Your group is working for a global organization that handles highly classified intellectual property. In many situations and scenarios, the implementation and operations teams have been creating and setting up environments that violate your vision for security. When the situation was discussed with the various parties, they all admitted that they do not fully know or understand what is expected of them as they set up and configure the environment. To resolve this situation, your group has been asked to create a network security policy for the organization.
Each group member will choose an element of the policy to design, and the group will collaborate on what the overall design and outline should look like. The policy should include components covering end-user behavior, a training plan, file and folder access, social engineering safeguards, bring-your-own-device policies, use of external drives on company assets, security hardware, penetration testing, and affiliation of the information security department with law enforcement agencies. Students may either interview someone in the local FBI field office or research the FBI and DHS websites related to information-sharing programs that the government offers; this could be advantageous to the organization’s information security program.
To keep the scope narrow, your group should first describe what should be included and what should not be included in the policy (remember that a policy should clearly set management’s expectations).
After the scope has been defined, research the various components, and create an appropriate policy.