Operational Policy
Introduction to Operational Policy
Cybersecurity policies, like other corporate security policies, seek to govern practice and behavior around a wide array of issues in the workplace. These may include which devices are allowed to be used for work purposes and what they are used for, what applications and websites are allowed, what data can be accessed by which employees for what reasons, and generally how information is to be stored and accessed in the environment. This class allowed students to read about and research a variety of policy topics and consider the tradeoffs that must be made in implementing a successful policy. Policies must be clear, detailed, and comprehensive. However, they must also be readable, accessible, and understandable to the audience that they apply to and who are expected to abide by the specific policy or policy set. Knowing the audience the policy is intended for is critical, as is implementing policy that is professionally and ethically legal and responsible. A wide variety of federal, state, and consortium-based laws and standards come into play when writing and implementing policies that the author and cybersecurity practitioner must be familiar with. Finally, good policy considers human psychology and behavior, ensuring that policies in the organization are reasonable, fair, and enforceable. Bad policy can harm the organization and its employees. For these reasons, operational policy is certainly an area that merits careful study and discussion, as was done in this class.
Reflection
As I come from the more technical and engineering-focused area of information and technology, policy writing as taught in the Operational Policy course was a welcome extension for me. Policies cover the behaviors and actions we expect from employees acting on behalf of the organization. Furthermore, they often cover how customers and third-party contractors are allowed to interact with the organization, as is the case for students in a university or corporate consultants accessing organizational information. A policy could govern items as far-reaching as corporate payroll or travel expense reimbursement. In the cybersecurity realm, they focus on corporate data, systems, and technology assets. Often corporate policy is in place to help ensure that the organization and its employees comply with one or a combination of relevant federal, state, and consortium-based laws and rules. Examples of this include PCI-DSS when taking payments, Sarbanes-Oxley for publicly held organizations, and HIPAA for those organizations that handle medical and patient data.
A major takeaway from this course is that corporate policy (specifically in the cybersecurity domain) requires a great deal of care and attention when it comes to writing realistic and enforceable policies. For example, one could author and have adopted a policy that bans visiting any websites for personal business on corporate devices. This raises questions about whether the policy is really relevant and enforceable. Is personal banking and healthcare-related traffic banned? What happens when an employee violates this policy? In reality, a more moderate policy is likely best for most organizations. Employees often quickly find ways to circumvent or work around policies that are too restrictive or limit their productivity.
The best policies, and the work done in this course, seek to create applicable operational policy that helps protect the business from cybersecurity threats and complies with applicable laws and regulations while also being realistic, understandable, and enforceable. The author must seek to understand the professional and ethical implications of the language in a specific document to ensure that it will benefit the business and its employees. Concise writing is especially desirable here, as it is critical that policies are readable by a nontechnical audience when required. “Malware” and “multi-factor authentication” may be common terms within the cybersecurity community but may have little or unclear meaning outside of it.
In summary, the work of crafting a good cybersecurity policy is extremely important. Well-written policies help protect the organization and its employees from threats, fines, and a host of other issues. Training on how to craft policies that address these issues has been quite valuable, and I look forward to using these skills in the future.