Step 2
that no modifications are made by unauthorized people. The policy sets the rules and guidelines that
employees must abide by in their daily duties so that information security is fully guaranteed. Ideally, the
policy should cover all data, facilities, infrastructure, networks and systems, programs, users, and
third and fourth parties. Full implementation of an organizational policy requires consideration of
several components to ensure that the policy covers all these areas and is effective and achievable.
This section identifies the components that make an excellent cybersecurity policy.
The following are the critical components of a cybersecurity policy that organizations should consider:
a) Purpose
A cybersecurity policy's first and most basic component is a defined purpose. Calderaro and Craig
(2020) state that the primary purpose of implementing a policy in an organization is to protect
sensitive digital information. However, a firm may want to define the policy's goals in a more
actionable way. An organization may have several objectives for developing a security policy, for
instance clarifying the firm's information security approach and responding to security breaches
immediately and effectively. A firm's objective may also be to uphold its brand reputation in
information security, respect its customer
Suppose an organization fails to articulate a clear and concrete purpose for its cybersecurity
policy. In that case, its security measures are at risk of being ineffective and unfocused. In
contrast, a well-defined purpose for the security policy enables the organization to tailor its
security measures and provide enhanced data protection.
b) Scope
The scope component exists to ensure that the business specifies the reach of the security policy.
The policy should state which users are covered and which are not. For example, the organization
may decide that third-party vendors will not be included in its security policy, although extending
the reach to them may be tempting for security reasons. Keeping the policy within the organization
makes it easier to enforce and manage. In terms of scope, the business must also consider the
infrastructure the policy will govern (Calderaro & Craig, 2020). Ideally, the policy should cover
all the programs, systems, data, and other technology deployed in the organization. With such broad
c) Information security objectives
creation. According to Sabillon et al. (2017), the IT industry relies on three main principles, the
CIA triad, to guide the formulation of an organization's information policy. Confidentiality: the
policy should ensure that sensitive data and assets are kept confidential and that only authorized
employees can access protected information. Integrity: the policy should preserve the organization's
sensitive data in a secure, complete, and intact form, so that it cannot be modified without
authorization, whether by an external attacker or by an insider. Availability: the policy should aim
to keep IT systems available to users when they are required. As a result, it will ensure continuous flow and
d) Authority and access control
the right to limit data access. Everyone in the organization should be trusted with enough data
security insight to make correct decisions about what information can and cannot be shared. The
policy should define an access control policy that clearly shows who is authorized to share
information in the organization. Additionally, the section should indicate the levels of authority
over the IT systems. Furthermore, it should clarify how sensitive data is to be handled, what access
controls the company uses, who is responsible for these controls, and the
e) Data classification
Data should be classified into security levels, for example into categories such as public,
confidential, secret, and top secret. The policy can also group data by the harm its disclosure would
cause, for instance: level 1, information accessible by the public; level 2, information considered
private but causing no harm if it reaches the public; level 3, information that would have severe
consequences for the organization if it became public; and so on (Sabillon et al., 2017). Every
category of non-public data in the ICT systems needs additional protection, since even a slight breach
can be highly costly to the organization.
f) Data support and operations
This component covers the measures and operations the organization should implement for handling
each category of classified information asset. Syafrizal et al. (2020) define three essential
categories of data support and operations. The first is data protection regulations: the business
should set organizational standards for protecting personally identifiable and sensitive data. The
second is data backup requirements: the organization should keep sufficient, secure backups. Backups
should be encrypted so that their contents stay confidential if the backup media or store is exposed;
because encryption alone does not stop modification, they should also carry an integrity check (an
authenticated encryption mode, a keyed MAC, or a signed manifest) that is verified before any restore,
and restores should be tested regularly. The third category is the movement of data, which should be
governed by strict security measures. Data should be transferred over secure
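The following Python is an added example, not code from the essay or its sources, illustrating the backup point above: an encrypted backup that carries no integrity tag can still be modified by anyone who can write to the backup store, while an encrypt-then-MAC blob refuses to restore after the same modification. The stream cipher is a toy counter-mode keystream built from SHA-256 so that the example runs on the standard library alone (a real deployment would use AES-GCM or a signed manifest); the keys, the `BACKUP_RECORD` value and the function names are all constructed for this illustration.

```python
"""Added example (not from the essay or its sources): why an encrypted backup
still needs an integrity check before restore.

Encryption provides confidentiality, not integrity. With an unauthenticated
stream cipher, anyone who can write to the backup store can change a known
field by XOR-ing the ciphertext, without knowing the key. Adding an HMAC tag in
encrypt-then-MAC order makes that modification detectable. The cipher below is
a toy counter-mode keystream built from SHA-256, used only so the example runs
on the standard library; keys and the backup record are constructed sample data.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample backup record; "user" is the field the attacker targets.
BACKUP_RECORD = b"account=1001;balance=100;role=user"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (illustration only, not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under the toy stream cipher."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


def _patch_ciphertext(buf: bytearray, offset: int, old: bytes, new: bytes) -> None:
    """Malleability attack: turn known plaintext `old` at `offset` into `new`
    by XOR-ing the difference into the ciphertext. Needs no key material."""
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n


def seal_backup(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_backup(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; refuse on mismatch."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup integrity check failed; refusing to restore")
    return xor_crypt(enc_key, nonce, ciphertext)


def tamper_unauthenticated(enc_key: bytes) -> bytes:
    """Encrypt without a MAC, let the attacker patch 'user' -> 'root', decrypt.
    Returns the restored record, which silently carries the forged role."""
    nonce = b"\x00" * NONCE_LEN  # fixed nonce only to keep the demo simple
    buf = bytearray(xor_crypt(enc_key, nonce, BACKUP_RECORD))
    _patch_ciphertext(buf, BACKUP_RECORD.index(b"user"), b"user", b"root")
    return xor_crypt(enc_key, nonce, bytes(buf))


def tamper_authenticated(enc_key: bytes, mac_key: bytes) -> bool:
    """Same patch against an encrypt-then-MAC blob. Returns True if the
    modification was detected and the restore refused."""
    buf = bytearray(seal_backup(enc_key, mac_key, BACKUP_RECORD))
    _patch_ciphertext(buf, NONCE_LEN + BACKUP_RECORD.index(b"user"), b"user", b"root")
    try:
        open_backup(enc_key, mac_key, bytes(buf))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    print("unauthenticated restore:", tamper_unauthenticated(enc_key))
    print("tamper detected with MAC:", tamper_authenticated(enc_key, mac_key))
```

The first call restores a record whose role field reads `root` with no error, which is what an "encrypted but unauthenticated" backup policy permits; the second refuses the restore because the HMAC over nonce and ciphertext no longer matches. The same check belongs in the restore procedure for any backup format that does not already use an authenticated mode.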
g) Security awareness and behavior
It is paramount to put better strategies in place within the organization to heighten employees'
security awareness and prevent data breaches. The policy must be structured to encourage certain
employee behaviors and bolster awareness, which helps to thwart potential attacks and losses within
the organization. According to Syafrizal et al. (2020), the best way to achieve this is through an
employee training policy. Staff should be familiarized with what information is highly sensitive,
the protection strategies already in place, and the access protection measures implemented. Security
training should brief employees on the social engineering techniques attackers use and how to
counter them. Employees should also be aware of the clean desk policy and keep sensitive data out of
reach. Additionally, employees should be trained on the internet use policy and made aware of the
illegitimate websites attackers use to lure users.
h) Responsibilities, rights, and duties of personnel
This is the final component of the information security policy, and it should clearly outline
employees' rights, duties, and responsibilities concerning data protection. Responsibilities should be
assigned by delegating specific persons to conduct access reviews, carry out employee training,
oversee change management procedures, and handle incidents. There should also be the right people to
provide basic oversight of the organization's information security. As a result, the organization
avoids management errors that pose security risks.
All of the above components should be considered when developing a security policy for an
organization. As a result, it leads to a robust policy that covers all aspects and ensures that data
References
Calderaro, A., & Craig, A. J. (2020). Transnational governance of cybersecurity: policy … Quarterly, 41(6), 917-938.
Sabillon, R., Serra-Ruiz, J., Cavaller, V., & Cano, J. (2017, November). A comprehensive
Sunkpho, J., Ramjan, S., & Ottamakorn, C. (2018, March). Cybersecurity policy in ASEAN
Syafrizal, M., Selamat, S. R., & Zakaria, N. A. (2020). Analysis of cybersecurity standard and