CJST 6604/4524 Security Policy Analysis Exercise Fall 2015
Research UNH's Office of Information Technology Acceptable Usage Policy, found at http://www.newhaven.edu/317429.pdf (a copy has also been uploaded), and answer the following questions.
1) Identify which of the following topics this policy addresses and how each topic is addressed within the policy:
• The scope and purpose of the policy.
• The relationship of the security objectives to the organization's legal and regulatory obligations, and to its business objectives.
• IT security requirements in terms of confidentiality, integrity, availability, accountability, authenticity, and reliability, particularly with regard to the views of the asset owners.
• The assignment of responsibilities relating to the management of IT security and the organizational infrastructure.
• The risk management approach adopted by the organization.
• How security awareness and training are to be handled.
• General personnel issues, especially for those in positions of trust.
• Any legal sanctions that may be imposed on staff, and the conditions under which such penalties apply.
• Integration of security into systems development and procurement.
• Definition of the information classification scheme used across the organization.
• Contingency and business continuity planning.
• Incident detection and handling processes.
• How and when this policy should be reviewed.
• The method for controlling changes to this policy.
2) If possible, identify any legal or regulatory requirements that apply to the organization.
3) Do you believe the policy appropriately addresses all relevant issues?
4) Are there any topics the policy should address but does not?
Note: use the assigned readings, McBride et al.: "The Information Security Program" and "Developing an Information Security Policy".