C841 Legal Issues in Information Security.pdf
B1: Information Security Policies

Intellectual Property Policy: In order for a company to protect its proprietary information and that of its customers, a strong intellectual property policy is vital. It should clearly dictate the company’s expectations, such as how private information can be used, whom it can be shared with, and where it should be stored (Saha, n.d.). In addition, the policy should address how this information is to be secured in order to protect it from internal and external attacks (Saha, n.d.). Addressing these factors would have helped protect the data of TechFite and its clients from unauthorized access and disclosure.

Two-Factor Authentication: There are three types of credentials that can be used to perform authentication: something you are, something you have, or something you know (McElroy, 2015). Two-factor authentication requires that credentials from two of these categories be used in conjunction to enhance security (Rosenblatt & Cipriani, 2015). One of the most common examples of this is the use of a smart card (something you have) and a PIN (something you know). This policy would have deterred the use of dummy accounts by the BI Unit and prevented Carl Jaspers from using the email accounts of former employees.

B2: SATE Key Components: The first component of any successful SATE program is awareness. The purpose of this phase is to bring attention to the importance of security and demonstrate how to recognize and respond to IT security concerns. This is followed by training, which begins with security basics and literacy for all users involved with IT systems. Individuals will then be provided additional specialized training based on their functional roles and responsibilities relative to IT systems. IT security specialists and professionals will be provided education and professional development opportunities such as college programs and certification tracks in order to integrate “all of the security skills and competencies of the various functional specialties into a common body of knowledge” (Wilson & Hash, 2003, p. 9).

B2a: SATE Communication: A tiered approach should be employed to maximize the program’s effectiveness. The first step will be yearly, in-person training that explains the threats to TechFite’s information security and demonstrates how to recognize and report these activities. This ought to be supplemented by sending the staff monthly security tips to notify them of new developments and to keep information security at the forefront of their minds (Patrick, 2017). Finally, threat emulation tools should be used to determine the effectiveness of the training by observing how employees respond to simulated security incidents (Patrick, 2017). Based on the results, individuals can be enrolled in additional training if necessary. Varying the time, delivery method, and content of training in such a manner will help to prevent the development of an apathetic attitude towards the subject.
School, study and subject
- Institution: Western Governors University
- Course: IT C841
Document information
- Uploaded on: September 26, 2023
- Number of pages: 7
- Written in: 2023/2024
- Type: Exam
- Contains: Questions and answers