Security Policies & Risk Identification

Task1:

Security Policies :

This week, I’d like you to do a bit of discovery and evaluation.  Find an Information Security Policy for an organization (try to find one that is no more than a page).

Post the policy, telling your classmates

1. What company is it for?
2. Who is the intended audience?
3. Are there any issues with the policy in terms of ease of understanding?
4. Does the policy have a well-defined scope?
5. What, if anything, would you change about the policy?

Other than citing where you got the policy, supporting references are not required for this discussion, (although they will help to make your response more supportable)

Task2:

Risk Identification:

Your company has decided to implement a human resource demographic portal.  Under the system envisioned, employees would be able to change various personal information items themselves, such as name, address phone, marital status, etc.  In addition, the employees would be able to change various payroll related items, such as 401k deduction percentages, the number of federal and state exemptions, as well as be able to view and print current and YTD pay information, including the current paycheck and check “stub”.  Under the current system, employees must go to the HR office to make any changes – there is no online access.

Your company already requires direct deposit for all employees, and under the new system, pay stubs would no longer be printed.  Employees would be able to do this as needed through the portal.

There are many potential risks associated with this project.

1. Your task is to Identify as many risks as you can (4 is the minimum, but feel free to identify more risks if you so desire).
2. Determine the relative likelihood of each risk occurring (low, medium high)
3. Propose at least one strategy for addressing each risk
4. Describe the strategy in terms of the 4 risk responses (Avoidance, Transference, Mitigation, or Acceptance).

Remember that sometimes, risks are acceptable and can be taken, so long they are identified and a strategy to address the risk is presented.  For example, driving a car is a risky venture, but to address that risk we have driver’s education (mitigation), manufacturing safety standards (mitigation), insurance (transference), and staying at home (avoidance). Driving an older, unsafe vehicle by an unlicensed and uninsured motorist could be considered Acceptance.

Turn in as much as needed. (Sometimes less is more, sometimes more is more; it’s your call.)

Support your strategies as needed.