Evaluating Cybersecurity Policies Objective:

Analyze the range of organizational policies (the policy framework) that are needed to effectively manage cybersecurity risks.

Competency: Problem solving

In 8-10 double-spaced pages, evaluates the cybersecurity policy of their or another organization in terms of completeness, compliance, organization and organization related interests, and other aspects, such as how to prevent its failure. Discuss how the policy addresses the cybersecurity issues discussed in the vulnerability identification & exploitation materials presented in the Erickson and Weidman texts.

Select an organization you admire (public sector, private sector, professional association, limited liability corporation, entrepreneurial, other) and solicit its cybersecurity policy. Such document(s) may be available as a link on its homepage, part of the organization's policies and procedures (P&P) manual, the subject or reference used in an academic or trade journal case study in information systems, or any other source-human or Internet. The cybersecurity policy may not necessarily reside as a single document and thus you may find it necessary to synthesize elements to have a resource that reasonably articulates the organization's cybersecurity policy.

Take special note that there is a minimum of three critical aspects to this assignment. One, as emphasized above, is to identify an organization whose cybersecurity policy is available. Federal civil sector organizations may be candidates. A company where you are currently or would like to be employed may be a candidate. Also consider an organization that routinely deals in information gathering and dissemination for the public good, such as a library using content filtering software to curtail questionable Internet browsing by its visitors. Start your search for a suitable organization early and anticipate that you may have to browse several before finding one suitable for this assignment.

A second critical aspect is to identify evaluation criteria or performance measures for the cybersecurity policy. Refer to applicable government, industry, and regulatory standards. In some cases, you may need to consider criminal or civil liability issues, and thus evaluation criteria may emanate from the judicial guidance.

A third critical aspect is application of your evaluation criteria to elements of the cybersecurity policy identified for analysis. Such analysis is likely to be qualitative for some aspects; quantitative for other aspects; and a hybrid for still other aspects of the policy. As such, your choice of measures and analytical techniques must be reasonable and justifiable.

Based on your accumulated reading and knowledge,

1. Evaluate the strengths and weaknesses of the organization's cybersecurity policy along attributes to include the following:

• completeness/thoroughness,
• compliance with recognized industry, government, and regulatory standards,
• the organization's product/service and customers/clients/citizenry, and
• system failure prevention and mitigation aspects.

2. Recommend specific changes to the cybersecurity policy

The assignment is due at the end of Week 6.

Prepare your paper in either Word or PDF format as your instructor requires. It should be double-spaced with one-inch margins all around. The citations and the reference list in the paper should be formatted in accordance with APA 6th edition guidelines. References are NOT included in the page count.