1. Caoimhe O’HaganA security policy is an evolving document within an organisation with the goal of protecting and securing information. Each is unique to an organisation but have the same end goal. Every policy must be continuously updated as technology develops and employees change.The fundamental principle of basic security is the idea of the CIA triad, which stands for, Confidentiality, Integrity and Availability. Confidentially has the objective of protecting assets from unpermitted entities. Integrity means there’s precise authorization on modified assets. Availability ensures permitted users can access required assets i.e. most highly requested are most readily available. Every security policy will comply by these principles through a list of high level requirements, guidelines and procedures for everyone accessing the company’s information.The policy is usually documented by those with a thorough knowledge of the company’s processes and understand how they can be best carried out. Organisations need a security policy because:They identify threats, prevention strategies and possible action to recoverThey keep those within the organisation on top of important procedures to ensure security i.e. prompts to change passwords regularlyThey layout the security hierarchy of the organisation i.e. who and who within particular roles have access to what. It’s vital in organisations to have different levels of access so that sensitive data and information can only be accessed by those entitled to see it.Clearly lays out the expectations of those within the organisation to abide by the rules and procedures set in place as well as consequences if rules are broken. Ensures each individual within the organisation knows their own responsibilities, and what’s expected of them when handling sensitive information to keep a constant degree of consistency and efficiency across employees.A security policy reflects the organisation’s desire to ensure their employees know how to carry out their daily work and tasks complying by specific rules and regulations that keep everyone in check, and all information protected. As an organisation grows in size there’s an increased exposure to risk so the presence of an internal security policy becomes increasingly important.2. Andrew KyleWe could see an issue arise for an organisation in the event of a security breach on one of their systems if there were missing security policies that should outline the responsibilities for information technology. These policies should outline who is responsible for ensuring that all authorized users of the organisations paper or electronic systems are fully aware of and comply with the associated codes of practice. This is an important role as it makes sure that everyone using the organisations systems is aware of and agrees to the codes of practice they have laid out, the key to this policy is to make sure that the code of practice is adhered to by making it someone’s responsibility to enforce the likes of regular training/ testing to keep track of users knowledge or to ensure users have time to review the information security policies properly before they sign anything to say they agree to it. The importance of making sure that users thoroughly understand and agree to the codes of conduct is that it obviously helps keep all of the information on the systems secure and reduces the threat of a breach, Codes of practice that are not enforced and followed by all users are somewhat useless. In the event of a breech it is also key to show that the organisation has an information security management process in place and takes adequate steps to provide thorough security on their systems. From a legal perspective it would likely be very difficult for an organisation to justify the strength of their information security if they could not trace the source of a breach back to the individual who caused it and the person who was responsible for ensuring that individual was competent with the codes of practice. The inability to do this could be very costly for an organisation as it would show that there was a breakdown in the chain of information security management and could result in them being sued for inadequate storage of user information or simply result in their valuable data being lost. 3. Peter BraniffEmployees will need to understand what a security policy is and what they are used for. What is a security policy it is a set of defined goals and elements made up by the organization. Security policies are enforced by organizational policies or security mechanisms. These are used to determine if a system is secure or insecure.This should be something that they learn about at the start of their employment so that they understand the rules that the company has set regarding their systems and information. As if the employees are not taught early about what they can and cannot do regarding information they handle or work with they could misuse or release information about the company that could put the company at risk. Employees should be taught password etiquette whenever they start employment with any company if they have computer access. This means that they there is a set standard that employees have to follow when creating a password like a minimum length not use re-use passwords, change password periodically do not write down or share password with anyone.Employees shouldn’t leave any work station unattended if they plan to step away for lunch or a break. They should make sure that they either lock their work station or make sure that they remove or close any import documents or projects they are working on. As if someone is in the office that shouldn’t have access to or be seeing that information that is a security risk to the company.Employees should be aware that any information that they are provided or are working on should never be shared or sent to anyone outside of the office. As all of the work related to the organization is private and should only be used by the company until it is released by the company to the public. So they should always be careful with delicate information and always talk to a manager or supervisor before sending any information to anyone.Employees should not bring any portable storage devices into the organization. As this is a security risk to any machine that the device is plugged into. As the device could have any files or software on it such as a virus and if this was put onto a secure workspace in the organization there is a possibility that the workspace could be infected and this could lead to a loss of data, stolen information or damage to more workspaces on the internal network. 4. Caoimhe O’Hagan, Andrew Kyle, Peter BraniffWhen creating a security policy for an email server we would include the following:An email etiquette policy should be included the communications will be between senior management and important clients so the standards should be set to a high level to maintain professionalism, the email etiquette policy should include:Do not forward any chain emails.Do not use your professional email for personal use.Email accounts should only be accessed from devices that are either remotely or directly managed by the organisation.All attachments must be scanned with an antivirus application before they are opened.Only click on links from trusted sources.Digital signatures should be added to all emails and users should not open any links or attachments on emails that are not digitally signed.A server access policy should be included to outline what access levels exist and who they apply to. The server access policy should include:What the different access levels are, ie. User level and administrator level.The responsibilities of the administrator for keeping the server software up to date and secure, ie. patching, upgrading and configuration of the server.How individuals can request access and who is responsible for granting/ removing access.Password protection details outlining how to make a strong, secure password and what to do if you suspect your password has been compromised.Who to contact if you suspect any breech loss or theft of information on the email server, ie. a suspected phishing email, or interception of data.Outline what levels of monitoring all emails that go through this server will be subject to provide traceability and evidence in the event of a breach. Email Server Policies will need to be included to outline encryption and archiving measures implemented on the actual server.How and when archiving will take place for the emails stored on the server, ie. all emails archived for 6 months then deleted.What level of content scanning will take place on the emails on the server.What kind of encryption should be applied to emails sent between clients and management.How server access will be controlled and monitored through the use of access control methods and logs.We believe the above policies are relevant to secure an email server containing sensitive information. Other policies that incorporate general security of devices and other standard security measures would also apply but the policies noted are those specific to the email server.5. Caoimhe O’Hagan, Andrew Kyle, Peter BraniffBoth security policies have various similarities as they share a common goal of keeping a secure system within the university for both staff and students, however both universities take quite different approaches to this. In UCL, it is a very basic whereas Harvard take a much more dynamic approach to how they share their security policy with the user. In UCL the user has to read through the large list of documents with a substantial amount of text to find what they’re looking for and what’s relevant whereas Harvard approaches to it allow the user to navigate to the area that is relevant to them in the first place and it takes them on a journey through the policy making it less of a chore.Both policies include references throughout to external resources and supporting documents relevant to a particular statement. This helps deepen readers knowledge and eliminates any misunderstanding. Also, neither policy use unnecessary technical language which keeps it at a baseline understanding for users of all technical abilities. At the end of the UCL Policy there is clear evidence of thorough review of the policy from the time it was first approved by the Information Services Government Committee on 17 July 2013. It is said that good security policies can survive up to 2 to 3 years (S, Scott-Hayward. 2018) and the first sign of renewing the policy was dated at 11th July 2016 with ongoing maintenance approved on 6th September 2016. In contrast, there is no clear indication on the Harvard Security Policy of when it was first published and how long it has been in its current state and therefore no information on how recently it has been updated or maintained. Within the Harvard Security Policy the Data Type Levels are the first thing the user is introduced to when opening the policy. This section gives the user a clear indication of what level of protection is required for data and is classified in different levels i.e. higher the level, the greater amount of protection required. This makes it easy for the user to understand the sensitivity of the information they are dealing with in the case of a breach. On UCL the policy that we can access only describes and gives an overview of the different policies that are in place and accessible to the user, who then has to access a different policy (supporting documents) based on their role or the information they are dealing with. Within the general security policy, the statements are long and not direct which makes them difficult to read. I would expect these documents are much more detailed since we as outsiders cannot access them. It is said that a good policy is not too specific and therefore should be able to be accessed by any general user (S, Scott-Hayward. (2018) so there is a risk here of too much detail when authentication is required. Within the Harvard policy, there are 15 short, directive statements visible to all users. They are all hyperlinked to supporting information regarding that particular statement with information on how the user can comply and action steps in case of a breach. This is a much more efficient approach. Within the Harvard policy there is a specific policy relating to the system’s server whereas there is very little information in the UCL policy’s supporting document on this topic and no mention of server security in the general policy document.With the UCL policy since the user will see the general policy at the top of the page, it’s likely they will read this prior to finding the one specific to them further down the page. Within the Harvard policy different roles are categorized i.e. users, devices, vendors, servers, so those working with that particular part of the system can see the policy specific to them without looking through irrelevant information. Harvard contains a ‘How To’ guide which consists of instructions for users on how to implement security measures such as setting up firewalls and how to use Identity finders to further secure the system as a whole, since it’s accessible to all. This is a useful feature which isn’t readily available in the UCL policy.Neither policy defines any exception rules which tells us that there are no circumstances where user’s cannot comply by the policy. In my opinion, this is a valid section to leave out in this scenario, if there is a situation where the policy can be broken then the policy should be changed or updated to allow for this and to avoid a complicated process with non compliance. In the UCL policy there is a section clearly titled ‘Compliance with Legislation’ which states the agreement made with user’s to respect the rules and regulations put in front of them when agreeing to work within the organisation as an employee or a student. However, from analyzing the Harvard policy I cannot see an area dedicated to complying by the policy or stating sanctions for not abiding by regulations put in place. This should be something that cannot be overlooked by a user reading the policy online and is a vital part of any policy agreement. Overall, we believe that both policies display strengths and weaknesses in different areas. the UCL policy was more appropriate for the general user with the aim of gaining an overview of the policy and a general understanding of security expectations within the organisation. However, it lacked detail and was difficult to locate specific points you may need clarification on i.e. in the case of a breach or instructions on how to secure a specific device. We believed the Harvard policy was more detailed with regards to technical guides i.e. the ‘How To’ section, which outlined clearly for the user how to handle certain scenarios that may arise to keep a level of expectation for the security of the system. This can be accessed quickly by the user and contain short summaries and action points to reduce risk of misunderstanding. However, we feel that the policy put forward by Harvard is too advanced for the general user within the university that is likely to be using the policy i.e. administration staff or students. It may also be an intimidating platform to work through for the general user who may find it difficult to locate relevant information efficiently. This in turn could result in non compliance and a risk to the security of the system. A security policy is unique to an organisation so it is important that the user(s) is taken into consideration during the drafting and approval to ensure it’s appropriate.