Question

Research the IT security policy used by your university or by some other organization you are associated with. Identify which of the topics listed in Section 14.2 this policy addresses. If possible, identify any legal or regulatory requirements that apply to the organization. Do you believe the policy appropriately addresses all relevant issues? Are there any topics the policy should address but does not? [Note;  if you are unable to have direct access to an organization try to look one up on the web, must identify your source though. Your answer maybe one to three pages for this problem.]

Answer 1

Ans :- Security policies are the policies which are made by the senior management or a comities of an organization.

IT policies provide a guiding principle and responsibilities which are followed by all member of the university or organization

Purpose of the policy:-

• The main purpose of the IT security policy is to protect the data or information from security threats and to mitigate risks.

• All the member are aware of the policy and do not do something wrong which is illegal on the base of policy.and understand their personal responsibilities to protect the confidentiality and integrity of the data that they access

The IT policy in the university of Oxford:-

1. The first priority is to ensure the IT infrastructure remains in operation.which include network and services.Time to time update on the policies will be necessary and will take high priority in order to minimise overall disruption and to accommodate on-site contractors.

2. Infrastructure of collage administration is next prioroty this includes supported departmental systems such as databases and booking systems, also shared printers.

3. Academic priorities: No serious interruption in the operation of their IT equipment.

4. : For the single-user: breakdown of an individual computer or other collegeowned peripheral devices; software problems, major hardware problems affecting non-college owned equipment but being used for academic or college-related work.

5. Current students with critical problems involving their own personal PCs; single-user network or software problems.

By this policies we provide security to the university .There are some security fact for which policies are made and these security facts are:-

1. Network and computer:- The first priority of any university or organization is to secure their own network and the computer use for collage business “There must be a written policy in place at the local level for the handling of confidential information, whether electronic or hard copy, and a copy of the procedures must be provided to every user so that they are aware of their responsibilities.

2. Firewall:- The collage network include firewall to control the data into or out of their local network. This increase their security level and keep the thread minimum.

3. Retention of Data:- Different anti crime and security laws are implemented for the data we retain with regard to digital communications

Section 14.2 of the policy address:- It is a secure system engineering principle of the ISO. Iso helps organizations keep information assets secure.Control is not defined with many details. your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

Criminal Justice Information Services (CJIS) Security Policy :-

This is the latest security policy which are using in these days. This policy are use by the FBI . This law enforcement agencies to perform their mission and enforce the laws, information that can include biometric, identity history, person, organization, property, and case/incident history data

The purpose of the Criminal Justice Information Services (CJIS) security policy is to ensure the protection of criminal justice information (CJI) until the information is appropriately released or destroyed.

The intent of the CJIS Security Policy is to ensure the protection of the aforementioned CJI until the information is:-

1. Released to the public through authorized dissemination by a   court system, presented in crime reports data, or released in the interest of public safety.

2. Destroyed in accordance with applicable record retention rules.

Identify any legal requirement that apply to an organization:-

In support justice in the collage the concept Body-Worn Cameras are arise in 2016 I think this is the requirement which should be applied in the universities.

One of the best plicy which we want to apply in our organization is Incident Response Policy.a security incident comes in a different forms like malicious attacker gaining access to the network, a virus or other malware infecting computers, or even a stolen laptop containing confidential data  Incident Response Policy is critical to successful recovery from a data incident. This policy cover all the security that may occer in your computer.

The topic which policy should address but does not :-

No there is no such topic which the policy should address but does not because every organization made the best plicies to make their IT sector secure .As the different approach to break the policies the managers who make the policies make update to their policies according to the attack on their security server .

It always a loophole in every security policy and the criminal take advantage of their loophole but it the policy manager duty to secure their network from the criminals.

Answer 2

IT security policy used by the organization and identification of this policy address and identification of legal or regularory requirements that apply to the organization --

• The most important assets of an organization is their assets. the information or data of the company should be kept safe and use appropriately.
• The organization has adopted an IT security policy which fulfill legal requirements and provide nacessary safety.
• Changes to application and operating system should be controlled.
• The development enviornment of the organization should be secured and outsourced development should be controlled  
• The IT security policies of the organization are as follow --
• The integrity of the information should be maintained.
• The information of the organization should be protected against unaouthorised access.
• Identification of responsibility for organization's users, administrator and mangment.
• The policy provide sufficient guidance for development of specific procedure.
• The responsibility and requirements document for IT users can be -- Resource managment, Broad security functions, access rights or granting of site access authorization, division of responsibility and saperation of function, Application and IT componants,
• Personnel security and background checking, Training for IT applications and assigned roles and control and security issues.
• The physical and environmental security of an organization include --
• Identify secure areas and general controls and access control
• Fire detection and intruder devices.
• Protection against entering and breaking.
• Fire safety inspection, entry regulations and controls.
• Alert plan and fire drills.