This report is an Information Security Policy for Millers Corporation. The organization is based in Seattle and is involved in shoe making. Most recently, the organization has been a victim of a cyber attack that led to the compromise of personal private information of its customers, such as social security and credit card numbers. The security policy has been divided into various sections, which include the organizational strategic governance framework, business continuity policy, risk assessment policy, resilience policy, the integrated resilience management model and system, threat identification, competitor and marketing analysis, and the governance and regulation compliance decision-making process.
Key words: standards, procedures, and guidelines
Executive Summary
Based in Seattle, Millers Corporation is an organization that specializes in shoe making and local and international supply. The organization has 100 employees. Recently, Millers Corporation became a victim of cyber-crime that resulted in the compromise of personal information that had been stored in the organization’s database system. The compromised information includes social security numbers as well as credit card numbers. Following the breach of data security, the management elected me to develop an IT security policy with a decision-making framework that is based on ethical leadership models. This report is an IT security policy that is partitioned into various sections, which include the organizational strategic governance framework, business continuity policy, risk assessment policy, resilience policy, the integrated resilience management model and system, threat identification, competitor and marketing analysis, and the governance and regulation compliance decision-making process. Each of the sections of the IT security policy is based on standards, procedures, and guidelines. Their definitions are explained in the report.
Background
Cyber-attacks that result in the compromise of data security, as well as data loss, can be prevented if the targets are well prepared. One of the ways organizations can be adequately prepared to counter cyber threats and attacks is through the formulation of concrete IT security policies. Furthermore, the increasing technological and economic developments have led to the rise of interdependencies in companies. An optimized organization’s network is based on information technology that is vulnerable to numerous cyber attacks and risks. Regardless of the reason these cyber attacks took place, which could range from end user errors to weak passwords and authentication, one aspect of cyber security that must be addressed is the stronger security and additional security layers that can only be achieved by a well-formulated IT security policy. While developing the security policy, ethical leadership models for decision making should be taken into consideration. Ethical leadership, at its core, is centered on respect for ethics, values, and the rights and dignity of others. Concepts such as integrity, honesty, accountability, and trust are critical in ethical leadership. For Millers Corporation, a strategic-level transformational ethical leadership model is needed to develop the IT security policy to curb the current cyber-security issue as well as prevent its recurrence in the future.
Organizational Strategic Governance Framework
The design of an organizational governance framework is the first step in the development of the information technology security policy. Both leadership and governance are critical for the success of any organization. Prior to the integration of information technology (IT) in the modern business environment, the operations of many organizations were dependent on corporate governance. The inclusion of IT, however, has seen organizations adopt governance in alignment with it. Furthermore, the alignment of the IT policy ensures that the organization’s operations still remain in line with its overarching goals and objectives (Maymi et al., 2017). Among the factors that should be taken into consideration are the structure of the organization, its leadership, and its culture. The senior management should ensure that the organizational strategic governance framework is well orchestrated to counter current and future attacks.
Considering the alignment of the information security to the overarching goals of Millers Corporation, below is a presentation of the organizational strategic governance framework. The framework is dependent on standards, guidelines, and procedures that take into consideration ethical models of leadership.
Standards - a detailed written definition for hardware and software and how they are to be used. Standards ensure that consistent security controls are used throughout the IT system.
Procedures - written instructions for how to use policies and standards. They may include a plan of action, installation, testing, and auditing of security controls.
Guidelines - a suggested course of action for using the policy, standards, or procedures. Guidelines can be specific or flexible regarding use for each policy discussed.
Standards
Millers Corporation has numerous sets of hardware and software. For hardware, the standards provided represent the minimum standards that will enable the efficient operation of the system. To begin with, the company has a rule that requires the purchase of laptops and computers that have been on the market for no more than three years. This will enable the organization to stay up to date in terms of hardware. The organization also has two major workstation domains. A workstation domain is where staff, or rather users, are able to connect to the network system of the organization. Other devices include a personal digital assistant and several smartphones owned by Millers Corporation. For the software, the systems primarily run on the Microsoft Windows operating system. The OS is up to date with the latest version, Windows 10, and the 2019 server. Both the hardware and software standards help ensure that there is compatibility. Transformational leadership is also used to ensure that the standards for the software and hardware are not compromised, in order to maintain data integrity and confidentiality.
Procedures
Access to computers and the network at Millers Corporation is a privilege which imposes responsibilities and obligations on end users. The objective of these procedures is to ensure a secure, available, and responsive cyber security environment. Any procedure at the organization is dependent on the policies of the company. These policies were decided upon following the leadership at the organization. The core policies governing the organization include the Acceptable Use Policy, Disaster Recovery Policy, Data Governance Policy, and Privacy Policy. The interconnectedness of these policies is critical for the procedural framework at Millers Corporation. These policies apply to all staff of Millers Corporation, from the highest to the lowest level in the leadership hierarchy. As a staff member at Millers Corporation, the organization provides access to certain computer systems, servers, hardware, and databases. Based on the transformational leadership style at the organization, each employee is entrusted with the company’s passwords and database systems on the first day at work. The company holds the belief that this creates a sense of responsibility and accountability, which are the tenets of ethical leadership. In turn, the employees are held responsible for awareness of the regulations and policies that apply to the appropriate use of the organization’s technological resources.
Guidelines
Guidelines are critical for adherence to the policies that have been developed and enforced in the organization. Guidelines at Millers Corporation are dependent on compliance with the policies. All staff and stakeholders alike are expected to adhere to policies, authority, and the ethical decisions made for the organization. The company has an Agreement to Compliance Form (ACF) that every member is expected to sign upon being hired by the organization. The decision to have the form was arrived at following studies of various data security breaches in other organizations. According to research, various organizations have suffered data breaches caused by their internal staff or even former employees. The guidelines bind employees, which consequently makes them responsible and accountable in case they are involved in a breach of the organization’s critical information, such as credit card and social security numbers.
Business Continuity Policy
A business continuity policy is critical, especially in a scenario such as this one, where the privacy of social security numbers and credit cards has been compromised. The importance of the business continuity policy stems from the need for continued manufacture and supply of shoes even amidst the crisis. Haidzir, Othman & Mammi (2018) reveal that a business continuity policy reduces the downtime for an organization. Trim & Lee (2016) define a business continuity policy as a well-documented set of standards and guidelines that enable the organization to resume normal operations in the event of major disruptions such as natural disasters or malicious attacks by cybercriminals. With the overarching goal of resuming operations, the business continuity policy is based on the guidelines, standards, and procedures below.
Standards
The business continuity policy covers all IT assets and applications that are owned and utilized by Millers Corporation. Also, the business continuity policy shall be made up of plans for each service. A key standard for business continuity is the availability of a secondary data backup site. This will enable the organization to continue the delivery of its products and services even amidst the crisis. The site holds customers’ private information such as credit card numbers, social addresses, contacts, and social security numbers, among others. As such, the availability of these forms of data at the secondary site has made business continuity possible even amidst disruptions.
Procedures
In case of an event, priority is given to the safety of employees. Procedures outline the kind of actions that should be considered in the case of an event. According to Buchler et al. (2018), teamwork is critical for the completion of tasks that involve more than a single individual. Needless to state, in the case of a cyber security event, all employees are expected, as outlined in the procedures, to work in collaboration. The effectiveness of teamwork is dependent on factors such as leadership and decision-making. Navigating the challenges posed by cybersecurity requires considerable interaction among team members and cyber analysts to monitor, report, and safeguard critical data. Leadership is also critical to facilitating the resolution of problems as well as making the appropriate decisions in the case of a disaster. In the case of physical disasters, the executive team will be expected to base their decisions on the rescue of their staff. In the case of a cyber incident such as the current one, priority is given to the secondary site that acts as a backup plan.
Guidelines
At their core, guidelines form the basis on which senior management defines the objectives of the business continuity policy, depending on its goals and alignment with the goals of the organization. At a minimum, the business continuity policy must be documented and responsibility assigned to each corporate member. The business plan must also be in alignment with the risk management objectives and goals of the organization. Also, the business continuity policy document shall be under the control of management. Generally, the guidelines define the decisions to be made by management and their delegation of the tasks that members have to undertake in the event of a cyber attack, such as the one that has caused the company to operate from the secondary site.
Risk Assessment Policy
The U.S. Department of Homeland Security’s definition of risk is well accepted. Trim & Lee (2016) define risk as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. Inherently, risk assessment is the method used in the formal examination of hazards that could be harmful to people and businesses, eliminating the redundant ones and giving the most important ones priority in terms of the need for attention. Below are the standards, guidelines, and procedures for the risk assessment policy at Millers Corporation.
Standards
The risk assessment standards used provide guidance regarding the assessment of loopholes that pose a risk to the organization, and whose timing and nature are responsive to the risks that have been assessed. The risk policy covers all electronic data that is owned by Millers Corporation and the individual data of its employees. According to the managerial team in the organization, all information systems are expected to be assessed for risks on a quarterly basis. This is regardless of any changes, or the lack of them, that have been made in the organization. Research reveals that when organizations undergo changes, particularly those involving the executive team, the new leaders are likely to forget some practices such as auditing for risks (Barafot, Mesquida & Mas, 2017). With a risk policy in place, however, the organization is expected to be periodically audited to identify risks and vulnerabilities.
Following the identification of risks, the policy requires sifting through them to identify those that require prioritization and to eliminate the redundant ones. Risks then have to be mitigated within the shortest time possible. The mitigation of risks ensures that further damage is not caused in the case of a cyber-attack. Also, it ensures that the loopholes are sealed to prevent the occurrence of such, or even worse, events in the future. Security control plans also have to be put in place. In the case of a breach of private information, for instance, the executive team has to decide on the responsibility of each member. One of the ways transformational leadership can be applied in the risk assessment policy is by having room for delegation (Kohan, Safari & Teimouri, 2018). In particular, the heads of departments in the organization are responsible and held accountable for frequent risk assessment. This will make it possible for the executive team to manage the entire organization as opposed to being directly involved in each department.
Procedures
Within the policy is a set of procedures that have been outlined on how to assess risks within the organization. The first step is to observe the workplace area overall and address the individual areas and equipment systematically. The next step is to decide who is likely to be harmed by the identified risks, to what extent, and how. Depending on the findings, an evaluation is done on the existing hazards to determine the adequacy of the measures in place.
Guidelines
Notably, the procedures in place are carried out by a particular team that will be appointed by the top management team. The team has to be composed of members who are honest with their findings and committed to upholding ethics when it comes to protecting private data. Depending on how severe each risk is, the team identifies the potential impact and magnitude it could have on the organization.
Resilience Policy
Generically, resilience is the ability of a system to recover from an event and maintain dependability when faced with faults. In recent years, cyber resilience has emerged because of the inability of traditional cyber security measures to protect against the risks of cyber-attacks and ensure that the entire organization is not demobilized. The presence of a resilience policy for Millers Corporation will enable continued operation even amidst the breach of data on credit card numbers and social security numbers. The standards, guidelines, and procedures below have been developed by the organization for its resilience policy.
Standards
The foundation of the resiliency policy at Millers Corporation is anchored on four major principles. These include centering cyber resiliency on highly valued assets, placing people at the center, integration into innovative programs, inclusion of vendors and suppliers, and availability of lean and efficient governance structures.
Centering on Highly-valued Assets
Millers Corporation has centered its resilience policy on the prioritization of its crown jewels. These are the most critical information assets such as customers’ private information which when compromised can undermine the business as well as its ability to operate amidst the cyber-attack event. Research reveals that in the modern business environment, digital assets are at the heart of most enterprises and have product offerings that are highly valued by customers (Nowduri, 2018). As such, the resiliency policy should be such that it actively supports the highly-valued assets.
Placing People at the Center
At Millers Corporation, the resilience policy should be based on people as opposed to technology. The creation of deeply entrenched beliefs that the protection of the organization from cyber threats is the responsibility of all staff members, including the board of directors, creates a sense of accountability. Consequently, this transforms the attitudes of employees as well as their behaviors. The resiliency policy transcends technology, since the real work of preventing cyber-attacks in the future, as well as mitigating the current event, takes place in business teams and is underpinned by shared norms and values. Embracing the precepts of the resiliency policy will form a culture for protecting the organization from future attacks.
Integration into Innovative Programs
The integration of the resilience policy into innovative programs is also critical for the organization. With such innovative programs, the organization will be diligent regarding the decisions it makes as it embraces disruptive and innovative technologies. The resiliency policy will also ensure there are secure capabilities that will keep up with the constantly changing technological environment.
Implementation of Risk-based Assurance Programs with Vendors and Suppliers
In the fast-paced business environment, there is a need to partner with external suppliers and vendors. This will facilitate easy access to innovative solutions and enable the organization to focus on differentiation, hence creating a competitive advantage. The implementation of assurance programs is essential for the company’s resilience.
Availability of Lean and Effective Governance Structures
Millers Corporation recognizes that leadership is essential for driving transformational change within the organization. The top management team has unwavering support for the organization’s programs that are oriented towards cyber security. Through role modelling of expected behaviors and upholding virtues such as data integrity, maintaining confidentiality, and adherence to the policies of the organization, the management team has set an example for fellow employees. Finally, the resilience policy has been embedded into the culture of the organization, making it an integral part of decision-making.
Procedures
With the standards for the resilience policy in place, the next step in the policy is a procedural framework. Usually, the first step is educating the employees of the organization about the policy and the importance of compliance. Creating awareness is important because the training instills in employees a sense of responsibility (Peltier, 2016). After employees have been enlightened on the resilience policy, a hands-on simulation drill is conducted to help strengthen the resilience policy. The exposure of employees to simulation drills will create a sense of awareness that is critical for the resiliency policy (Limba et al., 2019). Also, the organization should ensure not only documentation, but also regular updates of the resilience policy.
Guidelines
Internationally, organizations, regardless of their size, are required to have in place a policy that ensures their ability to recover from disastrous events. The guidelines outline the importance of having the resiliency policy as part of the culture of the organization. Furthermore, the resiliency policy underpins the entire process. Regulators of the resiliency policy should be focused on overall accountability, oversight by the board of directors, and the frequency of internal audits. Stakeholders and staff alike want to see that even the board of directors has the necessary understanding of the cyber risk profile of the firm and is active in overseeing any challenges to the resiliency strategies.
Integrated Resilience Management Model and System
The integrated resilience management model, at its core, is intended to align the resiliency policy for implementation at the organizational level. With the interconnected nature of the IT infrastructure at Millers Corporation, risks can be anticipated from both internal and external stakeholders. As such, the integrated resilience model is critical for well-written procedures as well as policies. The model integrates the various components of the information technology security policy, such as compliance, creation of awareness, and the regulations that should be adhered to. The management of accounts and passwords, and the control of integrity, for instance, are critical in accessing the various components of the database system. Below are the standards, guidelines, and procedures that are well detailed to ensure that the resiliency model meets expectations.
Standards
The core purpose of these standards is to ensure the confidentiality, integrity, and availability of information systems and critical data. Through these three tenets, the privacy and security of data is not compromised. With the current cyber-attack, it is evident that there were external and internal loopholes that the organization was not aware of that resulted in the event. As such, these standards will ensure that data integrity is maintained henceforth. To begin with, the organization has set out a minimum requirement of educating its employees on threats and how to mitigate them. The well-documented plan is to ensure that there is annual training of employees regarding the cyber security culture of the organization and how to identify and mitigate risks. The creation of security awareness is critical for the prevention of data security breaches. Among the topics employees are trained on are avoiding the use of laptops on public Wi-Fi, using strong passwords, and scanning hardware such as USB and flash disks before inserting them into the ports of the system. Awareness of these standards will help in the overall goal of compliance with and adherence to policies.
Procedures
The integrated resilience management model is based on the various policies that have been laid out by the organization. From the standpoint of the company’s resilience, the most important are the Business Continuity Policy, Data Governance Policy, and Privacy Policy.
Business Continuity Policy
As highlighted earlier, the business continuity policy provides the staff with procedures on how to mitigate a cyber-attack. The policy clearly defines the role and responsibility of every staff member and the priorities that are accorded in the event of a cyber-attack.
Data Governance Policy
The purpose of the Data Governance Policy includes:
Establishing appropriate responsibility among the staff of Millers Corporation for data as an organizational asset.
Enabling ease of access and ensuring that users are knowledgeable about the data and are able to interpret it consistently and correctly.
Improving the security of the data, including protection from breach and loss, and upholding confidentiality.
Enhancing the integrity of data, resulting in the accuracy, timeliness, and quality deemed necessary for making critical decisions for the organization.
To achieve the above objectives, the Data Governance Policy provides staff with the procedures to follow to ensure that data integrity, confidentiality, and availability are upheld. Further, the policy defines the responsibility of each staff member when it comes to the use of IT resources such as workstations, LAN and WAN domains, firewalls, network devices, and antivirus. According to the policy, each user should ensure they are using updated hardware and software. The senior management has the responsibility of ensuring that updates are done regularly to enhance the process of data governance.
Privacy Policy
In the complex business environment, where most actions are dependent on the data that businesses collect and store, the protection and privacy of that information becomes increasingly important. As such, the data privacy policy is critical. The Privacy Policy at Millers Corporation is a legal document that states how the company collects, handles, and processes data. Millers Corporation is committed to protecting the privacy as well as the confidentiality of the personal information of its employees, business partners, and customers. The organization’s guidelines support this commitment to protecting personal private information.
Guidelines
The guidelines for the integrated resilience model and system are dependent on the practices of the cyber security industry to ensure that confidentiality, integrity, and availability are maintained, or rather are not compromised. In addition, employees are encouraged to follow the example of the senior management when arriving at the decisions that best favor the interests of the organization. Also, the transformational model of leadership is encouraged so that staff are able to uphold virtues such as integrity and honesty. The transformational leadership model is implemented from the highest to the lowest level in the organizational hierarchy. The guidelines set the minimum standards and are a guide for all people involved with the operations of Millers Corporation. Millers respects the privacy of its employees and requires even third parties, ranging from vendors and suppliers to service providers, to do the same.
Threat Identification
The prevention of data breaches that compromise the integrity and confidentiality of information has become a daunting task for organizations in an era where systems are interconnected by the Internet (Palomares, Kalutarage, & Huang, 2017). Millers Corporation is no exception, especially after the recent cyber attack where social security and credit card numbers were compromised. Below are the standards, guidelines, and procedures for identifying threats that could lead to cyber incidents in the future:
Standards
The process of threat identification has to involve all the computer resources owned by the organization. Resources that have to be checked for threats include hardware such as workstations, smartphones, and laptops among others. The software will also be scanned to check for malware that could pose a threat to the security of data in the database system of the organization. The organization has put in place a committee that will identify cyber threats for Millers Corporation.
Procedures
With a complete list of threats, the procedural framework lays out the necessary actions to be taken. The first step would be for the IT team to break down the threats into components that affect the organization’s functionalities that have been prioritized. These include personnel and administrative functionalities that could result in breach of data security and privacy for security gains.
Guidelines
Threat identification is a process that is guided by the security culture of the organization as well as its policies. Among the guidelines most important to the organization is ensuring that only authorized devices and software are given access and installed. Those that are not authorized should be regarded as a threat to the security of the organization. The process of threat identification is also guided by the requirements of the industry.
Competitor and Marketing Analysis
With the growth of the global cyber security market, other sectors have similarly achieved tremendous growth. As such, there has been fierce competition in the market. Millers Corporation faces competition from other shoe manufacturers in the U.S. and across the global market. The guidelines, procedures, and standards below are the basis for competitor and marketing analysis for the organization.
Standards
The standards for the competitor and marketing analysis at Millers Corporation are based on the availability of resources to carry out the process. For instance, the website of Millers Corporation is to be used to determine the number of people that visit the site daily, monthly, weekly, and even annually. This is critical as it reveals the kind of messages left behind by reviewers of the company’s messages and products, and any attempts made by competitors to breach the organization’s information and security policy.
Procedures
The organization should have in place social media personnel who monitor how competitors in the industry are using the web to run and monitor the market space. The first step would be to develop an analysis of the web and develop a strategy that will protect critical information of the business in the future. Other procedures include:
Mapping out competitors and reviewing each website.
Using data analysis to comprehend the average number of people that visit the site.
Identifying the kind of messages on these websites and attempts by competitors to breach information security and privacy.
Guidelines
Based on the security culture of the organization, the IT team should record and document how competitors are using the web to get more customers. Also, there should be education of the employees regarding the imminent dangers of failing to protect private and personal information of employees. The organization should consider updating the digital content on its website. Also, a SWOT analysis that identifies the strengths, weaknesses, opportunities, and threats will be handy in conducting a competition/marketing analysis.
Governance and Regulation Compliance Decision-Making Process
At its core, governance and regulation compliance refers to a strategy aimed at managing overall governance, risk management, and compliance with regulations. The entire process is aimed at aligning IT with the objectives of the business, the leadership, and effective risk management to enable meeting the requirements for compliance. The guidelines, standards, and procedures below form the basis for Millers Corporation’s governance and regulation compliance decision-making process.
Standards
The culture of accountability and responsibility is the core standard for the decision-making process. In the event of a cyber incident, the organization is expected to make decisions to mitigate the event based on the governance framework in place. For instance, at a minimum, it is in the culture of the organization to ensure that the executive team is notified of the event prior to making decisions. This will allow for the flow of information from the upper to the lower hierarchies in the organization and vice versa. The availability of information will in turn enable compliance with the policies of the organization and also make decision-making easier. Also, based on international standards in the industry, organizations are expected to
Procedures
Awareness of the constantly evolving technologies should be created. This can be done through educating staff and employees alike. Also, there should be outsourcing of advice from external organizations. Due to the numerous issues revolving around cyber security and the decisions that have to be made, outsourcing is critical for the decision-making process (Osborn, Simpson & Loukas, 2017). Hierarchy is also critical in governance, compliance, and the process of making decisions. As such, the transformational leadership model should be integrated to ensure that employees observe the rules and hierarchies while making decisions for the organization. Besides, compliance ensures that employees work as a team rather than individually in mitigating cyber security incidents.
Guidelines
Unless the executive supports the cultural change in the organization, compliance, governance, and decision-making may not be enough to realize change at Millers Corporation. Therefore, the support from the executive team can take the form of setting out who does what in specified disastrous events. Also, the speed at which decisions are made is a guideline. A quick response in tackling the situation is critical for preventing the attack from causing further damage to the system. For these reasons, the executive team should base their leadership on virtues such as trust. This will create a strong foundation for compliance with policies as well as a ground on which the governance of the organization is possible.
Conclusion
In conclusion, the above information security policy will enable Millers Corporation to mitigate the recent cyber-attack as well as prevent future occurrences of similar events. As highlighted in the paper, a concrete information security policy with the various components that have been extensively discussed, based on their standards, guidelines, and procedures, is critical for mitigating threats in the current business environment. Although the implementation is challenging and intriguing, it will in the long run be beneficial for the cyber environment of Millers Corporation.
References
Barafot, B., Mesquida, A. L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54, 176-185.
Buchler, N., Rajivan, P., Marusich, L. R., Lightner, L., & Gonzalez, C. (2018). Sociometrics and observational assessment of teaming and leadership in a cyber security defense competition. Computers & Security, 73, 114-136.
Haidzir, H., Othman, S. H., & Mammi, H. K. (2018). Evaluation of Business Continuity Plan Maturity Level Using Business Continuity Maturity Model. International Journal of Innovative Computing, 8(1).
Kohan, N. A., Safari, A., & Teimouri, H. (2018). Friendship, transformational leadership and organizational climate. Human Systems Management, 37(3), 319-331.
Limba, T., Plėta, T., Agafonov, K., & Damkus, M. (2019). Cyber security management model for critical infrastructure.
Maymí, F., Bixler, R., Jones, R., & Lathrop, S. (2017, December). Towards a definition of cyberspace tactics, techniques and procedures. In 2017 IEEE International Conference on Big Data (Big Data) (pp. 4674-4679). IEEE.
Nowduri, S. (2018). An Attempt to Understand Cyber Security Management Process. Archives of Business Research, 6(5).
Osborn, E., Simpson, A., & Loukas, G. (2017). Risk and the Small-Scale Cyber Security Decision-Making Dialogue: A UK Case Study. The Computer Journal.
Palomares, C. I., Kalutarage, H. K., & Huang, Y. (2017). Data analytics and decision support for cybersecurity: Trends, methodologies and applications. Cham: Springer International Publishing.
Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. Boca Raton: Auerbach Publications.
Trim, P., & Lee, Y. I. (2016). Cyber security management: a governance, risk and compliance framework. Routledge.