Department of Defense (DoD) Ready
The task is to establish security policies for my firm of approximately 390 employees and make them Department of Defense (DoD) compliant. To achieve this goal, a list of compliance laws must be compiled to make sure we meet the standard. I will outline the controls placed on the computing devices that are being utilized by company employees, and I will develop a plan for implementation of the new security policy.
The task of creating a security policy to make my firm DoD compliant starts with knowing what laws to become compliant with. There is an array of laws to adhere to, but I have listed the major laws that the firm must comply with. The following is ...
Enhanced safeguards apply to unclassified DOD information that meets one or more of the following criteria:
• Critical Program Information (as defined in DOD Instruction 5200.39);
• data subject to export controls under International Trafficking in Arms Regulations and Export Administration Regulations;
• data designated for withholding under the FOIA program (as described in DOD Directive 5400.07)
• data bearing current or prior controlled access/dissemination designations (e.g., For Official Use Only, Limited Distribution, and Proprietary);
• technical data, software, or other information subject to DOD Directive 5230.24; and
• personally identifiable information, including (but not limited to) data protected by the Privacy Act and HIPAA.
In addition to the basic safeguards listed above, contractors would be obligated to implement the following measures for data subject to enhanced safeguard requirements:
• reporting any “cyber intrusion incident” to DOD, which includes any event involving unauthorized access to DOD information or an “advanced persistent threat” (meaning a “proficient, patient, determined, and capable adversary”);
• cooperating with and providing support for DOD investigations of reported cyber intrusion incidents;
• encrypting DOD information when transmitting it across wireless networks (by either encrypting the wireless connection itself or the individual files transmitted across such connections);
• monitoring and controlling network traffic through mechanisms such as firewalls and/or intrusion detection/prevention systems; and
• implementing an information security program consistent with NIST Special Publication 800-53.
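As an added illustration (not part of the original essay or of any DoD-issued material), the “encrypt the individual files” option from the wireless-transmission requirement above can be implemented with authenticated encryption. The example below uses AES-256-GCM from the Go standard library, binds the file name into the ciphertext as associated data so a sealed file cannot be silently renamed or swapped, and checks that a renamed or bit-flipped file is rejected. The key, file names and file contents are constructed for the example; a real deployment would draw the key from a key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// demoKey is a hypothetical 32-byte key for illustration only (AES-256).
// In production the key comes from a KMS/HSM, never from a string literal.
var demoKey = sha256.Sum256([]byte("demo-key-material-not-for-production"))

// EncryptFile seals plaintext with AES-256-GCM. The file name is passed as
// associated data, so decryption only succeeds under the same name.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func EncryptFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFile opens a blob produced by EncryptFile. Any change to the nonce,
// ciphertext, tag or file name causes gcm.Open to fail.
func DecryptFile(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// SelfCheck exercises the three properties worth verifying before trusting
// file-level encryption: the round trip works, a renamed file is rejected,
// and a single flipped bit is rejected.
func SelfCheck() (roundTrip, renameRejected, tamperRejected bool) {
	key := demoKey[:]
	msg := []byte("constructed sample: drawing package rev B") // constructed content
	blob, err := EncryptFile(key, "drawing-revB.pdf", msg)
	if err != nil {
		return
	}
	pt, err := DecryptFile(key, "drawing-revB.pdf", blob)
	roundTrip = err == nil && string(pt) == string(msg)

	_, err = DecryptFile(key, "drawing-revA.pdf", blob) // wrong name
	renameRejected = err != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the GCM tag
	_, err = DecryptFile(key, "drawing-revB.pdf", tampered)
	tamperRejected = err != nil
	return
}

func main() {
	rt, rn, tm := SelfCheck()
	fmt.Printf("round trip: %v, rename rejected: %v, tamper rejected: %v\n", rt, rn, tm)
}
```

One caveat a practitioner would want: DoD contracts generally expect cryptography from FIPS 140-validated modules, so confirm that the library build you ship satisfies that requirement before relying on this approach for covered data.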
The new firm wide security policy below outlines the controls placed on the computing devices that are being utilized by company employees.
Acceptable Use of Information Technology Assets Policy
The purpose of this policy is to inform users of the Firm’s Information Technology Assets of what Information Technology uses are permissible and what uses are prohibited. Compliance with this policy drives the Firm’s ability to protect its services, employees, and clients.
1. Access and Use
1.1. User Access
All User access to Information Technology Assets:
• shall be approved by the Department Head,
• shall be limited to the Information Technology Assets necessary and appropriate for the User to perform the job duties and functions assigned to him or her.
2. Sensitive Information
2.1. User Responsibility
Users shall be required to know the Classification of the Information to which they have access, and with which they are permitted to work. Users shall understand the appropriate Security Controls that should be applied to that Information.
2.2. Dissemination and Confidentiality
Sending, transmitting or otherwise disseminating Sensitive Information shall be strictly