Requirements

MEMORANDUM

To: IT Security Team

From: Director, Human Resources & Training

Subject: Action Plan & Checklist for Submitting Your Work

Action Plan

Your group has been asked to critique the policy that currently governs C-Bay’s security protocols. As you can see from the document sent to you, the policy does not cover all of C-Bay’s current concerns. However, you are not being asked to rewrite the policy, only to discuss its major flaws (omissions, inconsistencies, impossibilities, etc.) and prepare a presentation for the IT Director.

    1. Review the e-mail and the documents sent by the IT Director. Use them to identify C-Bay’s security needs:
    2. What are the key assets the policy needs to protect? What are C-Bay’s pressing business needs? What could go wrong?
    3. To identify the most important priorities, consider which of C-Bay’s assets are most important—what can the business not function without? In general, customer service and business issues are the most important areas to protect. Software bugs are often prioritized in the following way:

Priority 1: A required function that is missing or not functioning. The existence of this issue has the potential of stopping business.

Priority 2: Any function that should work but doesn't. The absence of this function may generate an error or the wrong results.

Priority 3: A feature or function that works but only in an awkward way. To make this feature work, the user needs to go through extra steps that would be unnecessary if the bug did not exist.

Priority 4: A feature or function that works but can be slightly improved if done differently. Example: A misspelled text label or a clash in screen colors.

Considering future plans, what areas will need to be addressed? The evolution of the policy document may offer clues regarding gaps, e.g., it was designed when there was only one branch and five employees. Now there are three branches and over 50 employees.

What areas, if any, reflect bad security practice?

    1. After you have outlined C-Bay’s security problems and gaps, prioritize the issues so that you can ensure your team addresses the most important ones first.
    2. Review other security policies online. (The Resources section provides some links to get you started.)
    3. What are some general considerations about security and about security policies that are being neglected? How should a policy be organized and formatted so that it’s easy to read? (Record or bookmark any resources that you found particularly helpful - you may need them later, and you may also need them to justify your decisions to the IT Director.)
        • A good policy explains the reasons for its existence. That is, it should include the purpose of the policy and of the subsections. These provide high-level guidelines for the employees who read the policy and also a framework for future revisions.
        • A good policy is both reactive and proactive: It attends to problems that have occurred and it anticipates potential problems and potential developments (e.g., acquisitions, etc.).
        • The policy should identify who is responsible for different areas of security: being specific in terms of employees and functions helps with the management of any problems that occur.
        • A good policy balances security and productivity. Over-complicated guidelines are likely to be ignored or circumvented.
        • Remember that a policy is a guideline for employees and can be used by Human Resources to take action against any employees who fail in their duties.
    4. Create a list of recommended changes that your team feels would benefit the security policy. In addition, identify any problems you are unable to solve at this time due to time constraints and priorities. (This will help you during the discussion of your presentation in case you are asked about areas you have missed.)
    5. Review your list of recommendations and consider the two additional directions that the IT Director has left for you:
        • What areas of the new policy may generate push-back from the business and legal sides of the company? How much should the IT department be willing to give to keep an optimal balance of security and other needs?
        • What areas of the new policy are most urgent in terms of implementation? (Keep in mind both general security needs and the specific problems C-Bay has been experiencing of late.)
        • Also keep in mind the scalability of the policy: as the business expands, will these recommendations successfully address the company's future business and security needs?
    6. Prepare the presentation for the IT Director using PowerPoint. Decide which team member will present each section and rehearse your presentation together. Ideally, all team members will participate in the presentation. Check the Orientation section of this site for additional training on effective professional presentations.

Checklist for Submitting Your Work

Before your presentation to the IT Director, check that you’ve attended to the following areas of the task:

    • Have you identified C-Bay’s key assets and assessed the potential risks posed against them?
    • Have you attended to the problems C-Bay has been having, as identified in the meeting notes?
    • Have you considered the impact of C-Bay’s expansion plans on the security policy?
    • Have you prioritized the issues C-Bay is facing?
    • Have you identified the purpose of the policy and the subsections of the policy? Do your recommendations fit into those purposes?
    • Have you identified parties/colleagues responsible for addressing problems and abuses?
    • Have you selected the problems you are resolving? Have you clearly identified the problems that you cannot solve or cannot attend to in this presentation?
    • Are your suggested additions viable and cost-effective? That is, do they effectively balance security and productivity?
    • Do your suggested additions create any inconsistencies among different sections of the policy?
    • Have you considered the organization and readability of the policy?
    • Have you identified areas where the business and legal teams may push back against your recommendations? Have you prepared for their objections?
    • Have you selected the top three priorities for implementing the policy?
    • Have you decided how your team will present the PowerPoint?
    • Have you reviewed presentation standards – and met them?

When you're ready, you need to submit the following:

PowerPoint presentation critiquing C-Bay's Security Policy