In this module, you explored policies and practices used by organizations to protect information. There are a variety of policies that are intended to improve the security posture of an organization. These policies include but are not limited to: acceptable use policies, privacy policies, authorized access policies, change and configuration management policies, human resource policies, codes of ethics, organizational security policies, password policies, user education and awareness policies, and user management policies, among many others. Many of the aforementioned policies live within an organization$$s overarching information security policy, although they can stand alone, depending on the size of the organization. The size of the organization can also affect the ways in which roles and responsibilities are determined. For example, a smaller organization could have an IT department of one, where a larger organization will have dedicated roles with distinct skill sets and responsibilities that no other role takes ownership of$.$

For the purposes of this activity, you will review a general information security policy of a government organization. Although information security policies can be lengthy, the policy you will be reviewing is considered brief. It is $13$ pages long. Be mindful of the time it will take to not only read the policy but to review specific sections in order to address all of the activity questions.

For this week$$s activity:

Read the information security policy and the resources provided in the Supporting Materials section.

Consider how laws and regulation influence organizational policies, and the various IT roles that might be included in an information security policy.

Respond to the provided activity questions.

Prompt

Most privately owned and publicly traded firms give their employees access only to security policies and private information. Security policies typically remain for internal use only due to the sensitive nature of their contents. However, many education entities, nonprofits, and government$-$affiliated institutions make these documents available to the public via their websites. Read the Information Security Policy of the United States Environmental Protection Agency $($EPA$)$ and respond to the provided activity questions. To access the policy in full for the purposes of this activity, click on the $$Information Security Policy $($PDF$)$ in the link just provided. The Supporting Materials section contains resources that will help you understand the elements of a good policy.

Supporting Materials

These resources will provide you with greater insight into what elements make up a good security policy and help you prepare for your response to the activity questions:

Ten Security Policy Writing Mistakes You Cannot Afford to Make

How to Create a Good Security Policy

Key Elements of an Information Security Policy

What Is FISMA Compliance?

What to Submit

Respond to the activity questions below related to the Module Three Activity. Your submission should be $1$ to $2$ pages, double$-$spaced, and submitted as a Word document $(.$docx$).$ Resources must be appropriately cited using APA style. You are allowed, though not required, to use resources outside of those provided within Module Three and the Supporting Materials section.

Your responses should be in complete paragraphs and should contain the following:

Answer all of the activity questions thoroughly and completely. Write out the questions in your submission.

Make direct connections between the information security policy and the concepts covered in the provided resources in Module Three, as well as in the Supporting Materials.

Support your answers with appropriate examples drawn from the information security policy.

Use correct grammar, sentence structure, and spelling, and demonstrate an understanding of audience and purpose.

Activity Questions

Do you think the law or regulation has influenced the development of this policy? How?

How do the listed IT roles and responsibilities support and improve the EPA$$s security posture?

What audience do you think the policy was intended for? Why?

Are there elements that you would recommend to enhance this policy?