ASSIGNMENT COVER SHEET
Student ID: 12345678
Subject name: ICT Management and Information Security
Subject code: ITC358
Assignment No: Assignment 1
Table of Contents
Question 1 (page 1)
Question 3 (page 8)
Question 4 (page 12)
Question 5 (page 15)
References (page 17)
Assignment 1 | ITC358 – ICT Management of Information Security
Student Named | Student ID | Document Version 1 Page 1 of 21
Question 1
Figure 1.1 - Case and Exercise (Whitman & Mattord, Management of Information Security, 2010, pp. 1-36)
Answer Case Exercises (page 35) from Whitman, M.E. & Mattord, H.J. (2010) Management of Information Security, 3rd ed., Course Technology: Boston.
This case illustrates the difficulty that information security personnel, such as the CISO (Chief Information Security Officer), the CIO (Chief Information Officer) and information security managers, face in convincing top management of the importance of information security, or ‘InfoSec’ (Whitman & Mattord, 2008, p. 4), in their organisations. According to Vacca, “management sees security as a drain on the bottom line” (2009, p. 3). Organisations tend to give information security a low priority compared with making profit; as a result, they are reluctant to spend adequate money on it. Although it is difficult for IT security professionals to convince management, it is their responsibility to make management aware that the consequences of ignoring security issues are more severe than the savings from cutting the security budget (Whitman & Mattord, 2008).
According to the case, Iris Majwabu was the first CISO appointed at Random Widget Works, Inc. (RWW), promoted from the position of information security risk manager. She therefore exerted herself, working long hours and attending business meetings, to define her role at RWW. During an Information Systems Security Association (ISSA) meeting, she encountered Charlie Moody, a supervisor from her last job and currently the CIO of that company. This gave her an opportunity to lay out the issues and problems she had been facing with her company’s management regarding her job. Firstly, she was distressed that her company’s top management, as well as its IT managers, were not taking InfoSec issues seriously and made her feel as if she were an extra. Secondly, the company did not have a set policy for its InfoSec needs; moreover, she was finding it difficult to obtain approval from management to establish such a policy. Lastly, the firm was hesitant to commit the much-needed budget for information security. After understanding her problems, Charlie was willing to counsel and guide her towards her objective of making the firm secure with regard to its information assets.
The first recommendation from Charlie was to hire a suitable project manager, or send someone for training, which would help manage her workload. This would also help her stay in control when the situation demands it. Moreover, a meeting with the ‘communities of interest’, i.e. a discussion among the managers and professionals of the information security department, the IT department and the non-technical general business departments, would create an environment in which to collectively develop a plan to secure the information assets of the firm and all its stakeholders (Whitman & Mattord, 2008). The communities of interest must be open with each other, which is challenging because IT professionals and management speak different languages (Vacca, 2009). Whilst it is important for management to understand the basics of information technology, IT professionals must convey their concepts and plans in business terms. Hence, in such circumstances, managers equipped with technical as well as managerial knowledge and skills would come in handy. Charlie could also recommend that Iris include InfoSec in the company’s strategic plan. With the strategic plan, a vision and mission for InfoSec would be created, which would induce employees to consider information security measures. Iris should also convince management to construct an information protection policy that contains guidelines for employees on handling and protecting information (Peltier, Peltier, & Blackley, 2005). As CISO, she should develop a culture of security in her firm. This can be achieved by training employees, as employees are a company’s greatest security asset (Whitman & Mattord, 2008). Although it takes time, employee involvement and support can be gained, which will greatly assist in keeping an organisation’s information secure.
A CISO has several responsibilities and duties to ensure the information security of an organisation. However, the most important and beneficial advice from Charlie would be to gather the communities of interest to explain what InfoSec is and why it is crucial, because management will not consider issues that they are not aware of or do not understand. Nonetheless, she must have strong communication skills to interpret her ideas in business language so that everyone in the firm can understand her and trust her decisions. A hired or trained manager could also assist her during the meeting. This would help her instigate the other steps in the InfoSec of RWW, such as strategic planning, policy making, employee training and so on.
In conclusion, this case study expresses the problems faced by technical InfoSec employees while performing their jobs. This essay exhibits the reasons for those problems and recommends four measures to help solve them. It also suggests effective communication with management on the meaning and importance of InfoSec as the most beneficial move towards gaining management’s attention to improve the firm’s information security.
Question 2
Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?
Strategic planning is an important aspect of planning for any organisation. It provides a long-term guideline that steers the effort of the organisation and focuses its resources towards specific and definite goals (Whitman & Mattord, 2008). Firstly, the organisation creates an overall or general strategic plan, which is then made more specific for its departments or divisions. Strategic planning is the highest level of organisational planning; it is rendered into tactical planning, which in turn is used to create operational planning (Whitman & Mattord, 2008). There are basically four approaches to strategic planning, namely top-down, bottom-up, a combination of top-down and bottom-up, and team planning (Steiner, 1979). This essay details the top-down and bottom-up approaches to the implementation of information security and discusses the most effective strategic planning for large, diverse organisations. The combination approach is determined to be suitable for such organisations in the context of their size and scale.
The top-down strategic planning approach, as the name suggests, is commenced by top management and is similar to autocracy. It consists of highly influential upper management that assigns resources; provides direction; releases policies, procedures and processes; formulates the goals and expected results of the project; and allocates the responsibilities for each required task. Such instigators are called champions, who in regard to information security might be the Chief Information Officer (CIO), the Vice President of Information Technology (VP-IT) or other senior executives. The systems development life cycle is considered the most successful top-down approach (Whitman & Mattord, 2008). Top-level managers dictating the route of the organisation is a palpable advantage of this system (Steiner, 1979). It may engage mid-level management at some point, though the plans are devised and decided by top management alone.
On the other hand, the bottom-up strategic planning or grass-roots approach is similar to a democratic system, being initiated by bottom-level employees such as administrators or technicians (Whitman & Mattord, 2008). For instance, obtaining feedback is started by people at the bottom of the organisational chart and then reviewed by top management at the end. Unlike top-down, the bottom-up approach involves information security professionals and technical experts who understand the issues in their day-to-day work and are thus knowledgeable in solving them. However, it often fails as it lacks clear direction from top management, coordination between departments and adequate resources. Additionally, it depends highly upon the nature of the employees, who may not wish to carry out any extra load. Another advantage of top-down is the documentation of processes and procedures to control change, which is clearly lacking in bottom-up implementation (Whitman & Mattord, 2008).
Large and diverse organisations consist of various divisions, managers and employees that require good coordination among the departments and a strong organisational culture. Such organisations are more formal and documented, and information security issues are given great importance. This nature tends more towards the formal top-down approach. However, a pure top-down strategic implementation would not be practical, because top management would not be well versed in the different aspects of each division to create rational goals and objectives. Furthermore, although divisional managers might recognise goals as unfeasible, they would still be compelled to pursue them. Additionally, top management holds decisive power over any draft plans or ideas suggested by bottom or mid-level management (Steiner, 1979). For instance, even if a security manager suggests that the strategic plan must include the information security of employees in addition to clients, it might be overlooked by high-level management. According to Hann and Mortimer (1994), most large organisations practise a mixture of both approaches based on their culture and structure. Typically, large companies draft strategic plans created by divisional managers, and the plans are then amended and agreed upon by the board of directors (Grant, 2005). Since the combined effort and devotion of both top-level and bottom-level management is required, the best of both approaches should be adopted to create a practical and visionary information security strategic plan.
Therefore, this essay clearly explains strategic planning and its approaches with regard to information security. It also illustrates the differences between bottom-up and top-down planning and their advantages and drawbacks. Furthermore, a mixed approach is recommended for large, diverse organisations, as it provides realistic strategic direction to the organisation.
Question 3
Using a Web search engine, find five examples of corporate vision statements, corporate mission statements, and corporate goals. Do these examples express concern for the security of corporate information?
Statements of values, vision, mission and goals are important precursors to planning that state the corporation’s ‘ethical, entrepreneurial, and philosophical perspectives’ (Whitman & Mattord, 2008). Every corporation and organisation must define these statements to outline its overall goal and, occasionally, its entire existence. It is crucial for organisations to stand by these ‘ethical, entrepreneurial, and philosophical perspectives’; if they do not, the development plans guided by such statements would be in disarray (Whitman & Mattord, 2008). This essay examines the statements of five corporations in terms of their concern for the security of corporate information.
A vision statement is an ambitious statement that articulates what the organisation aspires to become. It presents the situation of the organisation at its very best. On the other hand, a mission statement, created on the basis of the vision statement, specifically defines the purpose and function of the organisation. It must be short and precise, and remain valid for four to six years (Whitman & Mattord, 2008). Corporate goals are specific and realistic objectives created according to the vision and mission statements and suitable for a period of years (Corporate vision, mission, goals and strategies, nd). Using the Google search engine, the vision, mission and goals of five large corporations belonging to different industries are outlined for this essay. An investigation is conducted to determine whether or not such statements embrace information security issues. A table (Figure 3.1) illustrates the evaluation, indicating that concern for corporate information security is present although not plainly evident in the wording.
Figure 3.1 (table): Corporation, Industry, Corporate Vision, Corporate Mission, Corporate Goal

Corporation: The Coca-Cola Company
Industry: Beverages
Corporate Vision: The Coca-Cola Company has a fairly large vision statement which comprises its vision for people, portfolio, partners, planet, profit and productivity. It also states the corporation’s winning culture: living with values, focusing on the market, working smart, acting like owners and being the brand. It has a broad vision which shows only a little concern for information security, through the concepts of integrity and accountability for actions and inactions (The Coca-Cola Company, 2011).
Corporate Mission: The mission states the purpose of the company; however, it does not display information security concerns in its statements (The Coca-Cola Company, 2011).
Corporate Goal: The corporate goals are classified according to beverage benefit; active healthy living; community; energy efficiency and climate protection; sustainable packaging; water stewardship; and workplace. They show much regard for nature conservation. However, the workplace goal of achieving a 98% performance level following the guidelines of the Human Rights Statement as well as the Workplace Rights Policy is also concerned with corporate information security measures (The Coca-Cola Company, 2011).

Corporation: National Aeronautics and Space Administration (NASA)
Industry: Aerospace
Corporate Vision: NASA’s vision is to explore and learn in ways that will benefit all humankind. It is a vast vision from which information security plans can be derived (Wilson, What does NASA do?, 2011).
Corporate Mission: The mission statement incorporates aeronautics research, human exploration and operations, and science. Corporate information security is critical for this type of mission statement (Wilson, NASA mission directorates, 2011).
Corporate Goal: NASA has future goals such as landing on Mars; living in space; building safer, fuel-efficient, quieter and environmentally friendly aircraft; and other science missions (Wilson, What does NASA do?, 2011). It is obvious that in all of these goals information security is crucial. Such goals are bound to create a vast security policy and programs.

Corporation: British Broadcasting Corporation (BBC)
Industry: Broadcasting
Corporate Vision: The BBC’s vision is to become the most creative organisation in the world (BBC, 2011). It does not precisely state information security issues; however, security plans can be drawn from the statement.
Corporate Mission: The BBC’s mission statement of enriching people’s lives with informative, educative and entertaining programmes and services will incorporate the security of corporate information and data such as video recordings, articles, interviews and so on (BBC, 2011).
Corporate Goal: The BBC has a list of objectives for the year 2011/12. Security for such a broadcasting corporation is illustrated in goals such as creating digital projects, developing a high-quality website and implementing trust review conclusions, among many others (BBC, 2011).

Corporation: University of Technology Sydney (UTS): Business
Industry: Education
Corporate Vision: The corporate vision of the Business Faculty of UTS is to become a leader in business education and research relevant to industry (UTS: Business, 2011). Planning to become an industry leader must adhere to information security.
Corporate Mission: UTS: Business has two broad missions, namely forward-thinking and work-ready. Statements such as awareness of business ethics and principles of governance show an interest in information security.
Corporate Goal: It has four main areas of goals, namely research; teaching and learning; student focus; and enterprise development. The information security department is sure to derive a comprehensive security plan based on the goals of UTS, which are associated with information regarding students, teachers and research.

Corporation: Koninklijke Philips Electronics
Industry: Electronics
Corporate Vision: The vision of Philips is related to its slogan, which seeks to bring ‘sense and simplicity’ to matters of complexity in the daily lives of all people of the world (Koninklijke Philips Electronics, 2011).
Corporate Mission: Its mission is to innovate technologies to improve the quality of people’s lives (Koninklijke Philips Electronics, 2011). Although not clearly stated, information security plays a vital role in securing the information of research, experiments and innovations.
Corporate Goal: Currently, Philips targets mid-term 2013 performance objectives quantified according to sales growth, return on invested capital, etc. Based on these goals, several information security plans can be sketched.

Figure 3.1 - Table showing the results of the investigation conducted on the vision, mission and goals of five corporations to determine their concern for information security
Hence, five examples of corporate vision, mission and goals have been described and evaluated against their concern for corporate information security. Although none of the statements explicitly defines its vision, mission or goals in terms of information security, it can be assumed that the security of information is a large part of their planning and implementation. In addition, all the statements refer to the highest-level objectives and are not detailed towards information security strategies. Information security is believed to be the primary function only of businesses that provide information security services and consulting. Nevertheless, it is an integral element of every corporation, especially large corporations, as demonstrated in the examples.
Question 4
Find an example of a business recovery plan. Write a report on the elements included in the plan. Is there anything missing that you think should have been included?
Introduction
In the business world, ‘business recovery plan’ is used synonymously with ‘disaster recovery plan’ (DRP), which includes plans for the survival of the business during natural or man-made disasters (The basics of creating a business recovery plan, nd). Although a DR plan may appear to be an additional cost and labour, planning for rational actions always outweighs the cost of reactive actions. Therefore a DR plan is crucial for any operating business, as it helps the organisation to sustain itself through various contingencies. The DRP is instigated when an incident is declared a disaster by the IR (Incident Response) team. Some disasters are easily identified, such as a flood or a nuclear attack. However, there is a thin line distinguishing most other incidents from disasters. An incident is said to be a disaster either when the impact of the incident cannot be contained or when the impact is so severe that the organisation cannot recover quickly (Whitman & Mattord, 2008). The business recovery process begins when the most critical business functions have been restored and the business is operating at its minimum (CPA Australia, 2011). The Information Technology DRP of the Adams State College Computing Services Department is included as the example for this paper. Adams State College (ASC), established in 1923 in regional southern Colorado, USA, is an academic institute for students studying undergraduate and postgraduate degrees (About Adams State, 2011). This report aims to identify the business recovery elements included in the DRP and to provide recommendations for improving the plan.
Elements of disaster recovery plan of ASC
The purpose of the Information Technology DRP of ASC is to ensure the restoration of the college’s IT services during a disaster in support of its mission statement. The plan includes the organisation’s comprehensive risk analysis and general steps to reinstate IT functions during a disaster, and provides recommendations for strengthening its IT infrastructure. The document begins with its objective, scope, assumptions and definitions, followed by general guidelines for disaster response and recovery. These guidelines include the responsibilities of the Chief Information Officer (CIO) as well as the hardware and software replacement plan during a disaster recovery process. Subsequently, a detailed risk assessment is documented in which risks are categorised as Level 1, Level 2 and Level 3 based upon their impact on the most critical IT services of the organisation. The levels of risk, in order of importance, are:
Level 1: Computing Services Building and Central Computer Room
Level 2: ASC Telecommunications
Level 2: 911 Emergency Services
Level 2: Network Services
Level 2: Cable Plant
Level 3: File and Print Services
Level 3: Enterprise Resource Planning Services
Level 3: Email Services
Level 3: Web Services
Level 3: Campus Card Services
Level 3: Residential Network Computing Services
Level 3: Academic Instructional Technology Classrooms
Level 3: Student Computer Laboratory Services
The risk assessment details the security or physical risks; environmental risks; internal systems risks and external systems risks, and presents a recovery plan and preventive measures for each of the risk levels listed above. Finally, it names the CIO as the person responsible for the DRP maintenance plan. Appendices are incorporated at the end for referencing the text; however, appendices confidential to the institute are not published in the plan (Adams State College Computing Services Department, 2006).
Elements omitted in the DRP
The IT DR plan is concise, consisting of a risk assessment with a recovery plan and a prevention plan. However, much is lacking to make it a complete and effective DR plan. A DR plan must contain documentation of seven processes (Whitman & Mattord, 2008). The DR plan, being part of Contingency Planning (CP), may need to review and refer to the Business Impact Analysis (BIA) conducted at the beginning and the Incident Response Plan (IRP) prepared just before the DR plan. The DR plan will in turn be referenced in the final component of contingency planning, the Business Continuity Plan (BCP). Therefore, the processes missing from the ASC DR plan, in contrast to a typical DR plan, are the DR planning policy statement; the BIA; the disaster recovery plan document; and testing of the plan, training and exercises (Whitman & Mattord, 2008). Moreover, there are eight key elements that must be included in the plan, some of which are neglected in the example: resource requirements; training requirements; exercise and testing schedules; and recognition of special considerations. In addition, crisis management is overlooked in this example. It is an important part of a DR plan that deals with supporting people affected by the disaster, making a disaster declaration, and communicating with the public to keep them informed about the situation and with other stakeholders of the organisation (Whitman & Mattord, 2008). Elements such as training and exercises may not require much detailing due to time and resource constraints; however, the plan must include the missing elements to make it effective and practical during a disaster.
Recommendations for improvement of the ASC DR Plan
It has been observed that the DR plan for ASC requires enriching to make it a better and easier reference document during a disaster. Firstly, ASC must conduct and document a business impact analysis. This will help determine the critical IT operations and identify the most likely threats to the system. Secondly, the plan should include a budget plan that determines the minimum finance required to keep the business operating (The basics of creating a business recovery plan, nd). Thirdly, crisis management should be included to handle human resource issues during a disaster. Finally, disaster planning must document as much as possible to cover all potential recovery needs. Furthermore, a quick-reference DRP may be created for ease of reference and quick action.
Conclusion
This document evaluates a sample of an organisation’s DR plan to identify the missing elements. It helps in understanding the components of an effective and well-documented plan and the importance of creating one. It is also found that, even though business recovery planning may not be perfect, all critical issues must be outlined in the plan, and they must be reviewed and updated over a specified period of time, thereby helping the business to recover quickly and survive in this competitive world.
Question 5
List and describe the three approaches to policy development presented in the text (chapter 4). In your opinion, which is better suited for use by a smaller organization, and why? If the target organization were very much larger, which approach would be superior and why?
Policy is one of the six P’s of information security management. It is the foundation of a quality information security program, providing guidelines that dictate behaviour in the organisation. Although effective and the least expensive control, policy is the most difficult to implement. There are three types of, or approaches to developing, information security policy based on NIST Special Publication 800-14, namely Enterprise Information Security Policy (EISP), Issue-Specific Security Policies (ISSP) and System-Specific Policies (SysSPs) (Whitman & Mattord, 2008). This essay details the three general categories of policy and recommends the one suitable for use by a smaller organisation and by a larger organisation. After considering each of the approaches, the ISSP approach is suggested as beneficial for a smaller organisation and the EISP approach as best suited for very large organisations.
Firstly, the EISP, also known simply as the information security policy, is a high-level policy created by the CISO and CIO which provides ‘strategic direction, scope and tone’ for all security ventures of the organisation (Whitman & Mattord, 2008). It defines the responsibilities for numerous information security areas, including policy maintenance and the duties of end users. The development, implementation and management requirements of the information security program are guided by the EISP. It is vital to organisational information security as it directly supports the vision and mission statements and moulds the corporate philosophy of security in the IT environment. Thus the policy is amended only when the strategic direction of the organisation changes (Whitman & Mattord, 2008). An Enterprise Information Security Policy has been adopted by large organisations such as Harvard University, the Department of Finance and Administration in the state of Tennessee, and others.
Secondly, an issue-specific policy provides comprehensive and specific guidance for all people in the organisation when using any system, technology or process. This policy is neither legally binding nor enforced by the administration; rather, it gives employees an understanding of the proper use of technology. However, an effective ISSP is a binding agreement between the organisation and its employees to ensure that technology will not be mishandled. The characteristics of an ISSP are that it addresses specific technology-based systems, requires frequent updates and contains an issue statement that describes the position of the organisation on a specific issue (Whitman & Mattord, 2008). It is usually adopted by small organisations for matters such as email and internet usage.
Lastly, the system-specific policy contains the procedures and standards for operating or maintaining systems, such as configuring a network firewall or defining user access permissions. It may be divided into managerial guidance and technical specifications, or may be a single document combining both kinds of SysSP. The managerial guidance SysSP is created by management to steer the behaviour of the employees who implement and configure the technical aspects of information security. The technical specifications, on the other hand, actually enforce the policy set by management (Whitman & Mattord, 2008).
The policy for information security is chosen based on the size of the organisation, on top of other factors
such as the amount of assets and risk management (Waugh, 2008). In terms of security management,
large organisations in this essay are characterised by the number of devices requiring security. Large or
very large organisations have more than 1000 security devices. They have adequate resources and
can support full-time dedicated staff for specific job positions such as security managers, security
administrators, etc. Enterprise information security policy is much more effective in such organisations
because the larger the organisation, the larger the information security program and the more complex the
policy. Moreover, large organisations require all the components defined in the EISP. In contrast,
smaller organisations have fewer than 100 systems to manage. They have limited resources and
may only have one or two security personnel. Issue-specific information policy is most suitable
and often published in small organisations, as security administrators may educate other members
in the policy whenever required (Whitman & Mattord, 2008).
Thus, the three approaches to policy development are illustrated and the most appropriate policy
for large and small organisations is identified and justified.
References
About Adams State. (2011, December 20). Retrieved from Adams State College:
http://www.adams.edu/about/
Adams State College Computing Services Department. (2006, October 2). Information Technology
Disaster Recovery Plan. Retrieved from Adams State College:
http://www.adams.edu/administration/computing/dr-plan100206.pdf
BBC. (2011). BBC objectives 2011/12. Retrieved from BBC:
http://www.bbc.co.uk/aboutthebbc/insidethebbc/whoweare/mission_and_values/objectives.html
BBC. (2011). Mission and values. Retrieved from BBC:
http://www.bbc.co.uk/aboutthebbc/insidethebbc/whoweare/mission_and_values
CPA Australia. (2011). Steps to business recovery. Retrieved from Queensland Government:
http://www.business.qld.gov.au/documents/Steps-to-business-recovery.pdf
Global Data Consulting. (n.d.). Corporate vision, mission, goals and strategies. Retrieved from
Global Data Consulting: http://www.globaldataconsulting.net/bi-stickers/corporate-vision-mission-goals-and-strategies
Grant, R. M. (2005). Contemporary Strategy Analysis (5th ed.). Victoria: Blackwell
Publishing.
Hann, J., & Mortimer, B. (1994). Strategic planning and performance evaluation for operational
policing. Criminal Justice Planning & Coordination: Conference Proceedings (p. 246).
Canberra: Australia.
Koninklijke Philips Electronics. (2011). Vision and strategy. Retrieved from Philips:
http://www.philips.com.au/about/company/missionandvisionvaluesandstrategy/index.page
Peltier, T. R., Peltier, J., & Blackley, J. (2005). Information Security Fundamentals. New York: CRC
Press.
Steiner, G. A. (1979). Strategic planning. New York: The Free Press.
The basics of creating a business recovery plan. (n.d.). Retrieved from Business Recovery Plan:
http://www.businessrecoveryplan.net/
The Coca-Cola Company. (2011). Goals and Performance. Retrieved from The Coca-Cola Company:
http://www.thecoca-colacompany.com/citizenship/goals.html
The Coca-Cola Company. (2011). Mission, vision and values. Retrieved from The Coca-Cola
Company: http://www.thecoca-colacompany.com/ourcompany/mission_vision_values.html
UTS: Business. (2011). Mission statement. Retrieved from University of Technology Sydney:
http://www.business.uts.edu.au/about/mission/index.html
UTS: Business. (2011). Objectives. Retrieved from University of Technology Sydney:
http://www.business.uts.edu.au/about/mission/objectives.html
UTS: Business. (2011). Vision. Retrieved from University of Technology Sydney:
http://www.business.uts.edu.au/about/mission/vision.html
Vacca, J. R. (2009). Computer and Information Security Handbook. Morgan Kaufmann. Retrieved
December 18, 2011, from Ebook Library.
Waugh, B. D. (2008, July). Information security policy for small business. Retrieved from
InfoSecWriters: http://www.infosecwriters.com/text_resources/pdf/BWaugh_Policy.pdf
Whitman, M. E., & Mattord, H. J. (2008). Management of information security (2nd ed.).
Boston: Cengage Learning.
Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston:
Cengage Learning.
Wilson, J. (2011, August 25). NASA mission directorates. Retrieved from NASA:
http://www.nasa.gov/about/directorates/index.html
Wilson, J. (2011, August 25). What does NASA do? Retrieved from NASA:
http://www.nasa.gov/about/highlights/what_does_nasa_do.html