Application: Creating a Security Policy

You have just purchased a used car at a fantastic price. You are so excited that you decide to take an extended drive. Unfortunately, you experience a flat tire and discover that you do not have a spare. Now, your vehicle is disabled because you are missing a critical component. You are in a potentially bad situation.

One aspect of security policies that is often neglected is what assets staff members are permitted to use and how they may use those assets. Failure to address staff members in security policies might weaken an organization's legal position. An incomplete security policy, like a missing spare tire, may not be realized until an incident has occurred. Consequently, the organization could find itself in a potentially bad situation.

***

The U.S. Army has hired your firm, Token Tiger Consulting (TTC), to provide IT services to one of their new civilian contractors. Although the exact nature of this contractor is not known to TTC, the Army has indicated that this contractor will be gathering and storing "sensitive" data, and communicating with the Army via the Internet and communications security (COMSEC) equipment. Furthermore, some contractor staff travel often and are required to use their own personal devices for work. 

The Colonel that hired TTC has asked you to begin drafting a security policy for the contractor. You decide to begin with the separation of duties (SoD), staff legal obligations (e.g., bring your own device [BYOD], social media, and acceptable use), and the COMSEC equipment.

For this Assignment, write a 4- to 5-page security policy that:

• Specifies SoD requirements for contractor staff who handle sensitive data
• Addresses the legal obligations that pertain to contractor staff
• Specifies  procedures for COMSEC equipment 

Required ResourcesReadings

• Coleman, K. (2008). Separation of duties and IT security. Retrieved fromhttp://www.csoonline.com/article/446017/separation-of-duties-and-it-security
  This article details separation of duties (SoD) as a key concept of internal controls, and describes strategies for successful achievement.
• Gregg, J., Nam, M., Northcutt, S., & Pokladnik, M. (2012). Separation of duties in information technology. Retrieved from http://www.sans.edu/research/security-laboratory/article/it-separation-duties
  This article discusses the necessity for classic security methods to manage conflict of interest, the appearance of conflict of interest, and fraud.
• Goodwin, J. (2011). Mobile devices spawn new B.Y.O.D. security policies. Retrieved fromhttp://www.gsnmagazine.com/node/25348
  This article discusses the growing interest in B.Y.O.D. (Bring Your Own Device) and a variety of technical issues related to the security of the devices within the IT network system.
• Kim, K. (n.d.). Organizational level (O-Level) production divisions fundamentals. Retrieved fromhttp://www.google.com/url?q=http://www.amdo.org/114_production.doc&sa=U&ei=bD_8T_rUCoKi9QTY9MzTBg&ved=0CC0QFjAJOFA&usg=AFQjCNElFh2fbLq6wt-jEt7ST-sN_rRE1g
  • Section .6, "Discuss the Security/Accountability Procedures for COMSEC Equipment [Ref. E]" (pp. 6-7)
    This section describes procedures for COMSEC equipment.
• Simek, J. W., & Nelson, S. D. (2012). Essential law firm technologies and plans. Law Practice, 38(2). Retrieved fromhttp://www.americanbar.org/publications/law_practice_magazine/2012/march_april/hot-buttons.html