Executive summary
In this digital age, employee compliance with IT security policies is an important issue. It is not an issue that should be wished away, because a single lapse can cost an organization many years of hard work. Aware of this, organizations should put in place measures that ensure employees do not violate IT security policies. This document comprises the approval draft of the data breach response policy for the Baltimore field office. The draft outlines the mechanism that should be followed if a data breach were to occur in the company. In addition, the document comprises a documentation review of the policy and an employee survey that should be used to evaluate employees’ awareness of and compliance with IT security policies.
Issue-specific policy (approval draft)
Title: Data breach response policy
Policy statement
Under the 1998 Data Protection Act, the company is responsible for protecting its data. In line with this act, great care is taken to protect the company’s data from breach. However, in the unlikely event that data is shared inappropriately or lost, appropriate actions should be taken to mitigate the risks that might result.
Purpose
This policy is intended to provide a standard mechanism that should be followed if a data breach were to occur in the company. Among other things, the policy focuses on the roles and responsibilities of the company’s data protection officers, on compliance, and on the types of breaches.
Scope
The policy applies to all data held by the company and to anybody hired on a contract basis to provide services to the company.
Appropriate use
Under normal circumstances, employees will have access to certain levels of data, as determined by their roles and responsibilities in the company. When using that data, employees should not share it with anyone, including their colleagues. At the same time, employees should not try to gain access to data they are not authorized to use (Johnson, 2013). Doing so will amount to a violation of the policy.
Types of breaches
The following are some of the factors that could cause data protection breaches. Employees are advised to take note of them and guard against them.
- Inappropriate access to confidential data
- Inappropriate access controls that give staff members access to confidential data
- Human error
- Equipment failure
- Hacking
- Deception
- Unforeseeable circumstances such as flood, fire or theft
Containment
- The person that discovers or receives a report of the breach should report the matter to the chief information officer (CIO) as soon as possible.
- Upon receiving this report, the CIO should evaluate whether the breach is ongoing or has stopped. If the breach is ongoing, the CIO should initiate measures to stop it.
- The CIO should share this information with the relevant authorities, in particular the data protection officer. If need be, the police should be informed of the matter (Banks & Banks, 2011).
- Effort should be made to limit the damage.
Compliance
To comply with this policy, employees will be expected to receive authorization to use the company’s data from the company’s authoring official. For this to happen, employees will be expected to read and sign the IT security documents provided to them by their immediate managers, who in this case are referred to as group managers. Upon signing these documents, the employees will return them to their group managers, who will in turn forward the signed documents to the company’s authoring official.
Once employees receive permission to use the company’s data, they will be expected to treat that data with the utmost care. They must not share that data with anyone, including their colleagues (Swanson, 2001). Violating this policy will amount to a violation of the company’s code of conduct, and appropriate action will be taken promptly.
System management
It is the responsibility of the company’s authoring official to ensure that employees do not have access to confidential data they are not authorized to use. In line with this responsibility, the company’s authoring official, with the help of group managers, will determine the amount of data each employee should have access to. Once this has been determined, employees do not have the right to change it. However, group managers may advise the company’s authoring official to revise it as employees’ responsibilities change from time to time.
Violation of policy
In the event that an employee violates this policy, the company reserves the right to take the necessary actions. These actions include, but are not limited to, taking legal action and/or terminating employment. Depending on the gravity of the issue, the company may either issue a written warning to first-time violators or dismiss an employee without issuing such a warning (Banks & Banks, 2011). All violations of this policy should be reported to group managers, who in turn should report the matter to the company’s authoring official.
Policy review and modification
The company’s information security team will be responsible for reviewing and revising this policy on an annual basis, and whenever technological changes make it necessary.
Policy system audits
The policy: this audit focuses on the data breach response policy. The policy defines the process that should be followed if an employee breaches the policy. It starts by defining what is expected of each employee before outlining the actions that should be taken against such an employee. In line with the company’s practices, the policy should be updated on an annual basis or whenever the need arises (Swanson, 2001).
Updating: the policy was last updated on 4th January, 2016. It has not been updated since, because those tasked with updating it have not found anything warranting an update; more importantly, one year has not yet elapsed since that date. Based on the company’s practices, the policy might be updated again on 4th January, 2017, or at any other time that those tasked with updating it find it necessary to do so.
Ownership: the policy is solely owned by the company’s information system owners.
Review: before the policy was approved, it was reviewed by the company’s information security team, which included the IT manager, the chief information officer and the chief finance officer, as well as the company’s general manager. During the review process, it was determined that the policy was practicable and appropriate for the company. In so doing, the team assured the board of directors that it did not have to worry about the implementation of the policy.
Policy approval: after the policy was reviewed, it was approved for implementation by the company’s top management team, which included the board of directors, the chief information officer, the IT manager and the general manager. Each of them endorsed the policy by signing it. The policy took effect immediately and has since been applied without favoritism.
Conclusion: based on the system audit that has been conducted, it appears that the company has a data breach response policy. It also appears that the policy has been updated within the last year. More importantly, it appears that before the policy was implemented, it was reviewed and approved by the appropriate authorities.
Awareness and compliance (employee survey)
The following questions have been designed to evaluate employees’ awareness of IT security policies and their compliance with those policies. For effective results, employees are expected to answer the following questions to the best of their knowledge. Employees may select more than one option for questions that allow multiple answers. However, for questions with yes and no responses, employees should choose either yes or no. For the open-ended questions, employees should feel free to elaborate their answers by giving more details (Swanson, 2001). The first set of questions is intended to determine employees’ awareness of the key IT policies in their company. The second set of questions is intended to determine employees’ awareness of their responsibilities in complying with IT security policies.
Questions
Awareness of key policies
- In relation to IT security, what do you understand by the term security policy? _________
- Which types of security policies do you know?
  - Issue-specific policies
  - System-specific policies
  - Program policies
  - Others (specify) ______
- Of the above policies, which does your company enforce? _____________
- What do these policies aim to achieve at your company?
  - Secure the system
  - Mitigate cyber attacks
  - Nothing
  - Others (specify) ______
- Which policies do you know?
  - Data breach response policies
  - Shadow IT policies
  - Social media account policy
  - Email policies
  - Others (specify) ______
- Of the above policies, which does your company implement? _________
Personal responsibilities
- In regard to IT compliance, do you know your responsibilities in the company?
  - Yes
  - No
- If yes, what are your responsibilities? Please explain _______________
- Do you know what you should do to comply with IT security policies in your company?
  - Yes
  - No
- If yes, what should you do? Please explain _______________
- At a personal level, what do you do to comply with security policies at your company/organization? _______________
- Does your company/organization specify what you should do to comply with IT security policies?
  - Yes
  - No
- If no, what do you think your company should do? Please explain ___________
References
Banks, T., & Banks, F. (2011). Corporate legal compliance handbook. Austin: Wolters Kluwer Law & Business.
Johnson, L. (2013). Computer incident response and forensics team management: Conducting a successful incident response. Amsterdam: Elsevier.
Swanson, M. (2001). Security self-assessment guide for information technology systems. National Institute of Standards and Technology.