Description

Policy Review

Organize the existing library of policy documents and then undertake a CTS policy and governance review. Follow these detailed, multi-step instructions to complete each of the multiple parts of the assignment.

Step 1:

Locate the CTS Policy document set you have been given. Using a text editor of your choice, prepare a separate document file for each of the various policy elements. Each policy must be in a separate and properly named file. This will include isolating the EISP as its own file as well as placing each of the existing ISSP policy texts into separate named policies, each in its own document file, to make future revisions more efficient.

Step 2:

Make a strategic recommendation to the Board of Directors about how the CTS cybersecurity function should be organized. To accomplish this, please be sure you are familiar with the Case Study and have read and assimilated the entire CTS Draft Policy Manual that has been provided. Prepare the components of your recommendation and then combine them into a single PDF file to be submitted for review.

Start by writing a report that will:

  • Identify any inconsistencies you can find between the roles described in the Case Study and those implied in the Policy Manual. As happens in the real world, policies are sometimes 1) inconsistent with reality (the case study), 2) inconsistent with other policies (in detail), and/or 3) inconsistent with the EISP (usually in general). In a perfect setting, all policies would be internally consistent, consistent with all other policies, and also consistent with the reality of the organization. It seldom works out that way, and it has not been done perfectly in this situation either. In this assignment, try to look for one or two examples of each of these types of inconsistencies. You are not expected to find every inconsistency in the entire case + policy environment.
  • Propose an overview and explanation of a new set of roles and organizational structures and also provide a replacement for the entire section of the case titled “Officers and Key Employees” that is complete and consistent and able, in your opinion, to meet the needs of the company. You may make any assumptions and revisions you see fit that are consistent with the balance of the case study and the Policy Manual. This preparation should be the basis for the report that follows.
  • Now use your overview and explanation from above to prepare your report so that it has:
    • a one-line title,
    • an abstract/summary not longer than one page,
    • a statement of the scope of your report that includes your sources and assumptions,
    • a section on inconsistencies,
    • a section on proposed changes, and
    • a final section that provides a complete replacement for the entire section of the case study that is titled “Officers and Key Employees”.
  • Prepare a cover memorandum of transmittal. Place it on the first page of the submission. This memorandum should identify what is being transmitted, and frame the context of the report. There must be a hard page break between the memorandum and the report.

Step 3:

The CIO of CTS has become concerned that the current networking environment may not be as secure as it was perceived to have been. To that end, you have been commissioned to undertake a review of the current policy environment and to make specific recommendations for improvements to the policy of the firm as regards the firewall and VPN control systems.

  • Undertake a complete policy review of the CTS policy suite to summarize the current policy regarding firewalls and VPNs. Save your review as it will be the basis for a report you will assemble. This review must include:
    • Review current CTS policy to identify all EISP-level policy provisions that touch on the network firewall and VPN subject area
    • Write a complete review of the current network and VPN policy (from all places including EISP, ISSP, and SysSP) in place now
    • Write a critique of the current network and VPN policy in place now
    • Your review and your critique must identify and comment on all policy provisions that touch on the network firewall and VPN subject area