
What is the importance of "policy" with respect to information security program management

1. What is the importance of "policy" with respect to information security program management? What is the role of policy enforcement? What are the possible effects of a lack of policy enforcement? Research and provide details of a recent security incident that may have resulted from a lack of policy or policy enforcement. Be sure to state the possible policy violation. What happens when technology moves faster than policy? Have you experienced this firsthand?

2. TOPIC: The FISMA Legislation - Title III Information Security

Answer the following questions regarding Annual Independent Evaluations:
Each evaluation must include what three components? Describe the three components and explain why each component is required. Who is authorized to complete an independent evaluation? List who is authorized to complete an evaluation and describe the circumstances in which each individual would perform the evaluation. Describe how and why national security systems are treated differently during an evaluation.

3. Read the May 2011 proposed cyber legislation during week 1. Answer the following questions:

If the legislation had been approved, how do you think this proposed legislation would impact the current security program of the organization you selected for this course? Which parts of the proposal will have the biggest impact? Why?
Provide three (3) recommendations to your selected organization's leadership to ensure the spirit and intent of the proposal is followed. Describe why you would make these recommendations.

4. DoD 8570 creates standards whereby IA Workforce personnel, at all levels and functions, obtain a uniform level of competency with regard to DoD information and networks. Focusing on the selected organization for your learning portfolio, what are some advantages and disadvantages of implementing a similar directive for your organization? If the organization you selected is already in scope for DoD 8570, please provide information regarding the challenges faced so far.

Of the categories outlined in Table AP3.T1 (Initial Training, Certification, OJT Evaluation, CE Certification, Maintain Certification Status, Continuous Education or Sustainment Training, Background Investigation, Sign Privileged Access Statement, and Experience), identify the top 3 you would consider most important for your organization and explain why.

5. To answer this question:

Read the Payment Card Industry (PCI) Data Security Standard (DSS). Visit the debit/credit protection policy on your bank's or credit union's website. (If you cannot find the required information on your own bank's website, you can use Bank of America or Navy Federal Credit Union; they both have plenty of information.)

Read the PCI DSS material while assessing/describing your bank's policy.

Answer the following questions:

How does the bank/credit union card policy comply with the standard? How does the bank/credit union card policy not comply with the standard? What recommendations would you make to close the gaps between the standard and the policy? Should the government force banks/credit unions to comply with all aspects of the standard? Why or why not?

6. One of the toughest challenges for business leaders is that cyber security professionals often "talk in a different language". Some professionals refer to concepts in technical terms (e.g. intrusion prevention, firewalls, malware), while others speak in "auditspeak" (e.g. control regime, risk, business impact analysis). While business leaders easily understand audit/business concepts, they have a much harder time with technical references. What can cyber security professionals do to help business leaders understand the true risk of security threats? Give specific examples of what you would do to communicate more effectively with business leaders (especially C?O's).

7. Answer the following: Do NIST policies/standards help or hinder organizations? Why or why not? Are NIST policies/standards easy to use and understand? Why or why not? Should the NIST policies/standards apply to commercial organizations not involved in government contracting? Why or why not?

8. The system development life cycle puts a lot of emphasis on working with the user to get all their objectives and functional requirements.

Research and find one scholarly article that discusses user interaction with system developers.

Summarize the article.

Include a link to the article and/or upload the article to your response. List and describe 3 pros and 3 cons of working so closely with the user.

9. Answer the following:

Is the organization you selected for the learning portfolio FIPS 200 compliant? Why or why not? From a FIPS 200 perspective, what are the weakest areas of the cyber security policy associated with the organization you selected? Discuss at least two weak areas and describe why.

10. If you were the Federal CIO what would you do about organizations that are not FIPS 200 compliant? Why? An enterprise risk management framework should include both program risk and institutional risk.

Define program risk. Define institutional risk.

Describe how your selected organization incorporates program risk and institutional risk in its security program. Offer examples of both types of risk.

11. This is a scenario based discussion.

Assume you are a technical advisor for the Chief Information Officer (CIO) of your organization. The CIO sends you an email communicating that she wants to be briefed on "OMB M-11-11" because the administrator has just added it to the list of priorities for the organization. She has limited knowledge of the policy and needs to know how it will affect the organization, and what we have already accomplished towards meeting the requirements within the policy.

12. The damaging scandals of Wikileaks/Bradley Manning and Edward Snowden demonstrate a series of critical failures of existing security policy.

For both scandals describe the policy failures that you believe were responsible for the incidents. Describe what policy changes you would implement to mitigate future risks.

13. Answer the following questions:

What obligations do non-IT executives and managers have concerning cyber security? Should the obligations you discussed in the previous question include criminal charges when executives and managers fail to comply with cyber security policies and standards? Why or why not?

14. Answer the following question:

Why is cyber security no longer only a technical issue? Provide three examples with sources to support your response.

Management Theories, Management Studies

  • Category:- Management Theories
  • Reference No.:- M91327831
  • Price:- $82
