Final Project - Computer Science
In this final project you are to update, refine, and combine the past seven weeks of labs to create the Information Security Plan as a single final document. Remember that you are the Information Security Officer of Mahtmarg Manufacturing, a small manufacturing company worth approximately $5 million that provides fiber cable to local businesses, individual customers, and government organizations. You are creating the final Information Security Plan (Issue-Specific Security Policy in Table 4-3 of the textbook).
The Prohibited Use Section of the ISP

The prohibited use section of the ISP specifies the activities considered unacceptable when using Mahtmarg Manufacturing Company's network connection. It also identifies the information that must not be accessed using the company's systems and the practices that employees must not engage in (Boiko & Shendryk, 2017).
Further, it documents the regulatory stipulations that employees must follow to ensure that they use the company's information systems appropriately.

Prohibition of Illegal Conduct

Mahtmarg Company will assess and discontinue the accounts and connections of any individuals using its services who engage in actions that violate its policies. The company may subsequently take legal steps against users who engage in offensive acts (Boiko & Shendryk, 2017). Actions in this category include conveying messages with sexual content, such as pornography, and distributing material that incites hatred or other undesirable practices such as racism and cruelty.

System and Network Activity Restrictions

Copyright Infringement
The company does not permit users to use its platform to violate the copyright of others by reproducing their content without consent. Copyright infringement includes the illegal reproduction of third parties' music or movies.

Proprietary Information Disclosure
The company does not permit users to infringe upon or expose the confidential business information of other users (Gronwald, 2020). Any individual found to have infiltrated the private content of others will face stiff penalties, including termination of their accounts.

Unauthorized Use for Personal Business
The company does not permit users to use the network for activities other than official business. For example, users may not use the company's information systems for personal purposes such as browsing social networking sites like Facebook and Twitter.

Malicious Business
The company will watch for and take action against any activities that compromise the effectiveness of its services. For example, it will not condone illegal activities meant to deceive others, such as gambling (Gronwald, 2020).
Further, it forbids any actions that allow harmful elements such as viruses and Trojan horses onto the network.

Account Disclosure
The company prohibits users from using the network for malicious activities such as accessing the accounts of other individuals. This includes attempts to hack the security information of other users.

Email and Communication Activity Restrictions

Unsolicited Emails
Mahtmarg Company reserves the right to filter out and limit the transmission of unsolicited emails over its networks. Unsolicited emails in this context include bulk transmission of promotional messages (Boiko & Shendryk, 2017) and messages with political overtones.

Harassment
The company does not permit the network to be used to send emails whose contents are meant to harass the recipients. The company will penalize users who use the platform to spread such content.

Chain Letters
Users of the Mahtmarg network are not allowed to use the platform to send chain letters, which encourage forwarding the same content repeatedly to different individuals.

Spam
The company strictly forbids users of the network from sending messages considered spam (Boiko & Shendryk, 2017). The practices in this category include sending content to unwilling parties or sending the same content repeatedly to the same recipients.

Blogging and Social Media Activity Restriction
The company will monitor how users of its services use social media to ensure that such use does not violate any stipulated statutes.

Representation of the Company on Blogs or Social Media
The company allows enterprises to use social networking platforms to promote their activities. However, while using the network for this purpose, users must refrain from activities that compromise the confidentiality of companies or of the people within them.
First, users are not allowed to share private information about individuals, such as their names, ages, or places of residence, without their consent (Boiko & Shendryk, 2017). Second, it is forbidden to share private information about the company, such as its financial health, products to be launched in the near future, or the techniques the company uses in its operations (Gronwald, 2020). Further, the company forbids any attempt to discredit an enterprise by posting damaging content about its employees without due cause.

Separation of Personal and Professional Comments
The company does not allow social media to be used in a manner that is harmful to companies. For example, it does not allow users to post content on behalf of companies without adequate consent. Users must indicate whether the information they post on networking sites such as Facebook is their personal comment or is posted with the explicit permission of the company on its behalf (Boiko & Shendryk, 2017). The company will not allow inappropriate use of social networking sites, such as posting information on behalf of a company without first seeking permission to do so.

Conclusion
The prohibition section of the ISP will ensure responsible and effective use of Mahtmarg Company's network for the benefit of its users. It will help eliminate activities or violations that would interfere with the effectiveness of the services, and it will ensure that the network is used without unexpected disruptions.

References
Boiko, A., & Shendryk, V. (2017). System integration and security of information systems. Procedia Computer Science, 104, 35-42.
Gronwald, K. D. (2020). Integrated Business Information Systems. Springer Berlin Heidelberg.

Authorized Uses

The technology is used by both customers and organizations that have expressed interest in it.
Fiber cable is the current trending technology; it has increased transmission speeds so that users can transfer data files at high rates. The technique reduces traffic, ensuring that people can conduct different research at the anticipated speed. The technology can be used by organizations that use internet services to meet their clients' requirements (Hall & Minto, 2019). For an extended period, slow internet speed was a challenge, but the introduction of fiber cable has eliminated it. Clients can purchase the product and use it from the comfort of their homes for communication and internet access.

Fair and responsible use expounds on the policies that should be considered. For instance, the office internet should be used strictly for work purposes and not for surfing the internet for individual benefit. Employees should understand that fiber cable is extremely costly and should not be diverted to non-beneficial uses (Hall & Minto, 2019). Additionally, they should be responsible in that passwords should not be given to external parties. This will prevent external threats from maneuvering into the company's software systems. All workers should be responsible and collaborate in protecting the organization from unwarranted attacks originating from the internet.

Companies have to protect personal and proprietary information. Such data can be protected by limiting access to the storage systems. Few people should have control over such information, and only when it is necessary (Hall & Minto, 2019). Public hotspots should be banned because they have contributed to threats in the organization; the policies should include prohibiting external parties from accessing the hotspot. Another tactic is encrypting passwords and internet information to ensure they are accessible only within the organization.

Reference
Hall, A. J., & Minto, C. (2019). Using fiber optic cables to deliver intelligent traffic management in smart cities. In International Conference on Smart Infrastructure and Construction 2019 (ICSIC): Driving data-informed decision-making (pp. 125-131). ICE Publishing.

IS311 Security Operations (11-AUG-21 - 05-OCT-21 [80050])

Introduction
Mahtmarg Manufacturing is an organization that offers fiber cable to local organizations, government organizations, and individual customers. This information security plan documents the organization's plan and the security measures that will be put in place to help secure the organization's personal and sensitive data.

Purpose
The Information Security Plan (ISP) aims to create an operational, tangible, and procedural plan that will help secure the data of Mahtmarg Manufacturing's customers. The objectives of the plan are to ensure that the information assets and customer data of the organization are secure and protected from loss, destruction, and access by unauthorized personnel who might have malicious intentions toward the organization. The purpose of this plan is to give an overview of what is required of employees and of the controls that are in place in the organization (Jayanthi, 2017). The plan will also describe the roles and responsibilities and the expected behavior of all individuals who will have access to the information. The ISP will also incorporate the input of all departments and managers of the organization.

Scope
The scope of the ISP defines what information is included and what is excluded. It covers the storage of information on computers and in databases, and the format in which the information is presented to employees, whether printed or in soft copy (Nieles et al., 2017).
The scope of the ISP also entails the process of assessing information risks and vulnerabilities and includes the controls used to ensure that the organization's information is secure.

Roles and Responsibilities
With regard to this policy, the following are the roles and responsibilities of the different employees in the organization.
• Chief Information Officer: the top executive in the manufacturing organization, charged with the implementation of computer technologies and with supporting the organizational objectives and goals regarding information technology systems (Dhillon et al., 2018).
• Information Security Officer: responsible for maintaining a secure environment for customers and other stakeholders by monitoring the organization's premises and systems.
• Information Security Architect: responsible for helping enforce and implement the policy by recommending the ways and methods in which the manufacturing entity can update and upgrade its security.
• Information Security Coordinator: helps evaluate and coordinate the organization's security programs by ensuring that the programs put in place are effective, and identifies the need for any additional resources.
• Data Proprietor (administrative official): has oversight authority over data and helps establish the purpose and functions of the different data resources.
• Data Custodian (technical staff): works directly with the data owners and is charged with the maintenance, protection, and storage of information.

References
Dhillon, G., Torkzadeh, G., & Chang, J. (2018, June). Strategic planning for IS security: designing objectives. In International Conference on Design Science Research in Information Systems and Technology (pp. 285-299). Springer, Cham.
Jayanthi, M. K. (2017, March). Strategic planning for information security: DID mechanism to befriend the cyber criminals to assure cyber freedom. In 2017 2nd International Conference on Anti-Cyber Crimes (ICACC) (pp. 142-147). IEEE.
Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. NIST Special Publication, 800(12), 101.

Information Security Plan

Authentication and Encryption
Authentication is used to determine the identity of a person accessing information on a site. It involves the use of a user name and a password. Authentication will also be carried out through fingerprints, voice recognition, and retina scans. Authentication does not determine the tasks an individual can perform or the files that one may see; the process only identifies and verifies the identity of the person or system.

Encryption transforms data into a form that is unreadable by anyone without the decryption keys. The encryption process uses several protocols, such as the Secure Sockets Layer (SSL) protocol and the Secure Shell (SSH) protocol. Data in SSL transactions is encrypted between the browser and the web server. Encryption allows data to be sent across the internet with minimal risk of being intercepted (Safa et al., 2016). This is especially important for critical data such as credit card numbers and social security numbers.

Roles and Duties of a System Administrator
The system administrator is responsible for monitoring and alerting on any key concerns or issues in the organization's infrastructure and applications. A system administrator must know how to set up alerts based on monitoring thresholds in order to receive on-call notifications during significant incidents. The system administrator should know how to use external system outputs and metrics to determine the health of their systems (Moody et al., 2018).
A system administrator is in charge of administering all applications and services. The system administrator is also responsible for managing passwords and single sign-on (SSO) practices and policies in the organization, and aids other employees in accessing the system. The administrator also establishes procedures and sets policies on how files are organized and shared within the organization; this offers security from external attacks and allows easy access to files. The system administrator is also responsible for software installation and updates to minimize the threat of attacks. Above all, the administrator should advocate security to all staff during the formulation of policies and the installation of servers.

User Responsibilities
Users are also responsible for cyber security protection within an organization. All users are expected to have a basic understanding of cyber security risks and how to avoid falling victim to cyber-attacks. Users should be willing to take part in educational activities organized by the organization's management (Moody et al., 2018). Users are also expected to abide by cyber security policies and procedures. Such policies include an acceptable use policy, an email usage policy, and a BYOD policy, among others.

Auditing
Conducting regular cybersecurity audits helps the organization establish rules for handling sensitive customer and employee information. Auditing also helps the organization stay up to date with security measures, identifies physical security vulnerabilities, and helps in formulating new security policies for the organization (Moody et al., 2018). It prepares the organization to respond to emergencies during cybersecurity breaches.

Configuration
Configuration involves the security measures implemented when installing and building computers and network devices to reduce their vulnerability to cyber-attacks.
Configuration helps reduce the risk of outages and security breaches (Safa et al., 2016). Accurate records ensure formal configuration control processes.

References
Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1).
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Limitations of Liability

This section covers the various forms of liability under the Information Security Plan (ISP). The plan covers limitations on liability in two sections: statement of liability and other disclaimers.

1.0. Statement of Liability or Disclaimers
The liability of the organization is limited to the provisions given in the liability clause of the organization's policy. Any other liability not covered by the policies will be subject to negotiation among the parties involved. It is the duty of the company to comply with the provisions outlined below, and all employees and members of staff are expected to comply accordingly.

1.1. Liability for Foreseeable Losses
The company will not be liable for losses incurred as a result of incidents that occur after entering into an agreement with a third party, provided that the event could not reasonably have been foreseen by the company before entering into the agreement. In the case of an employee acting on behalf of the company, the occurrence of the loss must be disclosed to the relevant supervisor, together with a disclosure that it was not possible to foresee the loss of data before engagement with the third party.

1.2. Liability for Avoidable Disasters
The company will be liable for loss of client data if a breach of the safety protocols for client information occurs and the breach could have been avoided had certain mechanisms been put in place.
However, the liability of the company is based on the nature of the breach and applies only to breaches that do not relate to a third party. This excludes errors made by the vendor of an information system or errors made by an employee. It is the duty of the company to ensure that information relating to the operations and clients of the company is well protected against loss.

1.3. Plausible deniability

In the case of a transaction between a third party and a company official, there must be a formal process that follows the organization's protocols. Any third party accessing the services of the company must report through the reception and be admitted to the department they need. This enables the company to record the individual's presence on the premises and ensures the company is responsible for all transactions done within the company's premises. In such cases, the company is liable for any loss of information or any other form of damage that may occur in the process of client details management among the members of staff. However, any other form of business carried out contrary to the outlined procedure is considered unofficial. The company is not liable for any damages incurred in the process of accessing services contrary to the company's protocols. Without official communication, neither the company nor the top officials are held accountable for any discrepancies in such cases. However, the employee shall be held in contempt of the company's policies, which is subject to disciplinary review.

2.0. Other disclaimers

2.1. Repudiation of employees

The company expects all employees and members of staff to comply with the company's policies. This includes ensuring they use the company's technology appropriately and that there is no breach that can lead to loss of information from the company's information systems. Employees' conduct has a major contribution to the reputation of the company. This requires the utmost vigilance in ensuring all the conditions are complied with.
However, in case of violation of the company's policies, the employee will be subject to disciplinary action. This includes repudiation of the employee to ensure such actions are not repeated.

Violation of Policy

Every staff member in the Mahtmarg organization should adhere to the given policy. They are equally responsible for reporting circumstances that might violate the provided guidelines. Breaking the policies causes massive damage to the organization and affects the employees. Managers should be keen to ensure that all policies are incorporated without experiencing challenges (Lammie, 2021). Therefore, they are responsible for ensuring conduct is upheld and that those deliberately violating the policies are punished. Discipline is essential because it discourages other workers from violating the provided policies. The punishment could be mild or severe depending on the situation. The primary aim is to eradicate policy breaches.

Steps taken to report a policy violation

The first step in reporting a violation is obtaining conclusive evidence that the violated policy has damaged the organization. Sometimes the culprit might escape being questioned or punished because the witness lacked enough evidence to link them to the circumstance. Therefore, the evidence should be collected and taken to the next step, where the manager is informed about the occurrences. This step is significant because the supervisors will weigh the accuracy of the evidence and focus on solving the case. The witness should then address the moral conduct department about the occurrence (Lammie, 2021). The witness can decide to remain anonymous and report the incidents without revealing their identity. The significant part is proving that an essential policy has been broken and that immediate action should be taken. Hiding their identity will protect an individual from unnecessary criticism or threats to their life.
Another step is to understand that reporting violations is part of an employee's duty, so the employee should not feel threatened. The primary goal is to develop an institution with the best staff members who care for its welfare. After reporting, the witness provides the platform for the administration to carry out various investigations and uncover the reality.

Penalties for policy violation

Various penalties can be given for policy violations to prevent such occurrences from happening. Minor transgressions are given mild punishments, and the person is allowed to resume their duties. The first penalty that can be given is contract termination, where the individual is sent away from the company. Serious offenses call for permanent solutions because the action might be repeated if the individual is forgiven (Lammie, 2021). For instance, mistakes like leaking the organization's private information to malicious sources are a policy violation which the administration cannot forgive. Such an individual is extremely dangerous and can repeat the crime if given a chance. Moreover, any other individual in the organization will be tempted to commit similar breaches. Therefore, that culprit should be laid off for the organization's future benefit, and legal action taken to ensure that they serve their term for violating company codes. Additionally, another penalty that can be given is demoting an individual from their high organizational position. This applies to minor code breaches, and lowering them to a lesser position will strip them of some of the power they possessed in the firm (Lammie, 2021). The company will find a more eligible person who will take the position and refrain from policy breaches. Penalties are generally significant since people are punished for making mistakes that could breach the organization's conduct.
Companies that take little action against a suspect will be affected because other employees will take advantage and compromise the policies, thus leading to the company's downfall.

Reference

Lammie, D. Q. (2021). Copyright Violation in the Information and Technology Industry. Available at SSRN 3793340.

6. Policy Review and Modification

Scheduled Review of Policy

The information security policy will require an annual review to assess whether the policy meets the needs of the organization. The information security policy of the company shall also be reviewed at scheduled intervals and when significant changes occur, to assess the impact of the changes on policies and procedures. The information policy review shall be conducted in case of the following events:

1) Adoption of a new information system or services, or significant changes to the existing information system.
2) Adoption of new critical infrastructure in the organization or any significant changes to the existing infrastructure.
3) Implementation of cloud services for the storage and processing of information, as this could pose an information security threat.

The annual review will focus on identifying any existing information threats and any incidents of information reaching unauthorized individuals or being used for malicious reasons (Moody et al., 2018). The policies and procedures will be reviewed to see whether they comply with all the relevant laws and guidelines provided. If the policy is not effective, there will be a need for modification of the policy.

Procedures for modification

If the ISP is not working as desired, there will be a need for modification, which will be done by the Information Technology (IT) team in the organization. During the annual review, the threats and risks, together with their weight and significant impact on the policy, will be analyzed. Once this is done, the needed modifications will be identified by the IT team.
The modifications and updates will be done according to how significant the risks and threats are. The modifications will be made by the IT team, and the modified policy will be submitted to IT management and the ISO for review (Sharma & Warkentin, 2019). Once the policy is deemed to have incorporated all the changes, it will be made available to the employees and the concerned stakeholders. The employees can access the ISP policy through their portals and also within the organization when needed.

References

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1).

Sharma, S., & Warkentin, M. (2019). Do I really belong?: Impact of employment status on information security policy compliance. Computers & Security, 87, 101397.