Creating and Communicating a Security Strategy

Assignment 1: Creating and Communicating a Security Strategy

CIS 333

January 28, 2018


As the Information Technology professional in charge of security for a company that has recently opened within a shopping mall, my task is to set the appropriate goals and establish the security policy that will keep the company's network services available throughout the mall for the long term. The purpose of this security policy is to inform all employees of how this organization operates and how its information is kept secure. The topics covered are as follows.

All IT employees must receive basic indoctrination in the principles of security during accession training. The IT Manager will conduct security indoctrination training for all new personnel who will handle classified material.

Basic Policy

The IT policy is established in compliance with the Department of the Navy (DON) Information and Personnel Security Programs to ensure that information classified under the authority of Executive Order 12958 or any predecessor order (Executive Order 12958 has since been superseded by Executive Order 13526) is protected from unauthorized disclosure, and that the granting of access to classified information or assignment to other sensitive duties is clearly consistent with the interests of national security. The policy sets out the following:

1. Prevent unauthorized persons from gaining access to classified material.

2. Provide security for classified information consistent with those requirements established by higher authority and sound management principles.

3. Develop security awareness through education and familiarize personnel with the requirements for safeguarding classified information.

4. Security is a means, not an end. The rules that govern the security of classified information do not guarantee protection, and they do not attempt to cover every conceivable situation. All personnel who work with classified information must keep a balanced, common-sense approach to the subject. Ideally, all personnel are indoctrinated to the point that they automatically exercise proper discretion in the performance of their duties; security of classified information then becomes a natural element of every task rather than an additional burden.

5. Provide procedures for internal and subordinate security reviews and inspections.

6. Provide procedures for the destruction of classified material.

7. Implement initial and continuous security education to further enhance the security posture of the IT community and educate the personnel within the company.

8. Every individual, staff and managers alike, is personally responsible for complying with all aspects of this program.


An orientation briefing will be given to all personnel who will have access to classified information as soon as possible after they report aboard or are assigned to duties involving access to classified information. The briefing will cover the IT security structure; any special security precautions within that framework (e.g., restrictions on access); and the individual's general security responsibilities.

On-the-Job Training

Supervisors must ensure that subordinates know the security requirements that affect the performance of their duties. This training may consist of oral reminders, meetings, or written instructions. The IT Manager will assist supervisors in identifying the appropriate security requirements. Supervision of the on-the-job training process is critical: supervisors are ultimately responsible for procedural violations or compromises that result from improperly trained personnel. Expecting subordinates to learn proper security procedures by trial and error is not acceptable.


Classified information will not be disclosed at conferences, seminars, exhibits, symposia, training courses, or other gatherings (hereafter called meetings) unless disclosure of the information serves a specific purpose and adequate security measures are taken to control access to the information and prevent its compromise. Disclosure at a meeting is permitted only when all of the following conditions are met:

1. Disclosure of classified information at the meeting is in the best interest of national security.

2. The use of conventional channels for dissemination of classified information will not accomplish the purpose of the meeting.

3. Personally identifiable information (PII) is not shared among employees who do not need it, all financial records are kept confidential, and adequate security measures and access procedures are imposed.

4. Attendance will be limited strictly to those persons whose presence is considered necessary in the interests of national security.

5. The conference rooms and areas in which classified information is to be discussed afford adequate security against unauthorized access.

6. Sessions are monitored to ensure that discussions are limited to the level of classification authorized.

7. Classified notes received or taken are controlled.

Emergency Action Plans

Emergency Action Plans (EAPs) are vital to the security of classified information and equipment. The absence of viable emergency planning could seriously degrade the security of classified material in the event of a natural disaster, civil disorder, terrorist attack, or hostile enemy action. Listed below are the types of emergencies that could occur and the actions that will be taken to ensure the security of the command's classified material. In the event of a natural disaster, the security of classified material will be maintained until the situation stabilizes.

Plans to mitigate the effects of hostile action must take into account the possible scenarios that could occur and, correspondingly, the risk associated with each scenario in the mall, so that threats of hacking, fraud, or breach can be prevented or contained.

Protection in contingency situations refers to the employment of additional security measures, for example posting an armed perimeter guard force during a mob disturbance, on top of the normal physical security already in place at the facility that stores the classified material.

Annual Refresher Briefing

The IT Manager will provide an annual security refresher briefing to all personnel who have access to classified information. The briefing will cover new security policies and procedures, counterintelligence reminders, continuous evaluation, security concerns or problem areas, and the safeguards and measures used to protect classified and sensitive unclassified information. Other security-related topics may be included as necessary.

Security Education

The purpose of security education is to ensure that all personnel, whether transferred in or newly hired, understand the need for and the procedures for protecting the IT environment and the classified and sensitive unclassified information it handles. The goal is to develop fundamental security habits as a natural element of each task.

No individual will be given access to classified information or be assigned to sensitive duties unless a favorable personnel security determination has been made regarding their loyalty, reliability, and trustworthiness. A Personnel Security Investigation (PSI) is conducted to gather the information pertinent to these determinations. Only the minimum investigation necessary to satisfy the requirements for the level of access required or the sensitivity of the position occupied will be requested. Access will not be granted automatically, and it does not have to be granted at the full level of eligibility: eligibility sets the maximum level that may be granted, while actual access is limited to what the individual's duties require.


References

Strayer University Library

SECNAV M5510.30, Department of the Navy Personnel Security Program

National Security Agency