You are here: Wireless Security Technology > Subtopic 3 > Activities

IS Policy, Standards, and Guidelines Activities

The instructor will lecture on management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines. This will include what contingency planning is and how incident response planning, disaster recovery planning and business continuity plans are related to contingency planning. Some helpful resources include:

• Principles of Information Security (2nd Ed.), by Michael E Whitman and Herbert J. Mattord,
Chapter 5: "Planning for Security."

• Contingency Planning Guide for Information Technology Systems, a NIST publication

Students will then be divided into teams. Each team will choose and perform one of the following activities. The results of the chosen activity will be presented to the entire class.

1. Using a graphics program, design a number of security awareness posters on the following themes: updating anti-virus signatures, protecting sensitive information, watching out for e-mail viruses, prohibiting use of company equipment for personal matters, changing and protecting passwords, avoiding social engineering, and protecting software copyrights.
2. Search the Web for a listing of security education and training programs in your area. Keep a list and see which category has the most examples. See if you can determine the costs associated with each example. Which do you feel would be more cost effective in terms of both time and money?
3. Draft a simple issue-specific policy, using the provided template, outlining “Fair and Responsible Use of College Computers” based on the rules and regulations you have been provided in your institution. Does your school have a similar policy? Does it contain all the elements listed in the text?
4. Use the library or the Web to find a reported natural disaster that occurred in the past 180 days. From the news accounts determine if local or national officials had prepared disaster plans and if they were used. See if you can determine how the plans helped the officials improve the response to the disaster. How do the plans help the recovery?
5. Classify each of the following occurrences as an incident or disaster. If an occurrence is a disaster, determine whether or not business continuity plans would be called into play. List the items, the purpose, and the intended result the business continuity plan should address.
   a. A hacker gets into the network and deletes files from a server.
   b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the fire is contained before it moves out of the area.
   c. A tornado hits a local power company and the company will be without power for three to five days.
   d. Employees go on strike and the company could be without critical workers for weeks.