction policy gives proper guidelines on the disposal of physical and electronic media. The rules and deadlines are vital in protecting the agency’s information, employees and the organization. Poor disposal of the agency’s information and data in the electronic media may put employees of this agency at risk. The media sanitization and destruction policy covers the agency, contractors, the employees, the temporal staff and other workers at the agency who have access to the data and the information systems. This group of people must be well trained on data handling and disposal to avoid unnecessary leakage of the agency’s information to an authorized people. The policy also covers the type of equipment that is responsible for recording, storing as well as transmitting LEIN and classified and any other sensitive data that the company owns or leases.
The regulating policies
It is advisable for information technologists to properly dispose of hard drives, ribbons, and other materials used to process and store CJI. To ensure safe disposal of sensitive data, proper disposal has to be done by following the guidelines provided by our agency. The measures established by the agency on data disposal will have to be followed by all the employees responsible for data and information disposal (Whitman & Mattord, 2011). Our agency has come up with proper disposal measures both for physical and electronic media. According to these measures, physical media such as print-outs shall be disposed using the following methods: Incineration using in our incinerator or incineration at the contractor’s site under witness by our representative if conducted by non-authorized personnel, shredded using our agency’s shredders or by placing them locked in shredded bins for cross-cutting by a private contractor witnessed by our personnel at our premises throughout the entire process.
Electronic media in our agency include hard-drives, copier hard-drives and flash drives among others. The following methods shall be applied in disposing electronic media, degaussing, overwriting and destruction. Degaussing; in this method, data is cleared magnetically from a magnetic media. There are two types of the degaussing method; electric magnet and strong magnet degausses. A strong magnet is required to clear data from a magnetic media. Overwriting: Overwriting is done at least over three times. This is the most effective way of erasing data from a magnetic media. Overwriting is a well-structured program that write 1s, Os, or a combination of both onto the actual position of the media where the data to be cleared is located (Whitman & Mattord, 2011). Destruction; this is the third method of destroying magnetic data. This method involves crushing and dismantling the magnetic media. The main aim of this method is to ensure that no data can be recovered again from the gadget after destruction. However, the remains of the destroyed gadget must be disposed of to avoid environmental pollution.
Penalties
It is important to note that the Information Technology Systems in our agency have been used to store, process and transmit FBICJI in our organization and thus shall not be released to any other party before the data has been cleared using the appropriate methods (Whitman & Mattord, 2011). Employees who violate the rules and regulations indicated in our policy shall face disciplinary actions based on the disciplinary committee findings. The disciplinary actions may include suspension or termination of the job contract. Therefore, I urge all employees to follow the policy accordingly and consult the management in case of any difficulties.
Conclusion
It is important for our company to instill discipline in the use of technology, a move that can only be possible through the use of the Acceptable Use Policy, the Bring Your Own Device, and the Digital Media Sanitization, Reuse, and Destruction Policy. The company’s management have found it necessary to develop and enforce the strategies to ensure the security of information regarding accounts, working procedures, the employee’s security, the contractors’ as well as volunteers’ welfare, and the general confidentiality. The internet and other technologically based services have for the recent years faced abuse and lack of privacy. As the CSIO and the company at large, we would like to maintain the standards of information being transmitted to and from our company. Therefore, we humbly request the employees and other affiliates to comply with the new regulations and help maintain the development agenda of the company and ourselves as well.
References
Daft, R. L. (2011). Understanding management. Mason, OH: South-Western Cengage Learning.
Reynolds, G. W. (2010). Ethics in the information age (3rd ed.). Boston, MA: Course Technology.
WhatIs.com (2016). What is acceptable use policy (AUP)? – Definition from WhatIs.com. Retrieved 28 June 2016, from http://whatis.techtarget.com/definition/acceptable-use- policy-AUP
Whitman, M. E., & Mattord, H. J. (2011). Roadmap to information security: For IT and InfoSec managers. Boston, MA: Course Technology/Cengage Learning.
