Security Policy Design Report

Introduction
The purpose of this assignment is for students to demonstrate proficiency in creating and implementing a comprehensive security policy program for the case company that includes the development of an Enterprise Information Security Policy (EISP) document.
The following steps are necessary to successfully complete the assignment:
• Thoroughly read the case study material and all supporting documents
• Specify areas of legal or regulatory compliance related to the primary and ancillary activities of the case company. Include references to authoritative documents. Research the objectives for security services planned for the case company that have been documented in the Security Services Plan already in preparation
• Complete the requirements noted below.
Requirements / Grading Rubric:
Upon submission of the completed assignment, the work will be evaluated based on the following criteria:
• Formatted in accordance with APA style guidelines
• Prepared using the included template. This includes following all italicized instructions that are found throughout the document
• Your response must be completed within the context of the previously prepared Group Security Services Master Plan – any deviations from the scope or stated expectations in that group-level plan must be documented in this report
• Review the case document policy environment. Design a policy management program that provides the case company with proposed improvements to their policy environment. This process encompasses:
o Policy creation, review, and approval
o Policy distribution, training, validation/enforcement, and ongoing awareness
o Policy exceptions, maintenance, and retirement
• Design a policy improvement development program (a series of interlinked projects) with as many component project plans as are needed for the entire improvement program.
• Create a complete draft of an enterprise information security policy (EISP). The EISP is the top level of organizational policy as has been defined in the CYBR 7300 course
• Identify the initial suite of issue-specific security policies (ISSP) relevant to the case company. The ISSPs should encompass concepts and material presented in the CYBR 7300 course and any additional ISSP documents you determine as being required
• Create a complete draft of one ISSP
• Compose high-level budgets for all costs for the policy management plan. Provide detailed resource forecasts necessary to accommodate the policy needs for the entirety of the information security program spanning the next three years.

Report Structure:
• Current Policy Environment – Fully describe and document the current approach used for policy creation, management, dissemination, and maintenance. Critique the current state of the EISP and the suite of ISSP documents in use.
• Targeted State for Policy – Define the objectives for policy management at the company to include:
o Policy creation, review, and approval
o Policy distribution, training, validation/enforcement, and ongoing awareness
o Policy exceptions, maintenance, and retirement
• Design a policy improvement development program plan (a series of interlinked initiatives). that includes all necessary component project plans for the entire improvement program. This task includes providing a budget for the program and each of its projects.
• Prepare an updated EISP
• Provide a plan to update the ISSP in the company (e.g., what should it include and what is the plan to make it match that intention). Identify and write one complete ISSP as an example.
• Prepare a budget for ongoing Policy Operations for three years.
Submission:
• Just as you are expected to do for all business communications, you must prepare a cover memorandum that serves to convey this report and serves as an executive summary of your findings.
• Save the combined report (cover memo + report) with a page break between each to a PDF file and submit one file for the team by the date assigned.