**CASE STUDY IS ATTACHED**
>>PLEASE DO NOT BID UNLESS YOU UNDERSTAND IT SECURITY AND CAN REVIEW, THEN TIE IN CASE STUDY INFORMATION<<
Project #2: Manager’s Deskbook
Company Background & Operating Environment
Use the assigned case study for information about “the company.”
Policy Issue & Plan of Action
The Manager’s Deskbook contains issue specific policies and implementation procedures which are required to mitigate risks to the company and to otherwise ensure good governance of the company’s operations. The Chief Information Security Officer (CISO) and key CISO staff members held a kick-off meeting last week to identify issue specific policies which should be added to the company’s policy system in the IT Governance category. The policies will be disseminated throughout the company by incorporating them into the Manager’s Deskbook. The required issue specific policies are:
1. Data Breach Response Policy
2. Preventing / Controlling Shadow IT Policy
3. Management and Use of Corporate Social Media Accounts Policy
4. Corporate Domain Name Management Policy
5. Website Governance Policy
For the purposes of this assignment, you will create a policy recommendations briefing package (containing an Executive Summary and draft policies) and submit that to your instructor for grading.
Note: In a “real world” environment, the policy recommendations briefing package would be submitted to the IT Governance board for discussion and vetting. After revisions and voting, a package containing the accepted policies would be sent to all department heads and executives for comment and additional vetting. These comments would be combined and integrated into the policies and sent out for review again. It usually takes several rounds of review and comments before the policies can be sent to the Chief of Staff’s office for forwarding to the Corporate Governance Board. During the review & comments period, the policies will also be subjected to a thorough legal review by the company’s attorneys. Upon final approval by the Corporate Governance Board, the policies will be adopted and placed into the Manager’s Deskbook. This entire process can take 9 to 12 months, if not longer.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft an issue specific policy for each of the identified issues. These policies are to be written for MANAGERS and must identify the issue, explain what actions must be taken to address the issue (the company’s “policy”), state the required actions to implement the policy, and name the responsible / coordinating parties (by level, e.g. department heads, or by title on the organization chart). After completing your research and reviewing sample policies from other organizations, you will then prepare an “approval draft” for each issue specific policy.
· The purpose of each issue specific policy is to address a specific IT governance issue that requires cooperation and collaboration between multiple departments within an organization.
· Each issue specific policy should be no more than two typed pages in length (single space paragraphs with a blank line between).
· You will need to be concise in your writing and only include the most important elements for each policy.
· You may refer to an associated “procedure” if necessary, e.g. a Procedure for Requesting Issuance of a Third Level Domain Name (under the company’s Second Level Domain name) or a Procedure for Requesting Authorization to Establish a Social Media Account.
Your “approval drafts” will be combined with a one page Executive Summary (explaining why these issue specific policies are being brought before the IT Governance Board).
1. Review NIST’s definition of an “Issue Specific Policy” and contents thereof (NIST SP 800-14 p. 14)
2. Review the weekly readings and resource documents posted in the classroom. Pay special attention to the resources which contain “issues” and “best practices” information for:
· Data Breach Response
· Preventing / Controlling Shadow IT
· Social Media
· Corporate Domain Name Management
· Website Governance
3. Review NIST guidance for required / recommended security controls
· NIST SP 800-53 Access Control (AC) control family (for Social Media policy)
· NIST SP 800-53 Incident Response (IR) control family (for Data Breach policy)
· NIST SP 800-53 System and Services Acquisition (SA) control family (Domain Name, Shadow IT, Website Governance)
4. If required, find additional sources which provide information about the IT security issues which require policy solutions.
1. Prepare a briefing package with approval drafts of the five IT related policies for the Manager’s Deskbook. Your briefing package must contain the following:
· Executive Summary
· “Approval Drafts” for
o Data Breach Response Policy
o Preventing / Controlling Shadow IT Policy
o Management and Use of Corporate Social Media AccountsPolicy
o Corporate Domain Name Management Policy
o Website Governance Policy
As you write your policies, make sure that you address IT and cybersecurity concepts using standard terminology.
Length requirement: The paper should be less than 10 pages, as each issue specific policy should be no more than two typed pages in length (single space paragraphs with a blank line between).
2. Use a professional format for your policy documents and briefing package. Your policy documents should be consistently formatted and easy to read.
3. Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.
4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
Executive Summary for the Policy Briefing Package 10 points
The Executive Summary provided an excellent summary of the policy package’s purpose and contents. Information about the case study company was well integrated into the summary. Each policy was individually introduced and clearly explained. The material was well organized and easy to read.
Data Breach Response Policy
Policy Introduction 10 points
The Data Breach Response policy contained an excellent introduction which clearly identified the policy issue and then addressed five or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments. The introduction clearly and concisely presented the major reasons why the company must have this policy.
Policy Content 20 points
The body of the policy provided an excellent description of the actions required to create and implement a data breach response plan. The policy identified the responsible parties, compliance requirements, and sanctions / disciplinary actions for compliance failures. Contact information is provided for questions about the policy. The policy was clear, concise, easy to understand, and appropriately organized.
Shadow IT Policy
Policy Introduction 10 points
The Shadow IT Policy contained an excellent introduction which addressed three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy.
Policy Content 15 points
The body of the policy provided an excellent description of the required actions, the responsible parties, compliance requirements including audits, and sanctions / disciplinary actions for compliance failures. Contact information is provided for questions about the policy. The policy was clear, concise, easy to understand, and appropriately organized.
Social Media Accounts Policy
Policy Introduction 5 points
The Social Media Accounts policy contained an excellent introduction which addressed five or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy.
Policy Content 10 points
The body of the policy provided an excellent description of the required actions, the responsible parties, compliance requirements, and sanctions / disciplinary actions for compliance failures. Contact information is provided for questions about the policy. The policy addressed all required actions listed in the assignment. The policy was clear, concise, easy to understand, and appropriately organized.
Addressed security issues using standard terminology 5 points
Demonstrated excellence in the use of standard cybersecurity terminology to support the deliverable. Appropriately used terminology from five or more pillars of IA/IS.
Organization & Appearance 5 points
Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
Execution 10 points
No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required).