Chapter 1. Understanding Policy

Chapter Objectives

After reading this chapter and completing the exercises, you should be able to do the following:

• Describe the significance of policies.

• Evaluate the role policy plays in corporate culture and civil society.

• Articulate the objective of information security–related policies.

• Identify the seven characteristics of successful policies.

• Define the lifecycle of an information security policy.

We live in an interconnected world where individual as well as collective actions have the potential to result in inspiring goodness or tragic harm. The objective of Information Security is to protect each of us, our economy, our critical infrastructure, and our country from the harm that can result from inadvertent or intentional misuse, compromise, or destruction of information and information systems. The United States Department of Homeland Security defines critical infrastructure sectors as agriculture, food, water, public health, emergency services, government, defense industrial base, information technology and telecommunications, energy, transportation, banking, finance, chemical industry, and postal and shipping. The services provided by critical infrastructure sectors are “the backbone of our nation’s economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family. Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”1


FYI: National Security

Presidential Policy Directive 7, Protecting Critical Infrastructure (2003), established a national policy that required federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from physical and cyber terrorist attacks. The directive acknowledged that it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, but that strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

Ten years later, in 2013, Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, broadened the effort to strengthen and maintain secure, functioning, and resilient critical infrastructure by recognizing that this endeavor is a shared responsibility among the federal, state, local, tribal, and territorial entities as well as public and private owners and operators of critical infrastructure.


Policy is the seminal tool used to protect both our critical infrastructure and our individual liberties. The role of policy is to provide direction and structure. Policies are the foundation of companies’ operations, a society’s rule of law, or a government’s posture in the world. Without policies, we would live in a state of chaos and uncertainty. The impact of a policy can be positive or negative. The hallmark of a positive policy is one that supports our endeavors, responds to a changing environment, and potentially creates a better world.

In this chapter, we will explore policies from a historical perspective, talk about how humankind has been affected, and learn how societies have evolved using policies to establish order and protect people and resources. We will apply these concepts to information security principles and policies. We will discuss in detail the seven characteristics of an effective information security policy. We will acknowledge the influence of government regulation on the development and adoption of information security policies and practices. Lastly, we will tour the policy lifecycle.

Looking at Policy Through the Ages

Sometimes an idea seems more credible if we begin with an understanding that it has been around for a long time and has withstood the test of time. Since the beginning of social structure, people have sought to form order out of perceived chaos and to find ways to sustain ideas that benefit the advancement and improvement of a social structure. The best way we have found yet is in recognizing our common problems and finding ways to avoid causing or experiencing them in our future endeavors. Policies, laws, codes of justice, and other such documents came into existence almost as soon as alphabets and the written word allowed them. This does not mean that before the written word there were no policies or laws. It does mean that we have no reference to spoken policy known as “oral law,” so we will confine our discussion to written documents we know existed and still exist.


FYI: Life in Ancient Times

It might be helpful to understand what life was like around 1000 B.C.E. Picture yourself in a world with rampant and uncontrolled disease, crime, social unrest, poverty, and superstition—a world where the rules people lived by were arbitrary, decided in the moment, driven by reactionary instinct, or dictated by some mystical superstition without any basis in fact.

Now consider our own society. Disease is largely controlled, or at least treated with, medicine. Crime is controlled through a justice system, including written law enforced by police and upheld and adjudicated by a judicial system, in which convicted offenders are punished in a penitentiary system. In further contrast, social unrest is built into our system of free speech, poverty is managed with varying degrees of success by a social welfare system, and superstition has largely given way to science, as we understand more and more of our world.


We are going to look back through time at some examples of written policies that had and still have a profound effect on societies across the globe, including our own. We are not going to concern ourselves with the function of these documents. Rather, we will begin by noting the basic commonality we can see in the why and how they were created to serve a larger social order. Some are called laws, some codes, and some canons, but what they all have in common is that they were created out of a perceived need to guide human behavior in foreseeable circumstances, and even to guide human behavior when circumstances could not be or were not foreseeable. Equal to the goal of policy to sustain order and protection is the absolute requirement that our policy be changeable in response to dynamic conditions.

The Bible as Ancient Policy

Let’s start by going back in time 3,300 years and look at one of the earliest examples of written policy still in existence: the Torah. For those of the Jewish faith, the Torah is the Five Books of Moses. Christians refer to the Torah as the Old Testament of the Bible. If we put aside the religious aspects of this work, we can examine the Torah’s importance from a social perspective and its lasting impact on the entire world. The Torah articulated a codified social order. It contains rules for living as a member of a social structure. The rules were and are intended to provide guidance for behavior, the choices people make, and their interaction with each other and society as a whole. Some of the business-related rules of the Torah include the following:

• Not to use false weights and measures

• Not to charge excessive interest

• To be honest in all dealings

• To pay wages promptly

• To fulfill promises to others

These are behavior directives—or what we now refer to as policies. We can clearly see similarities between these ancient social rules and our modern social standards. As mentioned earlier, we are not concerned with the content of these ancient documents as much as the reason for their creation. The various common experiences of all peoples led to common behaviors and choices, which all too often led to the ills plaguing their social systems. With careful thought, clearly stated and communicated in written form, many of these social problems could be avoided by giving people rules to guide them through their daily lives. Any person who could follow these rules would certainly find life easier to navigate. Moreover, if everyone followed the rules, the entire community would become more stable. Time previously spent avoiding problems could instead be spent improving the community.

The United States Constitution as a Policy Revolution

Let’s look at a document with which you may be a little more familiar: the Constitution of the United States of America. The Constitution is a collection of articles and amendments codifying all aspects of American government and citizens’ rights. The articles themselves are very broad principles that recognize that the world will change. This is where the amendments play their role as additions to the original document. Through time, these amendments have extended rights to more and more Americans and have allowed for circumstances our founders could not have foreseen. The founders wisely built into the framework of the document a process for changing it while still adhering to its fundamental tenets. Though it takes great effort to amend the Constitution, the process begins with an idea, informed by people’s experience, when they see a need for change. We learn some valuable lessons from the Constitution—most importantly that our policies need to be dynamic enough to adjust to changing environments.

The Constitution and the Torah were created from distinct environments, but they both had a similar goal: to serve as rules as well as to guide our behavior and the behavior of those in power. Though our information security policies may not be used for such lofty purposes as the Constitution and the Torah, the need for guidance, direction, and roles remains the same.

Policy Today

We began this chapter with broad examples of the impact of policy throughout history. Let’s begin to focus on the organizations for which we will be writing our information security policies—namely, profit, nonprofit and not-for-profit businesses, government agencies, and institutions. The same circumstances that led us to create policies for social culture exist for our corporate culture as well.

Guiding Principles

Corporate culture can be defined as the shared attitudes, values, goals, and practices that characterize a company, corporation, or institution. Guiding principles set the tone for a corporate culture. Guiding principles synthesize the fundamental philosophy or beliefs of an organization and reflect the kind of company that an organization seeks to be.


FYI: Guiding Principles and Practices

Guiding principles are the fundamental philosophy or beliefs of an organization and the foundation upon which a company is built. Toyota Motor Corporation (TMC) has been a leader in promoting its company vision, guiding principles, values, philosophy, and code of conduct. You can read more about the relationship between Toyota’s guiding principles, policies, and everyday practice at www.toyota-global.com/company/toyota_traditions/.

Toyota Guiding Principles2

“The Guiding Principles at Toyota (adopted in 1992 and revised in 1997) reflect the kind of company that Toyota seeks to be in light of the unique management philosophy, values, and methods that it has embraced since its foundation. TMC, together with its consolidated subsidiaries, hopes to contribute to sustainable development through its corporate activities based on understanding and sharing of the Guiding Principles at Toyota.

• “Honor the language and spirit of the law of every nation and undertake open and fair business activities to be a good corporate citizen of the world.

• “Respect the culture and customs of every nation and contribute to economic and social development through corporate activities in their respective communities.

• “Dedicate our business to providing clean and safe products and to enhancing the quality of life everywhere through all of our activities.

• “Create and develop advanced technologies and provide outstanding products and services that fulfill the needs of customers worldwide.

• “Foster a corporate culture that enhances both individual creativity and the value of teamwork, while honoring mutual trust and respect between labor and management.

• “Pursue growth through harmony with the global community via innovative management.

• “Work with business partners in research and manufacture to achieve stable, long-term growth and mutual benefits, while keeping ourselves open to new partnerships.”


Not all guiding principles and hence corporate cultures are good. As a matter of fact, there are companies for whom greed, exploitation, and contempt are unspoken-yet-powerful guiding principles. You may recall the deadly April 24, 2013 garment factory collapse in Bangladesh where 804 people were confirmed dead and more than 2,500 injured.3 This is a very sad example of a situation where the lives of many were knowingly put at risk for the sake of making money.

Corporate Culture

Corporate cultures are often classified by how corporations treat their employees and their customers. The three classifications are negative, neutral, and positive. A negative classification is indicative of a hostile, dangerous, or demeaning environment. Workers do not feel comfortable and may not be safe; customers are not valued and may even be cheated. A neutral classification means that the business neither supports nor hinders its employees; customers generally get what they pay for. A positive classification is awarded to businesses that strive to create and sustain a welcoming workplace, truly value the customer relationship, partner with their suppliers, and are responsible members of their community.

Let’s consider a tale of two companies. Both companies experience a data breach that exposes customer information; both companies call in experts to help determine what happened. In both cases, the investigators determine that the data-protection safeguards were inadequate and that employees were not properly monitoring the systems. The difference between these two companies is how they respond and learn from the incident. Company A is quick to respond by blaming the department management, firing key employees, and looking for ways to avoid legally required customer notification. Company B leadership shares the report with the department, solicits internal and external feedback on how to improve, researches new controls, methodically implements enhancements, and informs customers in a timely manner so they can take steps to protect themselves.

A positive corporate culture that focuses on protecting internal and customer information, solicits input, engages in proactive education, and allocates resources appropriately makes a strong statement that employees and customers are valued. In these organizations, policy is viewed as an investment and a competitive differentiator for attracting quality employees and customers.

Information Security Policy

The role of policy is to codify guiding principles, shape behavior, provide guidance to those who are tasked with making present and future decisions, and serve as an implementation roadmap. An information security policy is a directive that defines how the organization is going to protect its information assets and information systems, ensure compliance with legal and regulatory requirements, and maintain an environment that supports the guiding principles. The objective of an information security policy and corresponding program is to protect the organization, its employees, its customers, and also vendors and partners from harm resulting from intentional or accidental damage, misuse, or disclosure of information, protect the integrity of the information, and ensure the availability of information systems.


FYI: Information Assets

Information is data with context or meaning. An asset is a resource with value. As a series of digits, the string 345934353 has no discernible value. However, if those same numbers represented a social security number (345-93-4353) or a bank account number (34-5834353), they would have both meaning and value. Information asset is the term applied to the information that an organization uses to conduct its business. Examples include customer data, employee records, financial documents, business plans, intellectual property, IT information, reputation, and brand. Information assets may be protected by law or regulation (for example, patient medical history), considered internally confidential (for example, employee reviews and compensation plans), or even publicly available (for example, website content). Information assets are generally stored in digital or print format; however, it is possible to extend our definition to institutional knowledge.


Successful Policy Characteristics

Successful policies establish what must be done and why it must be done, but not how to do it. Good policy has the following seven characteristics:

• Endorsed—The policy has the support of management.

• Relevant—The policy is applicable to the organization.

• Realistic—The policy makes sense.

• Attainable—The policy can be successfully implemented.

• Adaptable—The policy can accommodate change.

• Enforceable—The policy is statutory.

• Inclusive—The policy scope includes all relevant parties.

Taken together, the characteristics can be thought of as a policy pie, with each slice being equally important, as illustrated in Figure 1.1.

FIGURE 1.1 The policy pie.

Endorsed

We have all heard the saying “Actions speak louder than words.” In order for an information security policy to be successful, leadership must not only believe in the policy, they must also act accordingly by demonstrating an active commitment to the policy by serving as role models. This requires visible participation and action, ongoing communication and championing, investment, and prioritization.

Consider this situation: Company A and Company B both decide to purchase iPhones for management and sales personnel. By policy, both organizations require strong, complex email passwords. At both organizations, IT implements the same complex password policy on the iPhone that is used to log in to their webmail application. Company A’s CEO is having trouble using the iPhone and he demands that IT reconfigure his phone so he doesn’t have to use a password. He states that he is “too important to have to spend the extra time typing in a password, and besides none of his peers have to do so.” Company B’s CEO participates in rollout training, encourages employees to choose strong passwords in order to protect customer and internal information, and demonstrates to his peers the enhanced security, including a wipe feature after five bad password attempts.

Nothing will doom a policy quicker than having management ignore or, worse, disobey or circumvent it. Conversely, visible leadership and encouragement are two of the strongest motivators known to humankind.

Relevant

Strategically, the information security policy must support the guiding principles and goals of the organization. Tactically, it must be relevant to those who must comply. Introducing a policy to a group of people who find nothing recognizable in relation to their everyday experience is a recipe for disaster.

Consider this situation: Company A’s CIO attends a seminar on the importance of physical access security. At the seminar, they distribute a “sample” policy template. Two of the policy requirements are that exterior doors remain locked at all times and that every visitor be credentialed. This may sound reasonable, until you consider that most Company A locations are small offices that require public accessibility. When the policy is distributed, the employees immediately recognize that the CIO does not have a clue about how they operate.

Policy writing is a thoughtful process that must take into account the environment. If policies are not relevant, they will be ignored or, worse, dismissed as unnecessary and management will be perceived as being out of touch.

Realistic

Think back to your childhood to a time you were forced to follow a rule you did not think made any sense. The most famous defense most of us were given by our parents in response to our protests was “Because I said so!” We can all remember how frustrated we became whenever we heard that statement, and how it seemed unjust. We may also remember our desire to deliberately disobey our parents—to rebel against this perceived tyranny. In very much the same way, policies will be rejected if they are not realistic. Policies must reflect the reality of the environment in which they will be implemented.

Consider this situation: Company A discovers that users are writing down their passwords on sticky notes and putting the sticky notes on the underside of their keyboard. This discovery is of concern because multiple users share the same workstation. In response, management decides to implement a policy that prohibits employees from writing down their passwords. Turns out that each employee uses at least six different applications, and each requires a separate login. What’s more, on average, the passwords change every 90 days. One can imagine how this policy might be received. More than likely, users will decide that getting their work done is more important than obeying this policy and will continue to write down their passwords, or perhaps they will decide to use the same password for every application. To change this behavior will take more than publishing a policy prohibiting it; leadership needs to understand why employees were writing down their passwords, make employees aware of the dangers of writing down their passwords, and most importantly provide alternative strategies or aids to remember the passwords.

If you engage constituents in policy development, acknowledge challenges, provide appropriate training, and consistently enforce policies, employees will be more likely to accept and follow the policies.

Attainable

Policies should only require what is possible. If we assume that the objective of a policy is to advance the organization’s guiding principles, one can also assume that a positive outcome is desired. A policy should never set up constituents for failure; rather, it should provide a clear path for success.

Consider this situation: In order to contain costs and to enhance tracking, Company A’s management adopted a procurement policy that purchase orders must be sent electronically to suppliers. They set a goal of 80% electronic fulfillment by the end of the first year and announced that regional offices that do not meet this goal will forfeit their annual bonus. In keeping with existing information security policy, all electronic documents sent externally that include proprietary company information must be sent using the secure file transfer application. The problem is that procurement personnel despise the secure file transfer application because it is slow and difficult to use. Most frustrating of all, it is frequently offline. That leaves them three choices: depend on an unstable system (not a good idea), email the purchase order (in violation of policy), or continue mailing paper-based purchase orders (and lose their bonus).

It is important to seek advice and input from key people in every job role to which the policies apply. If unattainable outcomes are expected, people are set up to fail. This will have a profound effect on morale and will ultimately affect productivity. Know what is possible.

Adaptable

In order to thrive and grow, businesses must be open to changes in the market and willing to take measured risks. A static set-in-stone information security policy is detrimental to innovation. Innovators are hesitant to talk with security, compliance, or risk departments for fear that their ideas will immediately be discounted as contrary to policy or regulatory requirement. “Going around” security is understood as the way to get things done. The unfortunate result is the introduction of products or services that may put the organization at risk.

Consider this situation: Company A and Company B are in a race to get their mobile app to market. Company A’s programming manager instructs her team to keep the development process secret and not to involve any other departments, including security and compliance. She has 100% faith in her team and knows that without distractions they can beat Company B to market. Company B’s programming manager takes a different tack. She demands that security requirements be defined early in the software development cycle. In doing so, her team identifies a policy roadblock. They have determined that they need to develop custom code for the mobile app but the policy requires that “standard programming languages be used.” Working together with the security officer, the programming manager establishes a process to document and test the code in such a way that it meets the intent of the policy. Management agrees to grant an exception and to review the policy in light of new development methodologies.

Company A does get to market first. However, their product is vulnerable to exploit, puts their customers at risk, and ultimately gets bad press. Instead of moving on to the next project, the development team will need to spend their time rewriting code and issuing security updates. Company B gets to market a few months later. They launch a functional, stable, and secure app.

An adaptable information security policy recognizes that information security is not a static, point-in-time endeavor but rather an ongoing process designed to support the organizational mission. The information security program should be designed in such a way that participants are encouraged to challenge conventional wisdom, reassess the current policy requirements, and explore new options without losing sight of the fundamental objective. Organizations that are committed to secure products and services often discover it to be a sales enabler and competitive differentiator.

Enforceable

Enforceable means that administrative, physical, or technical controls can be put in place to support the policy, that compliance can be measured and, if necessary, appropriate sanctions applied.

Consider this scenario: Company A and Company B both have a policy stating that Internet access is restricted to business use only. Company A does not have any controls in place to restrict access; instead, the company leaves it up to the user to determine “business use.” Company B implements web-filtering software that restricts access by site category and reviews the filtering log daily. In conjunction with implementing the policy, Company B conducted a training session explaining and demonstrating the rationale for the policy with an emphasis on disrupting the malware delivery channel.

A workstation at Company A is infected with malware. It is determined that the malware came from a website that the workstation user accessed. Company A’s management decides to fire the user for “browsing” the web. The user files a protest claiming that the company has no proof that it wasn’t business use, that there was no clear understanding of what “business use” meant, and besides everyone (including his manager) is always surfing the web without consequence.

A user at Company B suspects something is wrong when multiple windows start opening while he is at a “business use” website. He immediately reports the suspicious activity. His workstation is immediately quarantined and examined for malware. Company B’s management investigates the incident. The logs substantiate the user’s claim that the access was inadvertent. The user is publicly thanked for reporting the incident.

If a rule is broken and there is no consequence, then the rule is in effect meaningless. However, there must be a fair way to determine if a policy was violated, which includes evaluating the organizational support of the policy. Sanctions should be clearly defined and commensurate with the associated risk. A clear and consistent process should be in place so that all similar violations are treated in the same manner.
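The daily log review that makes Company B’s policy enforceable can be written down as a check rather than left to intuition. The following Python script is an added example, not code from the book or from any web-filtering product: its log format, category names, and five-second “spawned by the page” window are assumptions, and the log lines are constructed. It separates blocked requests a user navigated to directly from blocked requests that an allowed business-category page opened (pop-ups, redirects, embedded content), which is the distinction the investigation in the scenario turned on.

```python
"""Review a web-filter log against an "Internet access is business use only" policy.

Assumed (constructed) log format, one event per line:
  <ISO timestamp> user=<id> url=<url> category=<cat> action=<allow|block> referer=<url or ->
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import re

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+) category=(?P<cat>\S+) "
    r"action=(?P<action>allow|block) referer=(?P<ref>\S+)$"
)

# Categories the policy treats as legitimate business use (assumption for the example).
BUSINESS_CATEGORIES = {"business", "finance", "technology"}
# A block that follows an allowed business page by at most this long, and that
# names that page as its referer, is treated as spawned by the page, not chosen.
SPAWN_WINDOW = timedelta(seconds=5)


@dataclass
class Event:
    ts: datetime
    user: str
    url: str
    category: str
    action: str
    referer: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; reject lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(Event(
            ts=datetime.fromisoformat(m["ts"]),
            user=m["user"], url=m["url"], category=m["cat"],
            action=m["action"],
            referer=None if m["ref"] == "-" else m["ref"],
        ))
    return events


def host(url: str) -> str:
    """Hostname portion of a URL (scheme and path stripped)."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def review(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Classify every blocked request per user as 'deliberate' or 'inadvertent'."""
    per_user: Dict[str, List[Event]] = {}
    for e in sorted(parse_log(log_text), key=lambda ev: ev.ts):
        per_user.setdefault(e.user, []).append(e)

    result: Dict[str, Dict[str, List[str]]] = {}
    for user, evs in per_user.items():
        summary: Dict[str, List[str]] = {"deliberate": [], "inadvertent": []}
        for i, e in enumerate(evs):
            if e.action != "block":
                continue
            spawned = False
            if e.referer is not None:
                ref_host = host(e.referer)
                # Walk back through this user's recent events, newest first.
                for prior in reversed(evs[:i]):
                    if e.ts - prior.ts > SPAWN_WINDOW:
                        break
                    if (prior.action == "allow"
                            and prior.category in BUSINESS_CATEGORIES
                            and host(prior.url) == ref_host):
                        spawned = True
                        break
            summary["inadvertent" if spawned else "deliberate"].append(e.url)
        result[user] = summary
    return result


# Constructed sample: jdoe's allowed vendor page spawns two blocked requests within
# seconds; asmith navigates straight to blocked entertainment and games sites.
SAMPLE_LOG = """
2013-05-06T09:14:02 user=jdoe url=https://vendorportal.example/orders category=business action=allow referer=-
2013-05-06T09:14:03 user=jdoe url=http://ad-tracker.example/p.js category=malware action=block referer=https://vendorportal.example/orders
2013-05-06T09:14:04 user=jdoe url=http://ad-tracker.example/pop category=malware action=block referer=https://vendorportal.example/orders
2013-05-06T12:30:10 user=asmith url=http://streaming.example/video category=entertainment action=block referer=-
2013-05-06T12:31:45 user=asmith url=http://games.example/play category=games action=block referer=http://streaming.example/video
"""

if __name__ == "__main__":
    for user, summary in review(SAMPLE_LOG).items():
        print(user, "deliberate:", len(summary["deliberate"]),
              "inadvertent:", len(summary["inadvertent"]))
```

The same report gives management the measurable compliance figure the section calls for (deliberate blocks per user) and the evidence that clears a user whose only blocked requests were spawned by a permitted page.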

Inclusive

It is important to include external parties in our policy thought process. It used to be that organizations only had to be concerned about information and systems housed within their walls. That is no longer the case. Data (and the systems that store, transmit, and process it) are now widely and globally distributed. Organizations that choose to put information in or use systems in “the cloud” may face the additional challenge of having to assess and evaluate vendor controls across distributed systems in multiple locations. The reach of the Internet has facilitated worldwide commerce, which means that policies may have to consider an international audience of customers, business partners, and employees. The trend toward outsourcing and subcontracting requires that policies be designed in such a way to incorporate third parties. Information security policies must also consider external threats such as unauthorized access, vulnerability exploits, intellectual property theft, denial of service attacks, and hacktivism done in the name of cybercrime, terrorism, and warfare.

An information security policy must take into account organizational objectives; international law; the cultural norms of its employees, business partners, suppliers, and customers; environmental impact; and global cyber threats. The hallmark of a great information security policy is that it positively affects the organization, its shareholders, employees, and customers, as well as the global community.


FYI: Cyber What?

Coined in 1991, the prefix “cyber”4 is defined as involving computers or computer networks. Affixed to the terms crime, terrorism, and warfare, cyber means that computer resources or computer networks such as the Internet are used to commit the action.

Richard Clarke, cybersecurity adviser to Presidents Bill Clinton and George W. Bush, in an April 6, 2010 National Public Radio interview with Tom Gjelten, commented that “the difference between cybercrime, cyber-espionage, and cyber-war is a couple of keystrokes. The same technique that gets you in to steal money, patented blueprint information, or chemical formulas is the same technique that a nation-state would use to get in and destroy things.”


The Role of Government

In the previous section, we peeked into the world of Company A and Company B and found them to be very different in their approach to information security. In the real world, this is problematic. Information security is complex, and weaknesses in one organization can directly affect another. At times, government intervention is required in order to protect its critical infrastructure and its citizens. Intervention with the purpose of either restraining or causing a specific set of uniform actions is known as regulation. In the 1990s, two groundbreaking pieces of information security–related federal legislation were introduced with the objective of protecting personal financial and medical records:

• The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, Safeguards Rule

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

On November 12, 1999, President Clinton signed the GLB Act (GLBA) into law. The purpose of the Act was to reform and modernize the banking industry by eliminating existing barriers between banking and commerce. The Act permitted banks to engage in a broad range of activities, including insurance and securities brokering, with new affiliated entities. Lawmakers were concerned that these activities would lead to an aggregation of customer financial information and significantly increase the risk of identity theft and fraud. Section 501B of the legislation, which went into effect May 23, 2003, required that companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance5 ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. GLBA requires financial institutions and other covered entities to develop and adhere to an information security policy that protects customer information and assigns responsibility for the adherence to the Board of Directors. Enforcement of GLBA was assigned to federal oversight agencies including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the National Credit Union Agency (NCUA), and the Federal Trade Commission (FTC).


Note

In Chapter 13, “Regulatory Compliance for Financial Institutions,” we will examine the regulations applicable to the financial sector, with a focus on the Interagency Guidelines Establishing Information Security Standards, the FTC Safeguards Act, Financial Institutions Letters (FILs), and applicable supplements.


Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Likewise, the HIPAA Security Rule established a national standard to protect individuals’ electronic personal health information (known as ePHI) that is created, received, used, or maintained by a covered entity, which includes healthcare providers and business associates. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Covered entities are required to publish comprehensive information security policies that communicate in detail how information is protected. The legislation, while mandatory, did not include a stringent enforcement process. However, in 2012, one of the provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) assigned audit and enforcement responsibility to the Department of Health and Human Services Office of Civil Rights (HHS-OCR) and gave state Attorneys General the power to file suit over HIPAA violations in their jurisdiction.


Note

In Chapter 14, “Regulatory Compliance for the Healthcare Sector,” we will examine the components of the original HIPAA Security Rule, and the subsequent HITECH Act and the Omnibus Rule. We will discuss the policies, procedures, and practices that entities need to implement to be HIPAA-compliant.


States as Leaders

Congress has failed repeatedly to establish a comprehensive national security standard for the protection of digital non-public personally identifiable information (NPPI), including notification of breach or compromise requirements. In the absence of federal legislation, states have taken on the responsibility. On July 1, 2003, California became the first state to enact consumer information security notification legislation. SB 1386: California Security Breach Information Act requires a business or state agency to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. The law defines personal information as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.” Subsequently, 46 states have enacted similar security breach notification laws.


Note

In Chapter 11, “Information Security Incident Management,” we will discuss the importance of incident response capability and how to comply with the myriad of state data breach notification laws.


On March 1, 2010, Massachusetts became the first state in the nation to require the protection of personally identifiable information of Massachusetts residents. 201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records and mandates a broad set of safeguards, including security policies, encryption, access control, authentication, risk assessment, security monitoring, and training. Personal information is defined as a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following: social security number, driver’s license number or state-issued identification card number, financial account number, or credit or debit card number. The provisions of this regulation apply to all persons who own or license personal information about a resident of the Commonwealth of Massachusetts.

Regulatory compliance is a powerful driver. In response, untold dollars and workforce hours have been invested in achieving compliance. For some organizations, compliance is the only reason they have an information security policy. Conversely, there are industry sectors that recognize the inherent operational, civic, and reputational benefit of implementing applicable controls and safeguards. Two of the federal regulations mentioned earlier in this chapter—GLBA and HIPAA—were the result of industry and government collaboration. The passage of these regulations forever altered the security landscape. You will learn more about federal and state regulatory requirements and their relationship to information security policies and practices in subsequent chapters.

Information Security Policy Lifecycle

Regardless of whether a policy is based on guiding principles or regulatory requirements, its success depends in large part upon how the organization approaches the tasks of policy development, publication, adoption, and review. Collectively, this process is referred to as the policy lifecycle, as illustrated in Figure 1.2. The responsibilities associated with the policy lifecycle process are distributed throughout an organization as outlined in Table 1.1. Organizations that understand the lifecycle and take a structured approach will have a much better chance of success. The objective of this section is to introduce you to the components that make up the policy lifecycle. Throughout the text, we will examine the process as it relates to specific information security policies.

FIGURE 1.2 Information security policy lifecycle.

TABLE 1.1 Information Security Policy Lifecycle Responsibilities

Policy Development

Even before setting pen to paper, considerable thought and effort need to be put into developing a policy. Once the policy is written, it still needs to go through an extensive review and approval process. There are six key tasks in the development phase: planning, researching, writing, vetting, approving, and authorizing.

1. The seminal planning task should identify the need for and context of the policy. Policies should never be developed for their own sake. There should always be a reason. Policies may be needed to support business objectives, contractual obligations, or regulatory requirements. The context could vary from the entire organization to a specific subset of users. In Chapters 4 through 12, we will identify the reasons for specific policies.

2. Policies should support and be in agreement with relevant laws, obligations, and customs. The research task focuses on defining operational, legal, regulatory, or contractual requirements and aligning the policy with the aforementioned. This objective may sound simple, but in reality is extremely complex. Some regulations and contracts have very specific requirements whereas others are extraordinarily vague. Even worse, they may contradict each other.

For example, federal regulation requires financial institutions to notify consumers if their account information has been compromised. The notification is required to include details about the breach; however, Massachusetts Law 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth specifically restricts the same details from being included in the notification. You can imagine the difficulty in trying to comply with opposing requirements. Throughout this text, we will align policies with legal requirements and contractual obligations.

3. In order to be effective, policies must be written for their intended audience. Language is powerful and is arguably one of the most important factors in gaining acceptance and, ultimately, successful implementation. The writing task requires that the audience is identified and understood. In Chapter 2, “Policy Elements and Style,” we will explore the impact of the plain writing movement on policy development.

4. Policies require scrutiny. The vetting task requires the authors to consult with internal and external experts, including legal counsel, human resources, compliance, information security and technology professionals, auditors, and regulators.

5. Because information security policies affect an entire organization, they are inherently cross-departmental. The approval task requires that the authors build consensus and support. All affected departments should have the opportunity to contribute to, review, and, if necessary, challenge the policy before it is authorized. Within each department, key people should be identified, sought out, and included in the process. Involving them will contribute to the inclusiveness of the policy and, more importantly, may provide the incentive for them to champion the policy.

6. The authorization task requires that executive management or an equivalent authoritative body agree to the policy. Generally, the authority has oversight responsibilities and can be held legally liable. Both GLBA and HIPAA require written information security policies that are Board-approved and subject to at least annual review. Boards of Directors are often composed of experienced albeit nontechnical business people from a spectrum of industry sectors. It is helpful to know who the Board members are, and their level of understanding, so that policies are presented in a meaningful way.

Policy Publication

Once you have the “green light” from the authority, it is time to publish and introduce the policy to the organization as a whole. This introduction will require careful planning and execution because it will set the stage for how well the policy is accepted and followed. There are three key tasks in the publication phase: communication, dissemination, and education.

1. The objective of the communication task is to deliver the message that the policy or policies are important to the organization. In order to accomplish this task, visible leadership is required. There are two very distinct types of leaders in the world: those who see leadership as a responsibility and those who see it as a privilege.

Leaders who see their role as a responsibility adhere to all the same rules they ask others to follow. “Do as I do” is an effective leadership style, especially in relation to information security. Security is not always convenient, and it is crucial for leadership to participate in the information security program by adhering to its policies and setting the example.

Leaders who see their role as a privilege have a powerful negative impact: “Do as I say, not as I do.” This leadership style will do more to undermine an information security program than any other single force. As soon as people learn that leadership is not subject to the same rules and restrictions, policy compliance and acceptance will begin to erode.

Invariably, the organizations in which leadership sets the example by accepting and complying with their own policy have fewer information security–related incidents. When incidents do occur, they are far less likely to cause substantial damage. When the leadership sets a tone of compliance, the rest of the organization feels better about following the rules, and they are more active in participating. In Chapter 4, “Governance and Risk Management,” we will examine the relationship between governance and security.

2. Disseminating the policy simply means making it available. Although the task seems obvious, it is mind-boggling how many organizations store their policies in locations that make them, at best, difficult to locate and, at worst, totally inaccessible. Policies should be widely distributed and available to their intended audience. This does not mean that all policies should be available to everyone because there may be times when certain policies contain confidential information that should only be made available on a restricted or need-to-know basis.

3. Companywide training and education build culture. When people share experiences, they are drawn together; they can reinforce one another’s understanding of the subject matter and therefore support whatever initiative the training was intended to introduce. Introducing information security policies should be thought of as a teaching opportunity with the goal of raising awareness, and giving each person a tangible connection to the policy objective. Initial education should be coupled with ongoing awareness programs designed to reinforce the importance of policy-driven security practices.

Multiple factors contribute to an individual’s decision to comply with a rule, policy, or law, including the chance of being caught, the reward for taking the risk, and the consequences. Organizations can influence individual decision making by creating direct links between individual actions, policy, and success. Creating a culture of compliance means that each participant not only recognizes and understands the purpose of a policy, they also actively look for ways to champion the policy. Championing a policy means being willing to demonstrate visible leadership and to encourage and educate others. Creating a culture of information security policy compliance requires an ongoing investment in training and education, measurements, and feedback.


Note

In Chapter 6, “Human Resources Security,” we will examine the National Institute of Standards and Technology (NIST) Security Awareness, Training, and Education (SETA) model.


Policy Adoption

The policy has been announced and the reasons communicated. Now the hard work of adoption starts. Successful adoption begins with an announcement, progresses through implementation, performance evaluation, and process improvement, with the ultimate goal being normative integration. For our purposes, normative integration means that the policy and corresponding implementation is expected behavior—all others being deviant. There are three key tasks in the adoption phase: implementation, monitoring, and enforcement:

1. Implementation is the busiest and most challenging task of all. The starting point is ensuring that everyone involved understands the intent of the policy as well as how it is to be applied. Decisions may need to be made regarding the purchase and configuration of supporting administrative, physical, and technical controls. Capital investments may need to be budgeted. A project plan may need to be developed and resources assigned. Management and affected personnel need to be kept informed. Situations where implementation is not possible need to be managed, including a process for granting either temporary or permanent exceptions.

2. Post-implementation, compliance and policy effectiveness need to be monitored and reported. Mechanisms to monitor compliance range from application-generated metrics to manual audits, surveys, and interviews as well as violation and incident reports.

3. Unless there is an approved exception, policies must be enforced consistently and uniformly. The same is true of violation consequences. If a policy is enforced only for certain circumstances and people, or if enforcement depends on which supervisor or manager is in charge, eventually there will be adverse consequences. Once there is talk within an organization that different standards for enforcement exist, the organization is open to many cultural problems, the most severe of which involve discrimination lawsuits.

Policy Review

Change is inherent in every organization. Policies must support the guiding principles, organizational goals, and forward-facing initiatives. They must also be harmonized with regulatory requirements and contractual obligations. The two key tasks in the review phase are soliciting feedback and reauthorizing or retiring policies:

1. Continuing acceptance of information security policies hinges on making sure the policies keep up with significant changes in the organization or the technology infrastructure. Policies should be reviewed annually. Similar to the development phase, feedback should be solicited from internal and external sources.

2. Policies that are outdated should be refreshed. Policies that are no longer applicable should be retired. Both tasks are important to the overall perception of the importance and applicability of organizational directives. The outcome of the annual review should either be policy reauthorization or policy retirement. The final determination belongs with the Board of Directors or equivalent body.

Summary

In this chapter, we discussed the various roles policies play, and have played, in many forms of social structures—from entire cultures to corporations. You learned that policies are not new in the world. When its religious intent is laid aside, the Torah reads like any other secular code of law or policy. The people of that time were in desperate need of guidance in their everyday existence to bring order to their society. You learned that policies give us a way to address common foreseeable situations and guide us to make decisions when faced with them. Similar to the circumstances that brought forth the Torah 3,000 years ago, our country found itself in need of a definite structure to bring to life the ideals of our founders, and to make sure those ideals remained intact. The U.S. Constitution was written to fulfill that purpose and serves as an excellent example of a strong, flexible, and resilient policy document.

We applied our knowledge of historical policy to the present day, examining the role of corporate culture, specifically as it applies to information security policy. Be it societal, government, or corporate, policy codifies guiding principles, shapes behavior, provides guidance to those who are tasked with making present and future decisions, and serves as an implementation roadmap. Because not all organizations are motivated to do the right thing and because weaknesses in one organization can directly affect another, there are times when government intervention is required. We considered the role of government policy—specifically the influence of groundbreaking federal and state legislation related to the protection of NPPI in the public and private sectors.

The objective of an information security policy is to protect the organization, its employees, its customers, and also its vendors and partners from harm resulting from intentional or accidental damage, misuse, or disclosure of information, as well as to protect the integrity of the information and ensure the availability of information systems. We examined in depth the seven common characteristics of a successful information security policy as well as the policy lifecycle. The seven common characteristics are endorsed, relevant, realistic, attainable, adaptable, enforceable, and inclusive. The policy lifecycle spans four phases: develop, publish, adopt, and review. Policies need champions. Championing a policy means being willing to demonstrate visible leadership and to encourage and educate others with the objective of creating a culture of compliance, where participants not only recognize and understand the purpose of a policy, they also actively look for ways to promote it. The ultimate goal is normative integration, meaning that the policy and corresponding implementation is the expected behavior, all others being deviant.

Throughout the text, we build on these fundamental concepts. In Chapter 2, you will learn the discrete components of a policy and companion documents as well as the technique of plain writing.

Test Your Skills

Multiple Choice Questions

1. Policies define which of the following?

A. Rules

B. Expectations

C. Patterns of behavior

D. All of the above

2. Without policy, human beings would live in a state of _______.

A. chaos

B. bliss

C. harmony

D. laziness

3. A guiding principle is best described as which of the following?

A. A financial target

B. A fundamental philosophy or belief

C. A regulatory requirement

D. A person in charge

4. Which of the following best describes corporate culture?

A. Shared attitudes, values, and goals

B. Multiculturalism

C. A requirement to all act the same

D. A religion

5. Which of the following is a true statement?

A. Corporate culture is the same as policy.

B. Guiding principles set the tone for a corporate culture.

C. All corporate cultures are positive.

D. Guiding principles should be kept secret.

6. Which of the following best describes the role of policy?

A. To codify guiding principles

B. To shape behavior

C. To serve as a roadmap

D. All of the above

7. An information security policy is a directive that defines which of the following?

A. How employees should do their jobs

B. How to pass an annual audit

C. How an organization protects information assets and systems

D. How much security insurance a company should have

8. Which of the following is not an example of an information asset?

A. Customer financial records

B. Marketing plan

C. Patient medical history

D. Building graffiti

9. What are the seven characteristics of a successful policy?

A. Endorsed, relevant, realistic, cost-effective, adaptable, enforceable, inclusive

B. Endorsed, relevant, realistic, attainable, adaptable, enforceable, inclusive

C. Endorsed, relevant, realistic, technical, adaptable, enforceable, inclusive

D. Endorsed, relevant, realistic, legal, adaptable, enforceable, inclusive

10. A policy that has been endorsed has the support of which of the following?

A. Customers

B. Creditors

C. The union

D. Management

11. Who should always be exempt from policy requirements?

A. Employees

B. Executives

C. No one

D. Salespeople

12. “Attainable” means that the policy ___________.

A. can be successfully implemented

B. is expensive

C. only applies to suppliers

D. must be modified annually

13. Which of the following statements is always true?

A. Policies stifle innovation.

B. Policies make innovation more expensive.

C. Policies should be adaptable.

D. Effective policies never change.

14. If a policy is violated and there is no consequence, the policy is considered to be which of the following?

A. Meaningless

B. Inclusive

C. Legal

D. Expired

15. Who must approve the retirement of a policy?

A. A compliance officer

B. An auditor

C. Executive management or the Board of Directors

D. Legal counsel

16. Which of the following sectors is not considered part of the “critical infrastructure”?

A. Public health

B. Commerce

C. Banking

D. Chemical industry

17. Which term best describes government intervention with the purpose of causing a specific set of actions?

A. Deregulation

B. Politics

C. Regulation

D. Amendments

18. The objectives of GLBA and HIPAA, respectively, are to protect __________.

A. financial and medical records

B. financial and credit card records

C. medical and student records

D. judicial and medical records

19. Which of the following states was the first to enact consumer breach notification?

A. Kentucky

B. Colorado

C. Connecticut

D. California

20. In 2010, Massachusetts became the first state in the nation to require _________.

A. minimum standards for the protection of personally identifiable information of non-residents

B. minimum standards for the protection of personally identifiable information of Massachusetts residents

C. maximum standards for the protection of personally identifiable information of Massachusetts residents

D. consumer notification of a breach

21. Which of the following terms best describes the process of developing, publishing, adopting, and reviewing a policy?

A. Policy two-step

B. Policy aging

C. Policy retirement

D. Policy lifecycle

22. Who should be involved in the process of developing policies?

A. Only upper-management-level executives

B. Only part-time employees

C. Personnel throughout the company

D. Only outside, third-party consultants

23. Which of the following does not happen in the policy development phase?

A. Planning

B. Enforcement

C. Authorization

D. Approval

24. Which of the following occurs in the policy publication phase?

A. Communication

B. Policy dissemination

C. Education

D. All of the above

25. Normative integration is the goal of the adoption phase. This means ________.

A. There are no exceptions to the policy.

B. The policy passes the stress test.

C. The policy becomes expected behavior, all others being deviant.

D. The policy costs little to implement.

26. How often should policies be reviewed?

A. Never

B. Only when there is a significant change

C. Annually

D. At least annually or sooner if there is a significant change

27. Which of the following phrases best describes the concept of “championing a policy”?

A. A willingness to lead by example, encourage, and educate

B. Winning a compliance award

C. Voting to authorize a policy

D. None of the above

28. Which of the following phrases best describes the philosophy of “honoring the public trust”?

A. Being respectful of law enforcement

B. Contributing to political campaigns

C. Being a careful steward of information in your care

D. Visiting government monuments

29. Who should authorize policies?

A. Directors or executive management

B. Operational managers

C. Employees

D. Legal counsel

30. Which of the following statements is not an objective of information security?

A. To protect information and information systems from intentional misuse

B. To protect information and information systems from compromise

C. To protect information and information systems from destruction

D. To protect information and information systems from authorized users

Exercises

Exercise 1.1: Understanding Guiding Principles

1. Reread the sidebar titled “FYI: Guiding Principles and Practices” in this chapter.

2. Choose one of the listed guiding principles at Toyota and describe how a car company could achieve that objective.

Exercise 1.2: Identifying Corporate Culture

1. Identify a shared attitude, value, goal, or practice that characterizes the culture of your school or workplace.

2. Describe how you first became aware of the campus or workplace culture.

Exercise 1.3: Understanding the Impact of Policy

1. Either at school or workplace, identify a policy that in some way affects you. For example, examine a grading policy or an attendance policy.

2. Describe how the policy benefits (or hurts) you.

3. Describe how the policy is enforced.

Exercise 1.4: Understanding Critical Infrastructure

1. Reread the “FYI: National Security” sidebar presented at the beginning of this chapter.

2. Explain what is meant by “critical infrastructure.”

3. What concept was introduced in Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (2013) and why is this important?

Exercise 1.5: Understanding Cyber Threats

1. What is the difference between cybercrime, cyber-espionage, and cyber-warfare?

2. What are the similarities?

3. Are cyber threats escalating or diminishing?

Projects

Project 1.1: Honoring the Public Trust

1. Banks and credit unions are entrusted with personal financial information. By visiting financial institution websites, find an example of a policy or practice that relates to protecting customer information or privacy.

2. Hospitals are entrusted with personal health information. By visiting hospital websites, find an example of a policy or practice that relates to protecting patient information or privacy.

3. In what ways are the policies or practices of banks similar to those of hospitals? How are they different?

4. Do either the bank policies or the hospital policies reference applicable regulatory requirements (for example, GLBA or HIPAA)?

Project 1.2: Understanding Government Policy

The passage of the Affordable Care Act requires all U.S. citizens and lawful residents to have health insurance or pay a penalty. This requirement is a government policy.

1. The hallmark of a good policy is that it is endorsed, relevant, realistic, attainable, adaptable, enforceable, and inclusive. Choose four of these characteristics and apply them to the health insurance requirement. Explain whether or not the policy meets each criterion.

2. Policies must be championed. Find an example of a person or group who championed this requirement. Explain how they communicated their support.

Project 1.3: Developing Communication and Training Skills

You have been tasked with introducing a new security policy to your campus. The new policy requires that all students and employees wear identification badges with their name and picture and that guests be given visitor badges.

1. Explain why an institution would adopt this type of policy.

2. Develop a strategy to communicate this policy campus-wide.

3. Design a five-minute training session introducing the new policy. Your session must include participant contribution and a five-question, post-session quiz to determine if the training was effective.

References

1. “What Is Critical Infrastructure?” official website of the Department of Homeland Security, accessed 05/06/2013, http://www.dhs.gov/what-critical-infrastructure.

2. “Guiding Principles at Toyota,” official website of Toyota, accessed 05/10/2013, http://www.toyota-global.com/company/vision_philosophy/guiding_principles.html.

3. “Bangladesh building collapse death toll over 800,” BBC News Asia, accessed 05/08/2013, http://www.bbc.co.uk/news/world-asia-22450419.

4. “Cyber,” Merriam-Webster Online, accessed 05/09/2013, http://www.merriam-webster.com/dictionary/cyber.

5. “Gramm-Leach-Bliley Act,” Federal Trade Commission, Bureau of Consumer Protection Business Center, accessed 05/08/2013, http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act.

Regulations and Directives Cited

“Presidential Policy Directive—Critical Infrastructure Security and Resilience,” official website of the White House, accessed 05/06/2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

“Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection,” official website of the Department of Homeland Security, accessed 05/06/2013, http://www.dhs.gov/homeland-security-presidential-directive-7#1.

“16 CFR Part 314 Standards for Safeguarding Customer Information: Final Rule,” Federal Register, accessed 05/06/2013, http://ithandbook.ffiec.gov/media/resources/3337/joisafeguard_customer_info_final_rule.pdf.

“The Security Rule (HIPAA),” official website of the Department of Health and Human Services, accessed 05/06/2013, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.

“State of California SB 1386: California Security Breach Information Act, CIVIL CODE SECTION 1798.80-1798.84,” official California legislative information, accessed 05/06/2013, http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84.

“201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH,” official website of the Office of Consumer Affairs & Business Regulation (OCABR), accessed 05/06/2013, http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

“Family Educational Rights and Privacy Act (FERPA),” official website of the U.S. Department of Education, accessed 05/10/2013, http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

Other References

Guel, Michele. “A Short Primer for Developing Security Policies,” SANS Institute, accessed 05/02/2012, http://www.sans.org/securityresources/policies/Policy_Primer.pdf.

Krause, Micki, CISSP, and Harold F. Tipton, CISSP. Information Security Management Handbook, Fifth Edition. Boca Raton, Florida: CRC Press, Auerbach Publications, 2004.
