CIS333 Assignment 1: Creating and Communicating a Security Strategy

CIS333 Assignment 1: Creating and Communicating a Security Strategy


Assignment 1: Creating and Communicating a Security



 Draft Due Week 4, worth 40 points Final Due Week 6, worth 60 points



The specific course learning outcomes associated with this assignment are:


Analyze the importance of network architecture to security operations.


Apply information security standards to real-world implementation.


Communicate how problem-solving concepts are applied in a business environment.


Use information resources to research issues in information systems security.


Write clearly about network security topics using proper writing mechanics and business formats.




  1. Review the essential elements of a security strategy


A successful IT administration strategy requires the continuous enforcement of policies, standards, and practices (procedures) within the organization. Review these elements to see how they compare:


Policy             The general statements that direct the organizati communication and goals.


Standards     Describe the requirements of a given activity related to the policy. They are more detailed and specific than policies. In effect, standards are rules that evaluate the quality of the activity. For example, standards define the structure of the password and the numbers, letters, and special characters that must be used in order to create a password.


Practices       The written instructions that describe a series of steps to be followed during the performance of a given activity. Practices must support and enhance the work environment. Also referred to as procedures.


  1. Describe the business environment


You are the IT professional in charge of security for a company that has recently opened within a shopping mall. Describe the current IT environment at this business. You can draw details from a company you work for now or for which you have worked in the


company allow cell phone email apps? Does the company allow web mail? If so, how will this affect the mobile computing policy? Describe all the details about this business environment that will be necessary to support your strategy.



CIS333   Assignments and Rubrics


  1. Research sample policies


Familiarize yourself with various templates and sample policies used in the IT field. Do not just copy


them to yours. Use these resources to help structure your policies:


Information Security Policy Templates


Sample Data Security Policies


Additional Examples and Tips





With the description of the business environment (the fictional company that has opened in a shopping mall) in mind and your policy review and research complete, create a new security strategy in the format of a company memo (no less than three to five pages) in which you do the following:


  1. Describe the business environment and identify the risk and reasoning


discovered in your research. Be sure to identify the reasons that prompted the need to create a security policy.


  1. Assemble a security policy


Assemble a security policy or policies for this business. Using the memo outline as a guide, collect industry-specific and quality best practices. In your own words, formulate your fictional cies. You may use online resources, the Strayer Library, or other industry-related resources such as the National Security Agency (NSA) and Network World. In a few brief sentences, provide specific information on how your policy will support the business’ goal.


  1. Develop standards


Develop the standards that will describe the requirements of a given activity related to the policy. Standards are the in-depth details of the security policy or policies for a business.


  1. Develop practices


Develop the practices that will be used to ensure the business enforces what is stated in the security policy or policies and standards.


Format your assignment according to the following formatting requirements:


This course requires use of Strayer Writing Standards (SWS). The format is different than other Strayer University courses. Please take a moment to review the SWS documentation for details. Review this resource to learn more about the important features of business writing: The One Unbreakable Rule in Business Writing.


You may use the provided memo outline as a guide for this assignment, or you may use your own. Get creative and be original! (You should not just copy a memo from another source.) Adapt the

company standard documents for this type of communication.


evaluate your submissions.







CIS333      Assignments and Rubrics


Note: This assignment will be run through SafeAssign plagiarism detection software and an originality report will automatically be sent to the instructor.




Grading for this assignment will be based on answer quality, logic/organization of the memo, and language and writing skills, using the following rubric.



40 Draft/ Assignment 1: Creating and Communicating a Security Strategy
60 Final
Criteria Unacceptable Minimum Fair Proficient Exemplary
Below 60% F Expectations 70-79% C 80-89% B 90-100% A
60-69% D
1. Describe the Does not Insufficiently Partially Satisfactorily Thoroughly
business and describe the describes the describes the describes the describes the
identify the risk business and business. business. business. business.
and reasoning does not
submit or The risk is The risk is The risk is The risk is
Weight: 20% incompletely unclear and stated but the identified and the clearly
identifies the there is not a reasoning needs reasoning has identified and
risk and clear more supporting some supporting the reasoning
reasoning. connection to details. details. has well-
a reason. supported
More details and detail to
a clear connect the
connection to risk to the
the risk would reasoning.
improve this
2. Assemble a Does not The policy is The policy The policy The policy
security policy submit or missing major includes some includes most includes all
or policies for incompletely elements and elements and elements and the necessary
the business assembles a does not partially satisfactorily elements and
security policy communicate indicates how it indicates how it clearly
Weight: 25% or policies for how it would would support would support the indicates how
the business. support the the it will support
business goal. goal, but was but was lacking
lacking supporting goal.
supporting details.
3. Develop Does not The standards The standards The standards The standards
standards submit or are not fully partially satisfactorily thoroughly
incompletely developed and describe some describe many of describe all
Weight: 25% develops do not of the the requirements the
standards. describe the requirements of of the activity but requirements
requirements the activity but could use more of the activity
of the activity. lack the details details. and include
necessary to sound, in-
make them depth details.




CIS333   Assignments and Rubrics


40 Draft/ Assignment 1: Creating and Communicating a Security Strategy
60 Final
Criteria Unacceptable Minimum Fair Proficient Exemplary
Below 60% F Expectations 70-79% C 80-89% B 90-100% A
60-69% D
4. Develop Does not The practices The practices The practices The practices
practices submit or do not include partially satisfactorily thoroughly
incompletely enough describe how to address how to address how
Weight: 25% develops description to ensure the ensure the to ensure the
practices. ensure the business can business can business can
business can enforce what is enforce what is enforce what
enforce what stated in the stated in the is stated in the
is stated in the policies and policies and policies and
policies and standards. standards. standards.
The written The written The written
The written instructions instructions instructions
instructions do include some include many of include all the
not include steps, but they the necessary necessary
steps or could be steps, but steps and
enough steps expanded to additional steps have well-
to make them make them and details would supporting
complete. complete. improve the details.
The writing The writing The writing is The writing is The writing is
5. Clarity, lacks clarity. lacks some beginning to mostly clear and professional
clarity. show clarity. business and clear.
Formatting is formatting is
not Formatting is Business apparent. The formatting
and business
appropriate not formatting is is excellent
for business. appropriate for partially applied. Some minor and aligned
business. adjustments with business
Weight: 5% would improve requirements.
the overall
























CIS333   Assignments and Rubrics


Additional Examples and Tips


Example 1: XYZ Inc. Company-Wide Employee Password Strategy




All users must have a password.

Passwords must be changed every six months.




A password must have a minimum of six characters.

A password must have a maximum of 12 characters.

A password must contain letters, numbers, and special characters other than $.




Create a password. The UserID should be an EmployeeID already generated by HR.

Send a request to create the account to the Information Technology (IT) department.

User receives a temporary password.

Users must change their temporary password the first time they log in.


Example 2: Security Policy and Standards


Password Policy: Passwords are an important part of computer security at your organization. They often




In order to define the password policy, it is important to identify the standards.


  1. Multi-factor authentication
  2. Password strength standard


  1. Password security standards; how to keep the password secure


Tips and Points to Consider When Identifying Risks or Security Vulnerabilities


Flaws in operating systems due to constant attack by malware

Denial of services attacks

Employees data theft

User set a weak password or password that is easy to guess,  User leaves sensitive data on an unlocked, unattended computer

Organization allows sensitive data on a laptop that leaves the building Data can be accessed remotely without using proper security