Explain the purpose of a range of common organisational IT policies
Assessment report
This report will be longer than one page because of all the policies you have to cover.
2-3 sentences, summarising each policy will suffice.
Must include:
Copy and paste this list into a Word document.
There are 14 to create.
user policies:
acceptable usage policy (AUP)
bring your own device policy
access control policy
Do this Learning Outcome before explaining the policy:
Unit 04: 1.6 - Control Access Protocols
mobile device and teleworking policy
password policy
secure development policy
maintenance policies:
backup policy
Do these Learning Outcomes first before explaining:
Unit 3: 2.2 - Backing up
Unit 3: 2.3 - Backup approaches
Unit 3: 2.4 - Backup considerations
disposal and destruction policy
information classification scheme policy
IT change management policy
security policies:
information security incident management policy
information security policy
Do these Learning Outcomes before explaining the policy:
Unit 4: 1.4 Information Security (principles)
Unit 4: 1.5 Managing Information Security
information transfer policy
IT security policy
The following questions will hopefully get you started on what to type for each policy. Google things you don't know and put yourself in the shoes of someone who is responsible for this job.
A reminder, do not use bullet points. Create complete paragraphs. 2 to 3 sentences per policy (x 14). If you can describe each policy, then please go ahead and do that. If you're not sure what to 'write', use the rhetorical questions to get you started.
acceptable usage policy (AUP)
Could you look at Facebook in a workplace? Most offices allow some personal time. What could you do with a company laptop? Who can you share your password with, if anyone?
bring your own device policy
Can you use the company's WiFi as a learner? Yes is the answer, but should you be doing personal stuff all day when you're meant to be learning and writing reports? Can you make personal calls with your device? Common sense would say "tell or ask the tutor, then maybe move to another room". What documents could you print from your device? Personal gaming cheat sheets or questions & answers for a job interview?
access control policy
When you login as a learner, do you have access to everything the CEO does? Can everyone in the company print to the printer? Do you have your own space to save your work in OneDrive or is it shared with others? Who has access to the company's financial information, just the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) or anyone who's just started at the company?
mobile device and teleworking policy
If the office shut down because of weather (e.g. a snow day) and everyone had to work from home, and you have access to a phone, what should you do with your work device? If you are allowed to work from home on certain days, what do you think the rule should be? If you're on a trip to London on the train, again, what do you think the policy is on working remotely? Carry on with whatever you are supposed to be doing, regardless of where you are.
password policy
Who should know your password (no one)?
How many characters minimum should it be and should there be any special (£%^) characters or numbers?
How often should you change your password?
secure development policy
If you're Microsoft and you're working on the next release of Windows 11 or 12, how secure should the code be so that people can't copy it and make their own versions? If others are reviewing the program code, should that also be in a secure environment?
backup policy
What should you back up? How often and where?
Three Copies:
Imagine you have a super-secret document (maybe it's your superhero plan). The first rule is to have three copies of it. That means you keep the original on your computer and make two more copies, just in case something bad happens to one of them.
Two Different Media:
Now, let's think of different places to keep these copies. It's not a good idea to keep all of them in one place, like in your room. So, the second rule is to save your copies on two different types of storage. For example, you could have one on your computer's hard drive and another on an external hard drive or a USB stick.
One Offsite Copy:
Finally, the third rule is to keep one copy somewhere far away from the others. Think of it like a secret hideout for your superhero plan. If something really bad happens, like a fire or a computer-eating monster (okay, maybe not a monster, but you get the idea), you still have a copy safe and sound somewhere else, like in the cloud (online storage) or maybe at a friend's house.
Refer to Unit 03 - Learning Outcome 2 for details on this:
2.2 Explain the benefits of backing up data
2.3 Explain the differences between a range of backup approaches
2.4 Explain considerations to make when backing up data
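The three rules above (three copies, two different media, one offsite copy) can be checked mechanically against an inventory of where a document's copies live. This is an added example written for this brief, not code from the course; the two inventories are constructed.

```python
"""Check a backup inventory against the three rules: three copies,
two different kinds of media, and at least one copy kept offsite."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    location: str   # constructed label for where the copy is kept
    media: str      # kind of storage, e.g. "internal-hdd", "usb", "cloud"
    offsite: bool   # True if stored away from the original's site


def check_rules(copies):
    """Return {rule: (passed, explanation)} for each of the three rules."""
    media_kinds = {c.media for c in copies}
    offsite = [c for c in copies if c.offsite]
    return {
        "three_copies": (len(copies) >= 3, f"{len(copies)} copies (need 3)"),
        "two_media": (len(media_kinds) >= 2,
                      f"media kinds: {sorted(media_kinds)} (need 2)"),
        "one_offsite": (len(offsite) >= 1,
                        f"{len(offsite)} offsite copies (need 1)"),
    }


def is_compliant(copies):
    """True only when every rule passes."""
    return all(ok for ok, _ in check_rules(copies).values())


# Constructed inventories for the "superhero plan" document.
WEAK = [   # original plus a USB stick in the same desk: no third copy, nothing offsite
    BackupCopy("laptop", "internal-hdd", False),
    BackupCopy("usb stick in desk drawer", "usb", False),
]
GOOD = [   # original, external drive, and a cloud copy far from the office
    BackupCopy("laptop", "internal-hdd", False),
    BackupCopy("external drive at desk", "external-hdd", False),
    BackupCopy("cloud storage", "cloud", True),
]

if __name__ == "__main__":
    for name, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, "compliant" if is_compliant(inventory) else "NOT compliant")
        for rule, (ok, why) in check_rules(inventory).items():
            print(f"  {rule}: {'ok' if ok else 'FAIL'} - {why}")
```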
disposal and destruction policy
When should you destroy a hard drive or computer? How would you suggest disposing of it? Is it enough to format the hard drive or do you have to physically destroy it? Should someone else watch you do it and should anyone be able to do that job?
information classification scheme policy
How would you organise information in a company, from secret, private, semi-private (to certain employees) to public information? Give examples at each stage. Where would the information get saved? Think about the access control policy above.
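The classification scheme and the access control policy above fit together: each document carries a level, each role has a clearance, and a reader must have clearance for the level (no reading above your clearance) and, for semi-private material, be in the named group. This is an added example written for this brief, not course code; the roles, levels, storage locations and documents are constructed from the brief's own examples.

```python
"""Decide who may read a document from its classification and the
reader's role, and say where each classification level is stored."""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["public", "semi-private", "private", "secret"]   # least to most restricted
RANK = {level: i for i, level in enumerate(LEVELS)}

# Clearance per role (constructed): someone who has just started sees only public material.
CLEARANCE = {"new-starter": "public", "learner": "public", "tutor": "semi-private",
             "hr": "private", "cfo": "secret", "ceo": "secret"}

# Where each level is saved (constructed answer to "where would it get saved?").
STORAGE = {"public": "course website", "semi-private": "staff OneDrive",
           "private": "HR system", "secret": "finance share (encrypted)"}


@dataclass
class Document:
    name: str
    level: str
    group: Optional[str] = None   # need-to-know group for semi-private material


@dataclass
class Person:
    role: str
    groups: set = field(default_factory=set)


def may_read(person, doc):
    """Allow only if the role's clearance covers the document's level
    (no read up) and, where the document is limited to a group, the
    person belongs to that group (even the CEO needs to be in it)."""
    if RANK[CLEARANCE[person.role]] < RANK[doc.level]:
        return False
    if doc.group is not None and doc.group not in person.groups:
        return False
    return True


def storage_for(doc):
    return STORAGE[doc.level]


# Constructed documents drawn from the brief's examples.
ACCOUNTS = Document("annual accounts", "secret")
PHONES = Document("learner phone numbers", "private")
ROTA = Document("IT department rota", "semi-private", group="it")
COURSE = Document("course material", "public")

if __name__ == "__main__":
    for p in (Person("ceo"), Person("tutor", {"it"}), Person("tutor"), Person("new-starter")):
        print(p.role, [d.name for d in (ACCOUNTS, PHONES, ROTA, COURSE) if may_read(p, d)])
```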
IT change management policy
When someone wants to make a change, do you think there should be a process, or can anyone make a change to a system without informing others? Would someone, given the right permissions or controls, have to document the changes, or do you hope that everyone figures out what the changes are? Do you think approvals are required from bosses further up? What about testing the changes? How would you go about putting the new changes into place? Immediately, a phased approach, or having two systems running at the same time to ease people into it? What about monitoring the changes?
information security incident management policy
Who identifies or analyses security incidents (hacking, breaches, etc.)? Does anyone have to report on the incidents, or do you hope that everyone figures it out? Think about a process (like problem solving): there is an initial assessment, containing the problem (if a hack has happened), getting rid of the problem, and recovering lost data (from a backup). Is there any investigation, communication and/or documentation?
information security policy
1. What are the computer systems (Microsoft Teams or Gmail or an HR system that tracks the number of Annual Leave days you have left), data or processes that this policy applies to? A computer system could be the nightly process that pays people into their bank accounts.
2. Who has access to these computer systems? Think back to the policy on Acceptable Usage that you created. 3. Think about Data Classification (private, like your email and phone number, and public, like the course material) in a previous policy. 4. What about network security (hackers, angry employees, etc.)?
There are your 4 sentences.
information transfer policy
1. Start off with how you classify information (previous policy: secret, private, public). 2. Do you encrypt certain information? 3. How do you securely transfer files? Secure FTP, HTTPS, TLS, etc. Make sure if you pick one of them you describe in one sentence what it means.
4. Think about network security (firewalls, virus protection). 5. What about logins (authentication) and controls (authorisation)? Who should monitor the network and how often (real-time or one day a week)?
IT security policy
Most of this was mentioned before:
1. Who has access to the company's data and to what level: President/CEO, staff like your tutors, learners, anyone who walks in?
2. Network security? Firewall, encrypted emails, logins, password, etc.
3. Patches to Windows operating systems - these are updates to software to make them more secure.
4. Encryption (A = 1, B = 2, C = 3: CAB = 312)
5. How fast do you respond to an incident? Immediately, 1 hour, 3 weeks, never?
6. Do you log any of the information? Of course you do! Where might you save the document and who would you let know?
Whitehead Ross - Acceptable Use Policy