There are Various Approaches to Writing Cybersecurity Policy
Applying system strategies from an information security perspective rather than a system development perspective, would be an appropriate place to start when developing security policies. Incorporating an information security perspective with a top-down approach, one that is created and implemented by upper management, possesses the most effective strategy for securing networks. The information security perspective would be the stronger approach due to it beginning with the creation of policies and procedures.
After a cybersecurity professional develops information security policies and standards, they begin the process of creating an information security blueprint for a technical solution. The process includes quantitative and qualitative analyses, feasibility studies, and cost-benefit analysis. Security professionals in connection with upper management select the appropriate security model to implement at the company. I would implement the following solutions below.
Enterprise Information Security Policy
Enterprise information security policy is typically created in collaboration with the chief information officer, involves the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts. The executive-level document provides guidelines for the development, implementation, and management of security programs. I would implement this policy first in order to design a framework that will help the company remain in compliance with industry standards, and provide current and future solutions that correspond with the company’s goals and objectives.
Authorized Access and Usage of Equipment
Authorized Access and Usage of Equipment are policies that addresses who can use the technology and what it can be used for. This policy section defines “fair and responsible use” of equipment and other organizational assets and address key legal issues, including the protection of personal information and privacy. I would create this policy after conducting an inventory of company assets in order to inform employees on the appropriate use of technology, which will reduce the chance of human error leading to an exploit in the company’s network.
Systems Management
Systems Management is policy which focuses on the user’s relationship to specific rules influencing the daily operations of network systems, including the use of e-mail, the storage of materials, the authorized monitoring of employees, and the physical and electronic scrutiny of e-mail and other electronic documents. The policy assigns responsibility for each task to either the systems administrator or other users, and they work collaboratively to ensure they are in compliance with the policy. I think implementing this policy first will give employees specific responsibilities they can focus on during their work days, and inform them on which employees need to handle particular aspects of information security. The policy organizes staff and instructs all employees on what they can do to have a positive impact on information security.
Authentication
Information security professionals can also implement authentication policies regarding the effective use of passwords. All passwords, which are secret words or combination of characters that only the user should know, provide an appropriate level of authentication which gives employees access to the particular assets within a company. I would suggest that users create passwords that are 12 characters long, using a mixture of uppercase and lowercase letters, numbers and special characters. The longer and more diverse a password becomes, it increases the level of difficulty for threat agents to discover and use employee credentials for hacking into and damaging systems.