Access Controls and Security Technologies
Part 1: Cybersecurity Policy Review
Role of Cybersecurity Policy
Cybersecurity policy has multifaceted functions in securing public organizations, private organizations, government organizations, and the nation’s infrastructure. The cybersecurity policy guarantees the proper assignment of roles and responsibilities among information system experts. (Lubua & Pretorius 2019; Kahyaoglu & Caliyurt, 2018). This approach ascertains that each party accounts for events within their jurisdiction area. Baleva (2021) explains that cybersecurity professionals perform some of these roles, including threat intelligence, maintaining network safety, safeguarding data files, and managing vulnerabilities. The duties are relatively demanding, and a lack of proper assignments can potentially amount to role conflicts. Without adequate role designation, IT experts would occupy inappropriate positions that would otherwise lead to erroneous events, placing an organization at risk of attack.
In the current age of complex technology, organizations must have well-defined standards. For this reason, Mcafee (2022) shows that the policies are integral in setting standards of behavior for paramount activities such as encryption of email attachments and other online communications. Ideally, messages in transit are vulnerable to online attacks, including man-in-the-middle attacks, creating a dire need for end-to-end encryption protocols. The modern cybersecurity policy articulates strict protective measures to address various weaknesses. Drastic advancements such as gradually improving and releasing better versions of Transport Layer Security (TLS) edify cybersecurity policy. This proves that the guidelines are incredibly essential in improving organizational security.
Organizations constantly require procedures to handle sensitive data, and Asanify (2020) postulates that cybersecurity policy plays an irreplaceable role in categorizing sensitive data, the appropriate methods of data destruction, and the necessary sharing permission. Attacks on sensitive data such as business details, personal information, and classified information may have impactful consequences. Therefore, the policy ensures that such data is protected in the best way possible for easier retrieval and utilization. Unlike in the past, organizations have learned the art of data destruction when the need arises. Lenhard (2022) highlights that firms are obligated to delete personal information upon the legal retention period elapsed or its storing purpose ceases. In this instance, the policy goes a long way in embracing the appropriate data sanitization measures. According to Blancco (2019), the recommendable data sanitization methods include cryptographic erasure, physical destruction, and data erasure. The policy further ensures that data is shared with the appropriate members for confidentiality and privacy purposes. Do you need help with your assignment ?
Cybersecurity policy is relevant in the current age of exponential data breaches. It acknowledges that each company is prone to various risks depending on its industry, location, regulatory, and technical circumstances (Hartman, 2021). In return, it works in the best interest of ascertaining that a business identifies the odds of possible data breaches and consequently implements proactive measures. This approach warrants that risks do not materialize, leading to business continuity. IBM (2021) estimates that the average annual cost of data breaches skyrockets to $4.24 million in the US. Prominent companies such as Yahoo and Facebook have suffered the negative impacts of data breaches in the past. As a result, the cybersecurity policy is highly regarded nowadays as it paves a way out from malpractice. Companies are expected to comply with the policy continuously for better outcomes.
Cybersecurity policy has surfaced as an appropriate mechanism for streamlining the country’s infrastructure. Gupta and Sharma (2018) state that the infrastructure entails multiple components, including software, hardware, networking systems, and special-purpose tools. Lack of concise monitoring of the resources, especially in the modern age of aggressive innovations such as smart cities and e-government services, places the country at a higher risk of ineffective efforts. The policy provides critical guidelines to maintain the resources optimally for maximum productivity. Minor attacks in the related information systems would majorly affect the government’s development. Therefore, cybersecurity policy ensures the technical team is well-versed in proper system maintenance strategies. Besides, it goes a long way in warranting frequent audits conducted for timely infrastructure assessment. Audits help detect the potential loopholes within the system and propose the appropriate controls. As such, the power of cybersecurity policy cannot be underestimated.
The use of social media is inevitable in organizational settings and is a double-edged sword, implying that it can have positive or negative impacts depending on its usage. Asanify (2020) opines that social media is the number one avenue intruders can access information. For this reason, it must be brought under control as a strategic way of ascertaining it is exploited for the benefit of an organization rather than serving as a weak point. Therefore, the cybersecurity policy ensures that only the appropriate information is shared on social platforms to avoid data violation. In addition, the policy controls social media usage by defining the extent of use allowed during work hours. Creating such standards minimizes unnecessary disruption to organizational operations and overall productivity. Most importantly, the policy certifies that pertinent information is withheld from the public.
Nevertheless, cybersecurity policy plays a significant role in verifying that nation’s infrastructure and organizations comply with legal and ethical requirements. It is critical to knowledge of what is right or wrong in daily operations (SCI, 2021). The state and federal governments set multiple legal obligations that enterprises must adhere to. The extent of adherence, especially to the technology-oriented laws, highly depends on cybersecurity policy. Using healthcare as a case example, Imperva (2022) explains that data issues are highly regulated by stringent regulations such as Health Information Technology for Economic and Clinical Health (HITECH) and the Health Information Portability and Accountability Act (HIPAA). However, a facility can hardly abide by these expectations without the relevant cybersecurity policy, as it guides employees at a personal level. At the same time, the policy doubles up to ensure that organizations do not infringe on ethical stances such as disclosure issues.
It is worth noting that cybersecurity policy plays a critical role in the contemporary era of working remotely and cloud computing. Mcfee (2022) asserts that the policy features the necessary steps for remote access to work applications in response to the escalating demand for online work. According to Steward (2022), more than 4.3 million persons in the country work online, and 85% of managers believe that remote working is projected to be the new norm. For this reason, the cybersecurity policy keeps redefining itself as a tactical way of keeping employees on the right track. The policy caters to strategic affairs such as enforcing the appropriate access software and ensuring remote workers receive the necessary training. The prevalence of cloud computing, including cloud storage, keeps surging, given that 72% of enterprises use private cloud and 91% use public (Galov, 2022). As a result, an effective cybersecurity policy becomes an integral aspect of ensuring data is stored and retrieved without raising concerns.
Finally, cybersecurity policy provides the direction necessary for creating a control framework to secure an entity from internal and external threats. The procedure helps identify an organization’s vulnerabilities, which are used to develop effective control measures. This interdependence is crucial for the implementation of practical solutions. It becomes feasible for a company to develop evidence-based strategies to confront current and future challenges. This approach has proven efficacious rather than creating a framework from mere guesswork. Indeed, cybersecurity policy plays an integral role in public organizations, private organizations, government organizations, and the nation’s infrastructure. Its contributions are essential in fostering cybersecurity by setting the appropriate standards and guidelines.
Main Categories of an In-depth Cybersecurity Policy
An in-depth cybersecurity policy constitutes a series of well-layered security components that collectively promote confidentiality, availability, and data integrity. It is classified into control and security layers, each having distinct contributions. The control layers are entrusted with physical, technical, and administrative controls. The biological control comprises alarms and locks, specialized installs controls such as firewalls and antivirus software, while administrative control pertains to data classification, separation duties, and auditing. Walkowski (2019) identifies that the control functions may entail preventative, detective, or corrective measures.
The security category entails tactical activities such as data protection, system monitoring, access measures, network protection, and endpoint protection (Petcu, 2021). Data protection seeks to defend data from potential degradation and compromising factors, while system monitoring tracks the system to detect available faults. Access measures look forward to guaranteeing that only the authorized parties access and utilize the stored data. Network protection is usually interested in safeguarding the connections to avoid external threats. Endpoint protection focuses on individual devices from which a network is accessed. An in-depth cybersecurity policy is quite detailed and is perceived as a fruitful method of protecting infrastructure and systems. Layering ensures that the successive layer blocks a threat if the preceding fails.
A Well-Designed Cybersecurity Policy Program in Securing a Government Agency
Due to its exceptional characteristics, a well-designed cybersecurity policy program would help secure a government agency such as the Department of Homeland Security (DHS). For instance, it would achieve this by encompassing the reality of the agency’s environment. Being realistic is an irreplaceable effort toward realizing a fully operational and productive policy as it proposes guidelines based on real-time affairs. Besides, the approach would enhance security by catering to all the pertinent aspects of the department. Inclusivity is crucial to ascertain that a policy addresses all potential vulnerabilities without bias.
Nevertheless, a well-designed cybersecurity policy would foster security by accommodating change over time. Stahl (2016) explains that cybercriminal behaviors evolve with time, implying that an approach that solved security issues in 2015 would not be impactful in 2016. Therefore, the flexibility of a well-designed policy would significantly foster its viability. Moreover, the policy would support security by championing the goals and principles guiding the agency. Metivier (2016) emphasizes that the relevance of an approach makes it more practical and applicable within the intended context. Finally, a well-defined policy would enhance the agency’s security by enforcing technical, physical, and administrative controls. Such a multidisciplinary perspective would ensure the most critical security aspects are addressed.
Challenges of Enforcing Cybersecurity Policy in an Organization
Ensuring everyone in an organization follows cybersecurity policy is invariably constrained by multiple challenges. Mariani et al. (2015) propose that the skills gap is a significant barrier to the full realization of the policy. Employees not knowledgeable about multiple regulations, current cyber threats, and cybersecurity technologies are less likely to appreciate the developed procedures. They are more likely to express resistance, making it relatively hard for the management to enforce various policies. Cyrebro (2021) adds that the increasing sophistication and frequency of technologies and strategies create a significant hurdle in bringing all employees on the same page regarding cybersecurity policy. The dynamic landscape makes it challenging for employees to get along.
Communication issues present significant challenges in convincing workers to buy into the created policies. Everyone in the workplace deserves to be well informed of the upcoming policies to the best of their understanding. Therefore, failure to integrate multiple methods of communication and the use of complex language makes it impractical for the workforce to observe the policy. Ignorance may also contribute to resistance, whereby the members of an organization fail to understand the need for policy change. Finally, irrelevant cybersecurity policies can rarely be followed as employees do not find the need to do so.
Part 2: Cybersecurity Policy Foundation – Overview
Reasons for Policy Compliance Challenges in an Organization’s Management
Policy compliance challenges can also be perceived from the management’s side, as demonstrated in this section. First, the lack of a compliance culture renders the management non-compliant, as the members are accustomed to laxity and defiance (Vcomply, 2021). Compliance is an essential yet underestimated aspect of any organization. The nature in which management handles organizational change equally dictates their approach toward cybersecurity policy. An ineffective culture hardly trains the direction on how to navigate real-life situations in an organizational context. As a result, the members find it hard to get along with new policies due to a lack of adequate exposure. This applies in all circumstances regardless of whether the board member or national bodies design the cybersecurity policy. A non-compliance culture goes a long way in inhibiting organizational productivity as it invariably amounts to inter-departmental misunderstandings.
A misguided incentive is another critical reason for compromising management’s propensity to comply. Generally, the CEO and board members often recommend incentives to the management as sources of motivation. However, they fail to realize that such a habit may have long-reaching impacts in other aspects. For this reason, the administration expects to be appreciated through bonuses and other incentives as a requirement for compliance. Failure to provide such demands leads to compliance crises (Vcomply, 2021). Even if the incentives are offered, they secure temporary observation, implying that the members will likely undervalue the cybersecurity policy in the future. Either way, misaligned incentives have significant impacts on management’s compliance.
Neglecting risk assessment protocols has also emerged as a significant cause of compliance failure in cybersecurity policy. This scenario mainly manifests when an organization articulates a newer business model or ventures into a new market. At this juncture, the management pays more attention to becoming more competitive in the new endeavor at the expense of compliance. Minimal time and resources are channeled to internal and external risk assessment, making it relatively hard to focus on security issues. Management that neglects risk has a low probability of focusing on its vulnerabilities. Non-compliance with international cybersecurity policy occurs when a company expands its operation beyond its country of origin. If it fails to examine and understand the risks and policy in the new location, it may involuntarily fail to abide by the predefined regulations. These arguments suggest a lack of compliance can happen at organizational and international levels. In either case, inadequate risk assessment is deemed as a contributing factor.
According to Erstad (2022), failing to acknowledge that your organization is a potential target increases the likelihood of non-compliance with cybersecurity policy. Unfortunately, small businesses fail to recognize their data is attractive to intruders. For this reason, the management is hardly concerned with cybersecurity policy and tends to focus on developmental agendas. Every organization has something the attackers admire; hence, small businesses also deserve to observe the procedure. According to Witts (2022), small-scale business management exposes their enterprises to phishing, ransomware, malware, and insider threats due to a lack of compliance. In the end, they lose data and incur significant financial losses. As such, it can be deduced that lack of awareness is a considerable management influencer to the perception of cybersecurity policy compliance.
On a different note, maintaining a cybersecurity policy is labor-intensive, making it challenging for management to comply as expected. As technology grows, related policies equally increase, leading to a demanding workload. This aspect seems inconvenient for the management team as they must keep reviewing cybersecurity policy as time progresses. In addition, they are mandated to guarantee that the rest of the employees observe the procedure, making the overall work burden unbearable. In such an instance, the management is compelled to override the policy as a strategic way of offloading tasks in their daily routine. For example, leadership in a digital-based corporation with minimal outsourcing options will likely be overburdened with policy management tasks. As a result, it might end up sublining some policies or not adhering to all in the long run. This is a severe crisis in the modern world and is a wake-up call for organizations to consider expanding their management base to cater to compliance issues in the best way possible.
The trickle-down leadership effect is also considered a substantial contributor to policy non-compliance for an organization’s management. This argument holds that the top-tier leadership is responsible for setting the pace for the entire company (Vcomply, 2021). Therefore, the management team will likely show less interest in cybersecurity compliance once the administration seems uncommitted and articulates vague approaches to the issue. Essentially, the higher power serves as a role model to the subordinates, implying that what management portrays will equally be copied by the employees. The trickle-down effect is expected in the contemporary world, creating the need for more composed leadership. Normalizing an environment of undervaluing compliance has long-term detrimental impacts if not rectified. In this case, the administration is deemed the chief cause of the non-compliance incidences.
Lack of involvement is another critical impediment hindering policy compliance in the management. This postulation primarily applies to organization-based policy, where some management members strive to be featured in the policy development. Since establishing a cybersecurity policy is quite demanding and requires a multidisciplinary approach, gathering diversified views is always imperative. The opinions can be collected through questionnaires and interviews, among other methods. Suppose the management is unconcerned; it is more likely to rebel against the developed policy. The members feel underestimated and invariably have minimal commitment to the procedure. For instance, it is assumed that the management performs the functional duties and has more knowledge of cybersecurity issues. Not involving such a team in policy development increases loopholes in the developed guidelines. This aspect further serves as another influencing factor. The management tends to believe that the implemented cybersecurity policy is ineffective and thus finds no reason for compliance.
Moreover, lack of accountability leads to significantly higher rates of non-compliance. Each party is assigned specific roles and responsibilities in an ideal business environment. Therefore, the lack of such protocols makes the management depend on each other for policy reinforcement. Such an approach leads to a blame game if things run out of control. It invariably amounts to non-compliance as no one is passionately dedicated to driving forward cybersecurity policy. Managers at every level of compliance function deserve to be well-versed in the expected deliverables to avoid inconsistencies. Individual responsibility is a sure way to track various incidences and create interest among the stakeholders to become active participants in policy compliance.
Erstad (2022) claims that the conflicting views on cybersecurity policy are notable contributors to non-compliance. Some management members believe cybersecurity is an IT issue, while others deem it financial. As such, each party feels the counterpart has a higher compliance obligation than itself. Interestingly, Erstad (2022) highlights cybersecurity as an economic issue rather than IT. The average cost of data breaches is increased, implying that organizations feel massive financial blows due to the consequences of non-compliance. Regardless of either approach, companies must agree on the best way forward. The central aim is to foster cybersecurity compliance despite the multifaceted managerial roles. This section shows multiple reasons why an organization’s management presents unique challenges in policy compliance. Each contributing factor is unique and meaningful but controllable.
Part 3: Access Control
Different Types of Access Controls and Their Roles in “Defense In-depth” Strategy
Discretional Access Control (DAC) is a type of access control that grants permission to specific users based on defined rules. It gives the subjects authority to filter out who accesses their objects for security reasons. Townsend (2018) highlights that systems implementing this approach utilize capability tables and Access Control Lists (ACLs). This is because the capability tables possess an ‘object’ column and a ‘subject’ row, making it possible for the security kernel to reference the table in determining the allowable access. For instance, it is used in Unix file mode to define every user’s write, read, and execute permissions. DAC is considered a less restrictive measure as it gives users exclusive control over their objects and related programs. Though this could be regarded as an essential privilege to the user, it is equally deemed a significant weakness, given that the end-users can even run malware without knowing. However, DAC plays a substantial role in defense-in-depth strategy as it embraces authentication of users before they access specific resources. This mechanism goes a long way in barring intruders from potentially harming organizational data. Therefore, the potency of DAC cannot be underestimated whatsoever.
Mandatory Access Control (MAC) is the second category in which the administrator entirely defines access. The central authority allows access to only the owner and custodian management, which implies that access is highly restricted (Martin, 2019). The control settings in the system can hardly be altered or removed without the administrator’s permission. For this reason, it is considered the most secure methodology, hence prioritized by most organizations. Licenses are only executed by the operating systems based on their configuration to respond to various requests. MAC articulates a hierarchal approach to control files and is mainly used by the government. Its operation is primarily derived from two pieces of information: classification and category. Sort can be low, medium, or high, while a class may entail a specific project or a department (Townsend, 2018). The type and category are assigned to each user account, and one is allowed access if only their properties match. For instance, if a system user has a medium classification but is absent in the category, he cannot gain access to the object. This approach is task intensive, requiring high system management for frequent object updates and account labels. MAC is highly related to administrative controls in the defense-in-depth. The administration is deemed the primary party privileged to set policies and procedures guiding the system use. It defines specific security requirements escalating protection mechanisms and is thus considered adequate.
Role-Based Access Control (RBAC) is viewed as an alternative to the DAC due to its mode of operation. It is mainly referenced when an organization considers access rights assignment according to an organizational role rather than the individual user accounts. Its mechanism allows a party only to conduct their jobs, given that access is primarily related to their specific obligations. As such, it can be deduced that its working mechanism makes it viable to integrate crucial principles such as ‘separation of privilege’ and ‘least privilege.’ As the name suggests, users are only privileged to access data and perform activities related to their duties at the workplace. For instance, given that RBAC assigns access to job titles rather than particular users, as in MAC, it plays an irreplaceable role in slicing downtime required to change user control (Gentry, 2022). For instance, suppose a company has two accountants and 15 salespersons; it will only have to create two profiles instead of 17. From this juncture, an employee will only have to receive credentials fitting his role upon promotion or demotion. This is a significant achievement in terms of workload and efficiency. However, its benefits come with potential security threats since other accountants and salespeople can acquire unauthorized file access. RBAC plays a technical role in the defense-in-depth strategy as it bars access to the system’s content but not the system itself, like in the case of physical control. Strategic measures such as software protection might be used in this classification to reinforce security.
Attribute-Based Access Control (ABAC) is a unique technique that grants user access based on attributes. This approach is fundamentally founded on authorization and authentication models to provide access depending on the subject’s features, the requested resource, the user’s action for the help, and the request context. Examples of subject details may include age or security clearance, while the object’s attributes pertain to the characteristics of the requested resource. Users’ actions are relatively broad and may comprise reading, viewing, deleting, and transferring, while the environmental attributes/context of the request stretches to the location, time, and device being used (Hu et al., 2015). This method is exceptional in relating objects to their environments as a strategic way of developing access rules depending on whether certain conditions are fulfilled. For instance, if an organization would not like the entire organization to view information on potential leads, ABAC ensures that the privilege is granted to only salespeople within a specific geographical location. This approach is related to several benefits since it targets security and dynamic access control. Unlike RBAC, ABACA considers multiple variables before granting access and dynamically applies one policy to many roles. However, ABAC’s primary challenge is its implementation is complex and demanding. This is because the developer has to define countless attributes and establish policies. ABAC plays a significant security role in defense-in-depth security. It employs perimeter defense to ensure that the entire system is accessible to only authorized persons.
Risk-Based Access Control (RBAC) is a dynamic model that grants access depending on the extent of evaluated risk. Gentry (2022) explains that this approach comprises several authentication measures for effective permission approval. If a user attempts to log into a system, his risk profile is proactively examined. Suppose the user device used for logging is not recognized; such a situation creates suspicion on the user’s credibility. As a result, the system prompts extra authentication measures for additional confirmation. Risk-based prompts are usually generated based on the level of risk. For example, trying to modify banking details is categorized as a high-risk factor and thus triggers multiple risk-based prompts. Atlam et al. (2020) explain that RBAC is entirely founded on mathematical probability since the main components are risk factors, risk estimation, access decision, and access policy. Its major drawback is that people perceive some measures, such as two-factor authentication, as cumbersome. Its defense-in-depth strategy entails passwords and authentication to help strengthen the system’s security.
Identity-Based Access Control (IBAC) is the final set of access controls that grants or denies access permission based on one’s biometric or visual identity. The identity is usually matched with the details embedded on the access control list to determine whether one can utilize the electronic resource. This approach enables administrators to manage activities more effectively as per individual needs. It applies in a data-driven context and in the physical entries into various premises. IBAC uses high-standard technology to capture the identity details and relate them to the merits. It is advantageous because it controls who is supposed to use a particular resource and for what reasons. Besides, it can be enforced on various devices, including tablets, smartphones, and PCs. IBAC is highly ingrained in defense-in-depth based on its operational mechanisms. It is a technical control with elements of vulnerability scanners. The authenticated scanners are relatively accurate, creating minimal chances for a data breach. Generally, each examined access control plays an integral role in revolutionizing access measures by removing traditional keys.
References
Atlam, H. F., Azad, M. A., Alassafi, M. O., Alshdadi, A. A., & Alenezi, A. (2020). Risk-based
Access control model: A systematic literature review. Future Internet, 12(6), 103.
Asanify, (2020). Designing a Cybersecurity Policy. Why a Strong Cybersecurity Policy in the Need of the Hour.
Baleva, J. (2021). Key Roles and Responsibilities of Cyber Security Professionals. EXODI Training Institute.
Blancco, (2019). What is Data Destruction? Technical Article.
Cyrebro, (2021). Challenges that Stand in the Way of Your Compliance Efforts.
Erstad, W. (2022). The Top Cyber Security Problems Organizations Are Facing. Cyber Security Problems Nearly Every Organization Struggles with. Rasmussen University.
Gupta, J, N, D. & Sharma, S, K. (2018). Globalization and Information Management Strategy.
Encyclopedia of Information Systems.
Galov, N. (2022). Fascinating Cloud Adoption Facts. Cloud Adoption Statistics for 2022.
Hu, V. C., Kuhn, D. R., Ferraiolo, D. F., & Voas, J. (2015). Attribute-based access control. Computer, 48(2), 85-88.
Gentry, S. (2022). Access Control: Models and Methods in the CISSP. INFOSEC Article.
Hartman, (2021). Benefits of Creating Cybersecurity Awareness Within Your Organization. Executive Advisors.
Hu, V. C., Kuhn, D. R., Ferraiolo, D. F., & Voas, J. (2015). Attribute-based access control. Computer, 48(2), 85-88.
Imperva, (2022). Developing a Data Privacy Framework. Data Privacy.
IBM, (2021). How Much Does a Data Breach Cost? Cost of Data Breach Report 2021.
Kahyaoglu, S. B., & Caliyurt, K. (2018). Cyber Security Assurance Process from The Internal
Audit Perspective. Managerial Auditing Journal.
Lenhard, T. H. (2022). Data Destruction. In Data Security (pp. 55-60). Springer, Wiesbaden.
Lubua, E. W., & Pretorius, P. D. (2019, July). Cyber-Security Policy Framework and Procedural
Compliance in Public Organizations. In Proceedings of the International Conference on Industrial Engineering and Operations Management (pp. 1-13).
Mcafee, (2022). How Cybersecurity Policies and Procedures Protect Against Cyberattacks.
Cybersecurity Article.
Mariani, D. M. R., Mohammed, S., & Mohammed, S. (2015). Cybersecurity challenges and
Compliance issues within the US healthcare sector. International Journal of Business and Social Research, 5(02).
Metivier, B. (2016). Seven Characteristics of a Successful Information Security Policy. Sage Advice.
Martin, J A. (2019). What is Access Control? A Key Component of Data Security.
Petcu, A, G. (2021). Defense in Depth in a Respected Cybersecurity Strategy. The Basics of Defense in Depth Cybersecurity.
Swiss Cyber Institute (SCI), (2021). A Holistic Approach to Ethical Issues in Cyber Security.
Steward, J. (2022). The Ultimate List of Remote Work Statistics for 2022. Key Remote Work Statistics in 2022.
Stahl, A. (2016). Characteristics of a Successful Cybersecurity Policy. Cybersecurity Article.
Townsend, R. (2018). Access Control Models. Cybersecurity. University of Hawaii.
Vcomply, (2021). Reasons for Compliance Failure. Compliance Insights.
Walkowski, D. (2019). An Overview of the Types of Countermeasures Security Practitioners
Use to Reduce Risk. What are Security Controls?
Witts, J. (2022). The Top Five Biggest Cyber Security Threats Small Businesses Face and How to Stop Them. Expert Insights.
ORDER A PLAGIARISM-FREE PAPER HERE
We’ll write everything from scratch
Question
Part 1: Cybersecurity Policy Review
1) In a minimum of 1,250 words, explain the role of cybersecurity policy in securing private organizations, public organizations, government organizations, and the nation’s infrastructure.
2) In 200 or more words for EACH answer, respond to the following:
a) What are the main categories of an in-depth cybersecurity policy?
b) How would a well-designed cybersecurity policy program help secure a government agency like the Department of Homeland Security (DHS)?
c) What are some challenges to ensuring everyone in an organization follows the cybersecurity policy?
Part 2: Cybersecurity Policy Foundation-Overview
In a minimum of 1,250 words, answer the following question:
1) Why does an organization’s management present unique challenges regarding policy compliance? Provide examples.
Part 3: Access Controls
In a minimum of 1,250 words, answer the following:
1) Evaluate the different types of access controls and their roles in a “defense-in-depth” strategy.
NB: Your submission should:
Include a cover sheet.
Be double-spaced.
Be typed in Times New Roman, 12-point font.
include correct citations
be written in Standard English with no spelling or punctuation errors; and
have at least eight accurate references at the bottom of the last page.