Create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure. You are to define what the information systems security responsibility is for each of the seven domains of a typical IT infrastructure. From this definition, you must incorporate a definition for the separation of duties into the Procedures section of the policy definition template that you will fill out later in this step.

The scenario you are to work with is for the mock Lone Star Credit Union/Bank:

The organization is a regional Lone Star Credit Union/Bank that has multiple branches and locations throughout the region.

Online banking and use of the Internet are the bank’s strengths, given its limited human resources.

The customer service department is the organization’s most critical business function.

The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.

The organization wants to monitor and control use of the Internet by implementing content filtering.

The organization wants to eliminate personal use of organization-owned IT assets and systems.

The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.

The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training.

The organization wants to define a policy framework, including a security management policy defining the separation of duties for information systems security.

Using the following template, create a security management policy with defined separation of duties for the Lone Star Credit Union/Bank organization (this should not be longer than two pages):

Lone Star Credit Union

Policy Name

Policy Statement

{Insert policy verbiage here.}

Purpose/Objectives

{Insert the policy’s purpose as well as its objectives; include a bulleted list of the policy definitions.}

Scope

{Define whom this policy covers and its scope. Which of the seven domains of a typical

IT infrastructure are impacted? All seven must be included in the scope. What elements, IT assets, or organization-owned assets are within the scope of this policy? In this case, you are concerned about which IT assets and elements in each of the domains require information systems security management.}

Standards

{Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards. You need to reference technical hardware, software, and configuration standards for IT assets throughout the seven domains of a typical IT infrastructure.}

Procedures

{Explain how you intend to implement this policy for the entire organization. This is the most important part of the policy definition because you must explain and define your separation of duties throughout the seven domains of a typical IT infrastructure. All seven domains must be listed in this section as well as who is responsible for ensuring CIA and security policy implementation within that domain.}

Guidelines

{Explain any roadblocks or implementation issues that you must overcome in this section and how you will surmount them per defined policy guidelines. Any disputes or gaps in the definition and separation of duties and responsibilities may need to be addressed in this section.}