Creating and Communicating a Security Strategy

Creating and Communicating a Security Strategy

CIS 333

Assignment 1

Acting as the IT security administrator for CARE4ALL, a company that provides various tiers of medical insurance coverage to individuals, families and companies. The corporate facilities structure has buildings in multiple cities within the DMV (District of Columbia, Maryland and Virginia). Each CARE4ALL site houses people from multiple departments to include, but not limited to, Human Resources, Sales, Marketing, Information Technology, Security, and a Customer Contact Center. Each person will have access to security areas within the buildings while certain areas are secured to individuals who do not need access to designated areas.

The corporate IT infrastructure has several servers, workstations, laptops, mobile devices, customer contact phone banks, and tablets. Each employee has a unique login, email, and access card that includes all of their access to the systems and facilities they are allowed to access. Within the IT systems, there are proprietary applications tailored to the individual’s type of work. These applications are loaded on the corporate systems and in some cases on personal devices for those that bring their own device for work (BYOD)

Within the corporation, each department has designated roles for each employee in that department, and the IT assets are designed to function according to the profile of the individual logged into that device. For example, a customer contact employee will have physical access to all areas within the facilities for maintaining the physical security of the company but may only have access to certain applications within the corporate network. All of the positions access will be tailored by the IT security and the physical security teams. Each role within the organization will be granted access to the network according to role and responsibilities. Please find the draft of the Security Memo being generated for all employees defining security policies and procedures for CARE4ALL Company.


From: IT Security Department
Date: November 13, 2017
Re: Security Policy

General Policies and Motivation

To define policy and establish procedures related to corporate computer systems and to provide guidance and standards for configuring computers and systems within the company. The standards provided are subject to change based on new or existing requirements. The Corporate Information Systems Officer (CISO) and/or the Chief Information Officer (CIO) must approve any changes or deviations from this policy. Guidance and standards are provided for the following areas:

1. Access Control

2. Physical Security

3. Email Policies

4. Breach Reporting Responsibilities

5. Mobil Policy and BYOD (Bring Your Own Device)

Section 1: Access Control Standards

Permanent or temporary access to the corporate network will be restricted to corporate employees, temporary employees, or contracted employees. Access to IT systems will require a unique login, password, biometric data, or token depending on the IT systems required access type. Below will outline the requirements for each:

Unique login Practices:

Unique logins will include the individual’s alphaloc, a 2 digit number, 2 lower case alpha and a number (i.e. oc22wc8).

If an individual login duplicates another existing login, a number will be added to the end the newly created login (i.e., oc22wc89)

Unique logins will be deactivated after 30 days of no activity or when no longer needed.

Unique logins will be deleted after 45 days of inactivity.

Data from unique logins will be maintained for a period of 3 years or in accordance with state and federal laws.

Password Practices:

All passwords must be at least 14 characters long.

Passwords must contain at least 1 upper case letter (A-Z), 1 lower case letter (a-z), 1 number (0-9), and 1 non-alphanumeric character (i.e. $,#,%)

Passwords will expire every 60 days.

All systems will be set remember at least 10 historical passwords that cannot be reused.

User passwords must not be shared with anyone for any reason.

Passwords must be different on each system the user has access to.

Biometrics Standards and Practices:

Corporate policy is to protect and store biometric data in accordance will all state and federal laws and standards. This includes, but is not limited to, state of residence Biometric Information Privacy Acts.

An individual’s biometric data will not be collected or obtained by the corporation without prior written consent of the individual. The corporation will inform the individual for the reason the biometric data information is being collected and the length of time the data will be maintained.

The corporation will not sell, lease, trade, or otherwise profit from an individual’s biometric data.

Biometric data will not be disclosed by the corporation without written consent from the individual, court-ordered, or disclosure is required by law.

Biometric data will be stored using a reasonable standard of care and in a manner that meets or exceeds the corporate standards of storing Personal Identifiable Information (PII) and Protected Health Information (PHI)

The biometric data will be destroyed when the purpose of obtaining or collecting the data has been fulfilled, or the employee is no longer with the company.

Token Standards:

Hardware tokens will be used when necessary for IT systems as designated by the corporate IT department guidelines.

Hardware tokens do contain PII & PHI such as individuals name, username, email, and contact information.

Hardware tokens must be safeguarded by individuals in such a manner that the PII & PHI will not be disclosed or lost.

Hardware tokens will be turned in to the corporate IT department or physical security department when no longer needed, or the individual is no longer with the company.

Section 2: Physical Security Standards

Physical security will be maintained by all corporate employees, temporary employees, and contracted employees. Physical security comprises of, but is not limited to, locked doors, access card, surveillance, alarms, and employee awareness. Below will outline the requirements for each:

Locked Door Practices:

All doors to access the corporate buildings and within a controlled area in the buildings will remain locked at all times. These doors will be accessible by individual access cards are given to all individuals as needed.

Corporate visitors must be signed in at the access control desk and escorted by a cleared individual to the areas requested.

Access cards must be used on all locked doors by each individual as they access that door and no “piggy backing” (using another individual’s access card) will be tolerated.

Access Card Standards and Practices:

Access cards will be used to gain entrance to all corporate buildings and doors to certain controlled areas within the buildings (i.e., IT server room).

Access cards do contain PII & PHI such as individuals name, photograph, and contact information.

Access cards must be safeguarded by individuals in such a manner that the PII & PHI will not be disclosed or lost.

Access cards will be turned in to the corporate physical security department when no longer needed, or the individual is no longer with the company.

Lost access cards must be reported to corporate physical security immediately so the card can be deactivated and a new one issued to the individual.

Surveillance Practices

Surveillance of all corporate buildings will be monitored 24 hours a day and 365 days a year.

Surveillance consists of physical security personnel roving the areas and video monitoring systems that record all activity within the buildings and in the exterior of the buildings.

Video surveillance will not be conducted in areas where personal privacy is required (i.e., restrooms). But, physical security will regularly do spot checks in those areas for physical and personnel safety reasons.

Video surveillance will be recorded and maintained on and off-site for a period not less than 120 days.

Video surveillance will not be disclosed by the corporation without written consent from the Chief Security Officer, court-ordered, or disclosure required by law.

Alarm Standards:

Alarms will be installed in corporate buildings for fire detection and physical access.

Fire alarms will be installed on all floors and in all rooms in accordance with local building codes.

Physical access alarms will be installed on all doors, windows, or other access points into corporate buildings and controlled spaces within the buildings.

All alarms will be monitored by physical security personnel and linked to local fire and police as appropriate.

Each controlled area will also include a manual activation for the alarm in case an intrusion is detected.

Employee Awareness Practices:

All employees will be briefed and provided a copy of all physical security policies upon hire, annually, and in the event of any changes to policies.

Each employee will be given policies tailored to the area of access within the corporate buildings.

Any employee found to be violating physical security policies will be subject to administrative discipline up to dismissal from the company as deemed necessary by the management team.

All employees are directed to report physical security violation immediately to the physical security office and their direct supervisor.

Physical security is the responsibility or all employees to help maintain a safe work environment for all personnel.

Section 3: Email Policy Standards

Email policies regarding corporate email will be defined as use of email, email forwarding, and email back up procedures. Access to corporate email will follow the policies in place for Access Control.

Email Practices :

Corporate email is for use for official company business and is not for personal correspondences.

Corporate emails are subject to monitoring by the IT security team without notification to the user.

Corporate emails will be deactivated after 30 days of inactivity.

Corporate emails will be deleted after 45 days of inactivity.

Data from corporate emails will be maintained for a period of 3 years or in accordance with state and federal laws.

All corporate emails will contain a signature block from the sender containing, at a minimum, the full name, title, phone number, email address, work location, and the email disclaimer provided by the IT department (This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and deleted this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.).

All corporate emails will also include a digital signature generated by the IT department unique to the individual.

Email Forwarding Standards:

Employees must exercise the utmost caution when forwarding any email form inside or outside the corporation. Sensitive information must not be forwarded unless that email is absolutely necessary to corporate business.

Any corporate email being forwarded outside of the company must also be copied (CC) to the individual’s direct supervisor for tracking and accountability.

Email Back Up Standards:

Email residing on the corporate email servers will be backed up and retained for a period of no less than six weeks and can be recovered by request of the sender if needed.

An email will be recovered in emergency recovery procedures within in the six week retention period.

Email may be locally archived by the user on the corporate file server. Locally archived emails will not be the responsibility of the IT department for recovery purposes.

Emails may be printed for local retention by the users but must be safeguarded in the same manner as the email itself.

Section 4: Breach Reporting Responsibilities Standards and Practices

It is the responsibility of all employees, temporary employees, and contracted employees to report data breaches immediately to the IT Security department. These breaches include, but are not limited to, data loss or disclosure, unauthorized systems access, the disclosure of corporate data or PII & PHI. Data security breaches will be handled by the IT Emergency Breach Response Team in accordance with the Corporate Breach Response Policy.

Section 5: Mobile Policy and BYOD (Bring Your Own Device) Standards

This section will outline the corporate guidelines of use of mobile devices and BYOD within corporate buildings and the surrounding property.

Mobile Device Practices:

Employees are directed to not use their personal mobile devices while on company time. The corporation does recognize that all employees have personal emergencies or personal items that need to be taken care of. Supervisors will make case by case exceptions for individual employees as need for these situations. It is recommended that personal situation accommodated for be taken care of outside of corporate buildings as to not interfere with other individuals work.

Personal mobile devices should be turned off and put away in a safe place while at work. The corporation will take no responsibility for lost or stolen mobile devices.

Corporate mobile devices are the responsibility of the assigned user and must be retained by that user at all times.

Corporate mobile devices are not to be used for personal business and any personal phone calls or data usage will be the financial responsibility of the assigned user as outlined in the Mobile Device User Policies.

Employees that have a user agreement for BYOD will conduct corporate business on these devices the same corporate devices.

  • Bring Your Own Device (BYOD) Standards:

The security and procedures for a BYOD will adhere to corporate polices in regards to all corporate related items.

BYOD items are the sole responsibility of the individual and the corporation accepts no liability for damage, loss, licensing, support, or other issues that arise with the device.

Corporate IT will provide support on BYOD only to functions that directly related to the individuals work needs.


Biometrics. (n.d.). Retrieved October 27, 2017, from

Fingerprints and Other Biometrics. (2016, May 03). Retrieved October 30, 2017, from

Pironti, J. (n.d.). Developing an Information Security and Risk Management Strategy . Retrieved October 30, 2017, from

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & management51(2), 217-224.

Place an Order

Plagiarism Free!

Scroll to Top