In this assignment, you play the role of chief information technology (IT) security officer for the Quality Medical Company (QMC). QMC is a publicly traded company operating in the pharmaceutical industry.
QMC is expanding its arena of work through an increase in the number of clients and products. The senior management of the company is highly concerned about complying with the multitude of legislative and regulatory laws and issues in place. The company has an internal compliance and risk management team to take care of all the compliance-related issues. The company needs to make important decisions about the bulk of resources they will need to meet the voluminous compliance requirements arising from the multidimensional challenge of expansion.
QMC will be required to conform to the following compliance issues:
Compliance with regulatory requirements implies encrypting sensitive data at rest (DAR) and allowing access to role-holders in the enterprise who require the access. It also implies that sensitive data in motion (DIM) or data that is being communicated via e-mail, instant message (IM), or even Web e-mail must be suitably protected and sent only to the individuals who have a right to view it. The company is conscious about the loss they may face in terms of penalty and brand damage if they fail to abide by the compliance laws, especially in the online information transfer phase. Therefore, as a dedicated employee, your task is to develop a content monitoring strategy using PKI as a potential solution. You will need to determine a process or method to identify multiple data types, processes, and organizational policies. Incorporate them into a plan, and select a PKI solution that will effectively address the content management needs of your company.
You need to present your PKI solution in the form of a professional report to the senior management.
Discuss with your peers which of the two remote access solutions, virtual private networks (VPNs) or hypertext transport protocol secure (HTTPS), you will rate as the best. You need to make a choice between the two remote access solutions based on the following features:
•Consider the organization where you work, or an organization where you would like to work if you are not currently employed.•Create a Policy that would benefit your organization•Suggest some controls for your policy•Suggest an audit mechanismUse the following Format for your policy:
You should put one or two sentences here that summarize the policy and its purpose for management. This is typically an explanation of why the policy exists. Don’t be too technical.
This is where you define who or what the policy applies to, from all employees to only cashiers that handle cash in the front office. If it applies to equipment, it could be all equipment, all servers, all network connected equipment, or just company issued cell phones. Be specific.
This is where the policy is actually defined. Don’t be too specific, leave that to the procedures and controls that support the policy.
For example, a password policy might state that users cannot share passwords, passwords must be complex, help desk personnel never request passwords, and passwords must rotate periodically. The details of good password construction can be then put in a guideline document, instructions for the help desk on reseting passwords can be a procedure, and that Group Policy is used to force password changes every 60 days is a technical control. None of that should be in the policy, but it all needs to be properly documented and communicated to the people that need it – the guidelines to all staff, the help desk procedure to help desk staff, and the technical controls to the domain admins.
If you are in doubt remember that good policy statements talk about what the policy is trying to accomplish, and are addressed to a wide audience. Procedures and controls talk about how it is to be accomplished and are addressed to the staff that must carry it out.
Typically, this section includes the job title of the person responsible for overseeing its implementation or the department if multiple people are responsible, a reference to audit mechanisms, and the consequences for failure to abide by policy.
This section usually contains definitions of technical or ambiguous terms, cross-references to applicable regulations, and other policies that relate to this policy. Examples include union contracts, discipline policies, and implementation guidelines. In our password policy example, this where readers would be told to consult the password construction guideline document.
If there any circumstances that might allow temporary exception to the policy, such as during an emergency, define them here. If there is anyone with the authority to temporarily waive the policy, they should be identified by job title. This section is often omitted since many policies do not allow any exceptions.
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.Read more
Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.Read more
Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.Read more
Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.Read more
By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.Read more