The following three case studies review how to develop or implement a policy framework. You will look at cases from the private sector and the public sector.
The Cyprus Shipping Chamber wanted to address the security requirements of smart shipping. Having digital records, interconnected ships, and electronic data exchange increased the efficiency of shipping, but also increased risk.1
To address these new security challenges, the Chamber employed a case study approach: it took a specific subset of the organization and used it as a template for studying security. This can be an effective way to examine security policies. The approach includes:
During an internal review, American Imaging Management (AIM) decided it needed to improve its due diligence practices. AIM decided to expand its corporate security program. The company began by performing a risk assessment on its current security program.
The assessment used the ISO 27001 gap assessment methods. When complete, AIM delivered a recommended course of action. These activities were intended to address and remediate areas that were either under- or overcontrolled.
Using the Plan-Do-Act-Check cycle from the ISO standards, AIM’s activities included:
By the end of the project, AIM was able to create a road map for building a security program that could be registered to the ISO 27001 standard.
To improve security in California’s IT infrastructure, the Office of the State Chief Information Officer (OCIO) issued a new policy that includes employee remote access security standards for working from home or off-site. The policy also requires that state agencies complete a compliance form.
The policy was issued to help state agencies develop secure remote access for employees and minimize security risks. The corresponding standard highlights important measures that IT agencies must adopt to certify their remote access programs. It includes controls related to the use of up-to-date operating system software and security software for every remote connection.
The standard also requires that all computing equipment connected to the state’s IT infrastructure network for remote access purposes be state-owned and securely configured. Remote access users can only connect through secure encrypted channels—virtual private networks (VPNs)—authorized by agency management. The security measures also apply to paper files and mobile devices such as tablets and smartphones.
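A standard like the one described above is only useful if an agency can check its endpoints against it before signing the compliance form. The following added example (not from the original text, and not the OCIO's own tooling) turns the stated controls into a small compliance check over a constructed endpoint inventory: state ownership, secure configuration, up-to-date OS and security software, and connection only through an agency-authorized VPN. The patch-age threshold and the VPN profile names are assumptions; the page gives no such values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy parameters: assumptions, since the page states no numeric thresholds.
MAX_PATCH_AGE_DAYS = 30  # what we treat as "up-to-date" for OS and security software
AUTHORIZED_VPN_PROFILES = {"agency-vpn-prod", "agency-vpn-dr"}  # constructed names


@dataclass(frozen=True)
class RemoteEndpoint:
    hostname: str
    state_owned: bool
    hardened_baseline: bool        # configured to the agency's secure baseline
    os_patch_date: date            # last OS patch applied
    security_software: bool        # endpoint protection installed
    security_sig_date: date        # last signature/engine update of that software
    connection: str                # "vpn" or anything else ("direct", "open-rdp", ...)
    vpn_profile: Optional[str]     # VPN profile used when connection == "vpn"


def evaluate_endpoint(ep: RemoteEndpoint, today: date) -> List[str]:
    """Return the names of the controls the endpoint fails (empty list = compliant)."""
    failures = []
    if not ep.state_owned:
        failures.append("state-owned equipment")
    if not ep.hardened_baseline:
        failures.append("secure configuration")
    if (today - ep.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("up-to-date operating system")
    if not ep.security_software or (today - ep.security_sig_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("up-to-date security software")
    # Only an encrypted channel that agency management has authorized is acceptable.
    if ep.connection != "vpn" or ep.vpn_profile not in AUTHORIZED_VPN_PROFILES:
        failures.append("authorized encrypted channel (VPN)")
    return failures


def compliance_report(endpoints: List[RemoteEndpoint], today: date) -> Dict[str, List[str]]:
    """Map each hostname to its list of failed controls."""
    return {ep.hostname: evaluate_endpoint(ep, today) for ep in endpoints}


def agency_certifiable(report: Dict[str, List[str]]) -> bool:
    """The agency can certify its program only when every endpoint passes every control."""
    return all(not failures for failures in report.values())


# Constructed sample inventory (hypothetical hosts and dates).
TODAY = date(2024, 3, 1)
SAMPLE_ENDPOINTS = [
    RemoteEndpoint("lt-0001", True, True, date(2024, 2, 20), True, date(2024, 2, 28),
                   "vpn", "agency-vpn-prod"),          # fully compliant
    RemoteEndpoint("lt-0002", False, True, date(2024, 2, 25), True, date(2024, 2, 28),
                   "vpn", "agency-vpn-prod"),          # personally owned laptop
    RemoteEndpoint("lt-0003", True, True, date(2023, 12, 1), True, date(2024, 2, 28),
                   "direct", None),                    # stale OS, no VPN at all
    RemoteEndpoint("lt-0004", True, True, date(2024, 2, 25), True, date(2024, 2, 28),
                   "vpn", "home-router-vpn"),          # VPN, but not an authorized one
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_ENDPOINTS, TODAY)
    for host, failures in report.items():
        print(host, "OK" if not failures else "FAIL: " + "; ".join(failures))
    print("agency certifiable:", agency_certifiable(report))
```

The check is deliberately all-or-nothing per endpoint, matching the standard's wording that every remote connection must meet the controls; a single non-compliant device blocks certification, which is the conservative reading an auditor would apply.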
According to the information policy letter, agency heads must comply with the following:
California was among the first governments in the country to establish enterprise-wide policies for remote access, joining states such as Virginia and Arizona, and the federal government.