Must be 100 words minimum each
1) Module 4 Security Policy Content
A key point to consider is to develop a security policy that is flexible and adaptable as technology changes. Additionally, a security policy should be a living document routinely updated as new technology and procedures are established to support the mission of the organization. The components of a security policy will change by organization based on size, services offered, technology, and available revenue. Here are some of the typical elements included in a security policy.
Security Definition – All security policies should include a well-defined security vision for the organization. The security vision should be clear and concise and convey to the readers the intent of the policy.
Enforcement – This section should clearly identify how the policy will be enforced and how security breaches and/or misconduct will be handled.
User Access to Computer Resources – This section should identify the roles and responsibilities of users accessing resources on the organization’s network.
Security Profiles – A good security policy should also include information that identifies how security profiles will be applied uniformly across common devices (e.g., servers, workstations, routers, switches, firewalls, proxy servers, etc.). The policy should reference applicable standards and procedures for locking down devices. Those standards may include security checklists to follow when adding and/or reconfiguring devices.
Behavior and Acceptable Use Policies – Stipulate what type of behavior is expected of employees and your management team, and what forms and documents need to be read, reviewed, filled out, and followed. Employees should be required to read and sign the acceptable use policy so that management has the option to take disciplinary action in the event that the policy is violated.
2) Module 4 Policy Implementation
The absolute top priority in implementing a workable security policy is the active support of both senior management and of colleagues from the top to the bottom of your organization. Without this in place you will almost certainly fail to achieve your goal. A broad and deep security policy may well run to a few hundred pages. Further, its very content represents a security risk in its own right; if you wanted to attack organization ‘X’, what better start could you have than obtaining a copy of their security policy? Finally, few of your colleagues will be required or expected to read the whole thing. The response to all these points is to break your policy up, not only into sections of manageable size, but also into sections that allow you to easily manage its distribution to different groups of colleagues. So start with a look at your organization structure chart, understand the staff group structure, and then design your policy sections to get the required information, all the required information and nothing but the required information to each specific staff group (i.e. All Staff, Directors, Senior Managers, Technical Staff, Non-Technical Staff, Auditors (internal and external), etc.).
When you are finally ready to implement your policy, set a realistic date. Don’t be rushed or bullied into going too early, but when you do set a date, make sure you stick to it. A delayed implementation date will immediately give the impression that the policy is not ready and thereby devalue it from the outset. You will also need to decide whether you do a rolling implementation, perhaps country by country or office by office, or even down to a departmental level. This very much rests on the size and complexity of your organization’s operations. This should be reflected at implementation, clearly sending the message that security is here for everyone at every office and in all locations.
3) Discussion Question Security Education
Security policies are only as good as an employee’s understanding and ability to effectively carry out those policies.
Choose and describe at least two methods that could be used to ensure that employees receive proper security training and awareness of the organization’s policies. Justify your response.
4) Discussion Question Security Education Train
Choose and describe at least two methods that could be used to ensure that employees receive proper security training and awareness of the organization’s policies. Justify your response.
Employee behavior that endangers the security of the organization’s information can be modified through security and awareness training.
Train employees periodically on organizational policies.
A security newsletter is the most cost-effective method of disseminating security information and news to employees.
Separate information security functions into four areas, including nontechnical business functions, IT functions, information security customer service functions and information security compliance enforcement functions.
According to Module 4, the key elements of a good security policy are:
Clear Communication, Brief and Clear information, Define Scope and Applicability, Enforceable by Law, Recognize areas of responsibilities and Sufficient Guidance.
5) Discussion Question Security Education Employee Security Training
A well-developed security training program should change behavior, as you stated, to align with organizational policies. Annual training and newsletters are two good methods of increasing employee knowledge and awareness. I have seen both of these methods used in the past. They are effective if training is emphasized by senior management and tracked by a dedicated training manager. After a security incident occurs, it is important to get the lessons learned out to the employees. Using stronger passwords, being aware of phishing attempts and securing facilities at the end of the day are all good topics to emphasize throughout the year. The four areas you identified are a good foundation for designing a security training program.
6) Discussion Question Security Specific
System Specific Security Policies (SSSP) provide users with direction on how to configure and maintain a system.
Choose an SSSP and describe what security information and steps should be included.
7) Discussion Question Security Specific System Specific Security Policies
Choose an SSSP and describe what security information and steps should be included.
System-Specific Security Policies frequently do not look like other types of policy; they may function as standards or procedures to be used when configuring or maintaining a system. They can be separated into management guidance and technical specifications, or combined in a single policy.
General methods of implementing technical controls are access control lists and configuration rules.
Access controls include user access lists and matrices, and govern rights and privileges. Similar methods specify which subjects and objects users or groups can access.
Access control lists enable administrators to restrict access according to user, computer, time, duration or particular file.
Access control lists regulate:
who can use the system
what authorized users can access
when authorized users can access the system, files, printers, communications and applications
Administrators set user privileges for reading, writing, creating, modifying, deleting, comparing or copying.
Configuration rules are specific configuration codes entered into security systems to guide the execution of the system when information is passing through it.
Rule policies are more specific to system operation than ACLs and may or may not deal with users directly.
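The who / what / when / privilege model of an access control list described in the answer above can be sketched as a default-deny check. This is an added example, not part of the original post; the group names, the `hr-share` object and the time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AclEntry:
    subject: str        # user or group the entry applies to (who)
    obj: str            # file, printer or application being protected (what)
    rights: frozenset   # privileges granted, e.g. {"read", "write"}
    start: time         # access window opens (when)
    end: time           # access window closes; earlier than start = overnight

def in_window(entry, now):
    """True if `now` falls inside the entry's time window."""
    if entry.start <= entry.end:
        return entry.start <= now < entry.end
    # Overnight window such as 22:00-04:00 wraps past midnight.
    return now >= entry.start or now < entry.end

def is_allowed(acl, subjects, obj, right, now):
    """Default deny: allow only if an entry matches subject, object, right and time."""
    return any(
        e.subject in subjects and e.obj == obj
        and right in e.rights and in_window(e, now)
        for e in acl
    )

# Constructed sample ACL for one hypothetical file share.
ACL = [
    AclEntry("staff", "hr-share", frozenset({"read"}), time(8, 0), time(18, 0)),
    AclEntry("hr-admins", "hr-share",
             frozenset({"read", "write", "delete"}), time(8, 0), time(18, 0)),
    AclEntry("backup-ops", "hr-share",
             frozenset({"read", "copy"}), time(22, 0), time(4, 0)),
]

if __name__ == "__main__":
    checks = [
        ({"staff"}, "read", time(9, 30)),        # allowed: in hours, right granted
        ({"staff"}, "write", time(9, 30)),       # denied: right not granted
        ({"staff"}, "read", time(19, 0)),        # denied: outside window
        ({"backup-ops"}, "copy", time(2, 0)),    # allowed: overnight window
    ]
    for subjects, right, now in checks:
        verdict = "ALLOW" if is_allowed(ACL, subjects, "hr-share", right, now) else "DENY"
        print(sorted(subjects), right, now, verdict)
```

Any request that matches no entry is denied, so a forgotten object or group denies access instead of granting it.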
8) Learning Team Collab
Security policies are only as good as an employee’s understanding and ability to effectively carry out those policies.
Choose and describe at least two methods that could be used to ensure that employees receive proper security training and awareness of the organization’s policies. Justify your response.
Respond to at least two classmates’ answers.
9) Learning Team Collab
Security Education
I personally like the Securing the Human from SANS https://securingthehuman.sans.org/
When you think about training, any training, it has to be meaningful to the users.
Create an annual training regimen
Augment it with phishing exercises and other security exercises that provide reinforcement for users that do “bad” things
posters
swag
rewards for users that alert your staff of events
newsletters, tips and tricks
It all plays together. Keep up with the latest trends and incorporate those into your training plan.
Finally, don’t forget targeted training for high-risk personnel, IT and developers.
10) Learning Team Security Education Training and Awareness
The objectives are:
Define security education, training and awareness
List situations where each category is appropriate
Identify how organizations can use each strategy to mitigate threats to information security
Things to keep in mind:
Focus on people both as a part of the problem and as a part of the solution
Refrain from using technical jargon, speak the language the users understand
Use every available venue to access all users
Define at least one key learning objective, state it clearly and provide sufficient detail and coverage to reinforce the learning of it
Keep things light, refrain from “preaching” to users