Posted: April 25th, 2025

Discussion

What would be your approach to introduce potential information systems security (ISS) risks to management? Also, how could you enforce the security controls if policies were created based on your recommendations? 

Course Textbook(s) Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034 

CYB 4304, Cybersecurity Law and Policy

    UNIT I STUDY GUIDE
    Security Governance and Policy Management

    Course Learning Outcomes for Unit I

    Upon completion of this unit, students should be able to:

    2. Assess an acceptable use policy implementation plan for an organization.
    2.1 Define an acceptable use policy.
    2.2 Plan an acceptable use policy for an organization.

    Required Unit Resources

    Chapter 1: Information Systems Security Policy Management
    Chapter 2: Business Drivers for Information Security Policies
    Chapter 3: Compliance Laws and Information Security Policy Requirements

    Unit Lesson

    Information Security Systems, Defined

    We all know that information security is essential, both in our personal lives and in a business context. But
    how do we define the concept of information systems security (ISS), and what essential functions should an
    ISS policy address? These considerations form a cornerstone element of our initial unit on information
    security systems and policy management.

    Many organizations define ISS as the practice of protecting the network, information, resources, and
    assets. When a business undertakes such an effort, it must consider that not all employees will know how to
    best protect the information they encounter as part of their duties. Therefore, policies and procedures should
    be created to help employees handle information properly, which ultimately leads to better and more
    consistent ISS outcomes.

    Information Systems Security Frameworks

    Typically, ISS-focused policies follow a lifecycle process to reduce errors and ensure all requirements are
    considered. The lifecycle process breaks work into smaller, manageable phases. For instance, Control
    Objectives for Information and Related Technologies (COBIT) is a widely accepted best-practice
    framework that provides a structure for managing and governing information technology (IT) practices,
    allowing businesses to align themselves with the outcomes that they and their customers expect.

    Johnson and Easttom (2022) state that frameworks like COBIT contain four domains that collectively
    represent a conceptual information systems security management lifecycle on which policies are built.

    1. Align, plan, and organize: This domain contains the basic details of an organization's needs and
    goals.
    2. Build, acquire, and implement: This domain deals with schedules and deliverables.
    3. Deliver, service, and support: This domain adjusts the environment to lessen risks.
    4. Monitor, evaluate, and assess: This domain consists of the testing and monitoring of controls and
    analyzing the results.


    Each phase builds on the one before it, so a failure in one phase can introduce a vulnerability in the
    next. The textbook refers to this dependency as a "single point of failure."

    Figure: simplified ISS management lifecycle based on COBIT 5.0 (Johnson & Easttom, 2022, p. 6).

    Information Assurance

    Information assurance (IA) is a form of ISS that ensures information is protected while being used or
    transferred. IA contains several security tenets known as the five pillars of the IA model. Johnson and
    Easttom (2022) discuss in Chapter 1 that the pillars below are important for protecting data both while it
    is in transit and while it is stored.

    • Confidentiality: Only authorized personnel should be able to access confidential information, and
    employees should only be granted access to the specific information needed to perform their job,
    commonly referred to as the need-to-know principle.

    • Integrity: This principle is concerned with confirming that any change to data was approved by the
    owner of that data and that the data has not been altered in transit or at rest.

    • Availability: This principle is concerned with guaranteeing that authorized users can access
    information when they need it. A significant challenge for availability is the denial of service (DoS)
    attack, which overwhelms a system so that legitimate users can no longer reach it.

    • Authentication: This principle is concerned with verifying a user's identity. The textbook lists
    housekeeping practices such as periodic password changes; note that current guidance (NIST SP 800-63B)
    no longer recommends routine password expiration and instead favors screening for compromised
    passwords and using multifactor authentication.

    • Nonrepudiation: This principle refers to the ability to prove that someone cannot dispute or deny that
    he or she digitally signed a contract or was party to a transaction. Establishing this requires evidence
    that ties the transaction uniquely to that person, such as a digital signature made with a private key
    that only that person holds.

    Governance

    Governance is both a concept and a specific set of actions an organization takes to ensure compliance with
    its policies, processes, standards, and guidelines (Johnson & Easttom, 2022). The idea is to have a structure
    in place so everyone in the organization follows the same rules.

    Information Security Policies

    Security policies generally consist of a variety of items that lay out rules that apply across the business.
    Collectively, they set up mandatory controls and processes. These policies address threats to all of the
    various physical assets, data, and employees of the business. The documents in this framework usually
    consist of principles, policies, standards, procedures, guidelines, and definitions.


    It is essential to distinguish policies from standards, which are laws or industry norms that have
    evolved into agreed-on practices. Likewise, policies and procedures are distinct. While policies impose
    some type of control on a process, procedures help achieve those goals by laying out the individual
    steps needed to get there.

    ISS policies ensure the organization acts consistently and is protected throughout its processes.
    Foundational reasons for using and enforcing security policies include the following.

    • Ensure that insiders with authorized access cannot misuse that access to attack the systems.
    Information should not be vulnerable either in transit or at rest. Information at rest sits on storage
    media such as disks and backup tape, whereas information in transit is moving across the network
    or between systems.

    • Confirm that there is strong oversight of who can make changes to the IT infrastructure, because
    the system is especially vulnerable while changes are being made.

    • Verify that the business can reliably deliver its services.

    It can be expensive to develop responsible and effective policies, but it can be just as costly to discover you
    did not have the proper policy in place. Examples include regulatory non-compliance and customer
    dissatisfaction. Further, not having the proper policies leaves data more exposed to attack. However, it should
    be noted that there are barriers to policy acceptance and enforcement, such as employees taking shortcuts
    and a lack of organizational support, policy awareness, and understanding. Further, policy language may be
    vague or even unenforceable if it is not well crafted.

    Maintaining Compliance

    Effective policies need to be clear as to how compliance will be achieved. Unclear policies can lead to
    confusion and incorrect choices. If the policies are clear and are followed correctly, they should work and
    result in some compliance metric that can be measured and shows effectiveness of the policy. Accurate
    measurements give an organization the ability to understand its risks, which forms the basis of finding
    solutions to any identified problems.

    Security Controls

    Security controls provide the means to enforce a security policy. Controls ensure confidentiality, integrity, and
    availability of information, protect physical resources, and provide the means to measure security compliance
    (Johnson & Easttom, 2022). Security policies and controls are therefore intertwined: without security controls,
    a policy cannot be enforced, and without a policy there is nothing to define which controls are needed or
    what they must achieve.

    U.S. Compliance Laws

    The ubiquity of the internet has fueled economic growth and opportunity, but also the potential for invasion
    of personal privacy and for cybercrime. Governments have therefore intervened with laws and regulations
    intended to better control the information on which the digital economy relies. Johnson and Easttom (2022)
    present the most important laws related to consumer rights and personal privacy, summarized below.

    • Federal Information Security Management Act (FISMA, updated by the Federal Information Security
    Modernization Act of 2014): This law applies to federal agencies and to contractors and service providers
    that operate systems on their behalf. It requires specified information security standards to be applied.
    Security control requirements include a system inventory, risk categorization, controls selection, risk
    assessment, a system security plan, certification and accreditation (now called assessment and
    authorization), and continuous monitoring.

    • Health Insurance Portability and Accountability Act (HIPAA): The Department of Health and Human
    Services' Privacy Rule (with its companion Security Rule) governs the documentation and dissemination
    of patients' protected health information (PHI) by medical providers, health plans, and third parties
    such as billing companies and clearinghouses.

    • Gramm-Leach-Bliley Act (GLBA): This is also known as the Financial Services Modernization Act of
    1999. It was enacted to control the ways that financial institutions handle the private information of
    individuals. To be compliant, security policies must include critical components such as information
    governance, information security risk assessment, information security strategy, controls
    implementation, monitoring, and updating.


    • Sarbanes-Oxley (SOX) Act: The SOX Act protects investors and the public from accounting errors and
    fraudulent financial reporting. SOX defines which records must be retained and for how long.

    • Family Educational Rights and Privacy Act (FERPA): This federal law requires that education records be
    protected and that students be able to access their own records.

    • Children's Internet Protection Act (CIPA): Schools and libraries that receive certain federal funding
    must block access to obscene or sexually explicit material, such as pornography, on their computers.

    Each of the regulations mentioned above protects or controls information, and that can only be done through
    adequate security policies and controls. Therefore, security controls need to be developed and
    implemented to enforce each law's requirements.

    Knowing which regulation applies to one's field is also essential to protecting information
    systems. Each law is written for a particular sector. For example, HIPAA applies to health care providers,
    health plans, clearinghouses, and their business associates, whereas FERPA applies to educational
    institutions that receive federal funding. An organization can fall under more than one at once (a university
    that operates a medical center must meet both), so security professionals need to know which laws apply to
    their organization in order to protect its information assets successfully.

    There are also international regulations and standards bodies of which ISS professionals should be aware.
    Johnson and Easttom (2022) provide the following to review.

    • General Data Protection Regulation (GDPR), the European Union's data protection law
    • European Telecommunications Standards Institute (ETSI), a standards body rather than a regulation
    • Asia-Pacific Economic Cooperation (APEC) Privacy Framework

    Reference

    Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett
    Learning. https://online.vitalsource.com/#/books/9781284200034
