You have been hired as the CSO (Chief Security Officer) for an organization. Your job is to develop a computer and internet security policy for the organization that covers the following areas:

Make sure you are sufficiently specific in addressing each area. There are plenty of security policy and guideline templates available online for you to use as a reference or for guidance. Your plan should reflect the business model and corporate culture of a specific organization that you select.

Include at least 3 scholarly references in addition to the course textbook. The UC Library is a good place to find these references. At least two of the references cited need to be peer-reviewed scholarly journal articles from the library.

Your paper should meet the following requirements:

• Be approximately four to six pages in length, not including the required cover page and reference page.
• Follow APA7 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.

NO plagiarism.

Due on Friday (09/25/2020)

Course textbook:
ISBN: 9781119560562
Authors: Keri E. Pearlson, Carol S. Saunders, Dennis F. Galletta
Publisher: John Wiley & Sons
Publication Date: 2019-12-05

Title: Development of a Computer and Internet Security Policy for an Organization


In today’s digital age, organizations face numerous threats to their computer and internet security. As the Chief Security Officer (CSO) of an organization, it is my responsibility to develop a comprehensive security policy that addresses the specific needs and challenges of the organization. This policy will outline guidelines, protocols, and procedures to ensure the confidentiality, integrity, and availability of the organization’s information assets.

Policy Objectives

The computer and internet security policy aims to achieve the following objectives:

1. Protect Confidentiality: Safeguard sensitive and confidential information of the organization, including customer data, financial records, and trade secrets, from unauthorized access, disclosure, or alteration.

2. Ensure Integrity: Prevent unauthorized modifications, tampering, or destruction of data, software, and systems. Maintain the accuracy and trustworthiness of information assets.

3. Enhance Availability: Ensure uninterrupted access to critical systems and applications, minimizing downtime caused by security incidents or system failures.

4. Foster Compliance: Comply with applicable laws, regulations, and industry standards related to computer and internet security, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

5. Promote Awareness: Educate employees, contractors, and stakeholders about the importance of computer and internet security and their roles and responsibilities in maintaining a secure computing environment.

Policy Guidelines and Procedures

A. Access Control:

1. User Authentication: Implement strong password policies, requiring users to choose complex passwords and change them periodically. Consider implementing multi-factor authentication for sensitive systems or privileged accounts.

2. User Account Management: Create individual user accounts for employees and contractors and assign appropriate access rights based on the principle of least privilege. Disable or remove accounts promptly upon employee termination.

3. Access Privileges: Regularly review and update access privileges based on job roles and responsibilities. Grant access on a need-to-know basis and implement segregation of duties to prevent unauthorized access to critical systems.

4. Remote Access: Establish secure remote access procedures, including the use of virtual private networks (VPNs) and encryption technologies, to ensure secure access to networks and systems from external locations.

B. Data Protection:

1. Data Classification: Classify data based on its sensitivity and criticality. Develop procedures for data handling, storage, transmission, and disposal appropriate to the classification level.

2. Encryption: Implement encryption mechanisms to protect sensitive data at rest and in transit. Use industry-standard encryption algorithms and key management practices.

3. Data Backup and Recovery: Implement regular and automated backup procedures for critical data. Test backup and recovery processes to ensure data integrity and availability in the event of data loss or system failures.

C. Network and Infrastructure Security:

1. Firewalls and Intrusion Prevention Systems: Deploy firewalls and intrusion prevention systems to monitor and control network traffic, preventing unauthorized access and detecting and blocking malicious activities.

2. Patch Management: Establish a process to regularly apply security patches and updates to network devices, servers, and software, ensuring known vulnerabilities are mitigated promptly.

3. Network Monitoring: Implement real-time network monitoring tools and techniques to detect and respond to network anomalies, suspicious activities, and potential security breaches.


By developing and implementing a comprehensive computer and internet security policy, the organization can proactively mitigate risks and safeguard its information assets. It is essential to regularly review and update the policy to address emerging threats and incorporate technological advancements. Continuous education and training programs will further enhance the organization’s resilience against cyber threats, fostering a culture of security awareness among employees and stakeholders.

