ISA 3300 by zhouwenjuan

VIEWS: 3 PAGES: 33

									Random Widget Works

Information
Security Policy
Recommendations



Kenneth Lahm
ISA 3300
Semester Summer
Date 7/12/2010
RWW Information Security Policy Recommendations                                                                                      Kenneth Lahm


Table of Contents

Overview of the Organization ....................................................................................................................... 4
   Organization Overview ............................................................................................................................. 5
   The Need for Information Security Policy ................................................................................................ 6
Enterprise Information Security Policy......................................................................................................... 8
   Enterprise Information Security Policy..................................................................................................... 9
   ENTERPRISE INFORMATION SECURITY POLICY FOR RANDOM WIDGET WORKS ........... 10
       Purpose ............................................................................................................................................... 10

       Information Security Elements........................................................................................................... 10

       The Need for Information Security .................................................................................................... 10

       Information Security Responsibilities and Roles ............................................................................... 13

       Reference to Other Information Technology Standards and Guidelines............................................ 14

Issue Specific Policies................................................................................................................................. 15
   Issue Specific Security Policies .............................................................................................................. 16
   :FAIR AND RESPONSIBLE USE OF RWW INTERNET AND WWW RESOURCES ..................... 19
       1. Statement of Purpose...................................................................................................................... 19

       2. Authorized Uses ............................................................................................................................. 19

       3. Prohibited Uses .............................................................................................................................. 20

       4. Systems Management ..................................................................................................................... 22

       5. Violations of Policy........................................................................................................................ 22

       6. Policy Review and Modification .................................................................................................... 23

       7. Limitations of Liability .................................................................................................................. 23

   FAIR AND RESPONSIBLE USE OF RWW COMPUTER RESOURCES .......................................... 24
       1. Statement of Purpose...................................................................................................................... 24

       2. Authorized Uses ............................................................................................................................. 24

       3. Prohibited Uses .............................................................................................................................. 25

       4. Systems Management ..................................................................................................................... 26

       5. Violations of Policy........................................................................................................................ 27


                                                                                                                                                               2
RWW Information Security Policy Recommendations                                                                              Kenneth Lahm

    6. Policy Review and Modification .................................................................................................... 27

    7. Limitations of Liability .................................................................................................................. 28

 FAIR AND RESPONSIBLE USE OF RWW EMAIL RESOURCES ................................................... 28
    1. Statement of Purpose...................................................................................................................... 28

    2. Authorized Uses ............................................................................................................................. 29

    3. Prohibited Uses .............................................................................................................................. 29

    4. Systems Management ..................................................................................................................... 30

    5. Violations of Policy........................................................................................................................ 31

    6. Policy Review and Modification .................................................................................................... 31

    7. Limitations of Liability .................................................................................................................. 31

References………………………………………………………………………………………..33




                                                                                                                                                      3
Random Widget Works




Overview of the
Organization
RWW Information Security Policy Recommendations                                 Kenneth Lahm


Organization Overview
        Random Widget Work (RWW) was formed fifteen years ago in 1995 and is located in the
Southeast of the United States. Atlanta, Georgia is one of the fastest growing cities in the US
and has made RWW the largest manufacturer of widgets, gizmos and gadgets. On the first and
second floor of Peachtree Plaza is where RWW has over 350 employees. RWW prides itself on
putting the customers’ needs first. RWW strives to create and maintain truthful and open
communication while providing quality service. RWW plans to stay in the forefront of
competitors and provide excellence in technology. RWW promotes and thrives to maintain an
employee motivation strategy and a committed workforce.
       With the birth of the internet, RWW has strived to be the best internet friendly company
possible. With giving free personal access to the internet for employees during breaks, RWW is
committed to grow the company’s internet skills to the next level.
        RWW rewards all employees for going beyond the call of duty by offering stock
incentives and company benefits. Not only does RWW want their customers to feel pride in their
organization but they also want to make their employees feel appreciated. RWW has donated
over 2.7 million dollars to help environmental issues around the world. RWW’s motto is, “We
want to leave this planet better off than the way we found it.” RWW insures that it is a company
of honesty, integrity and has a strong commitment to social and ethical responsibility. RWW has
the goal to be the “preferred manufacturer of choice for every business’s widget equipment
needs, with an RWW widget in every machine they use.”
        Over the past fifteen years of business RWW has grown to become one of the world’s
greatest companies to work for. RWW has been featured in Time magazine for top 10
companies to work for. Although RWW is a technology company their plans to move in other
directions still remains open. RWW has started looking into expanding their company to other
parts of the world.




                                                                                                  5
RWW Information Security Policy Recommendations                                   Kenneth Lahm


The Need for Information Security Policy
        RWW is in need of an EISP and ISSPs because the world is changing and technology is
being used more and more each day. Information is getting lost, stolen and computers and
equipment are becoming damaged due to viruses and attacks. Data is becoming more valuable
and sensitive which needs to be protected more than it did fifteen years ago. Also if data is lost
or stolen it will result in customer scrutiny and fines from government agencies that might result
in bankruptcies altogether.
        RWW has focused more on developing their widgets and gizmos than they did on
security issues, until now. Preserving the privacy, reliability, and integrity of RWW data, is an
important responsibility that needs to be the shared by all employees of the company. There are
many ways that a company can be damaged due to security measures that are not in place.
Human error, vandalism, theft, software issues and plain espionage are some examples of how a
company could be damaged. And if a company suffers from one or more of these issues then it
is possible that that company could go out of business. Stock holders would lose their money;
employees are out of a job and all because these policies were not in place. In the past, RWW
has not controlled the way they store documents. They leave valuable information on their desks;
some employees took important information home with them, and passwords to their computers
were not stored in a safe and secure manner. There was no way of knowing who had what
information or what information was secure. Important data transactions were never destroyed
properly. And RWW computers and offices equipment were in danger of attacks. Visitors to
RWW were able to just wonder through the building with no regards to security. There are no
visitor security measures to ensure that visitors are not overseeing important confidential
information.
        RWW cannot allow visitors to just roam free inside of the building. Visitors should only
be allowed in certain areas of the company and always escorted by a company representative.
Nametags and badges should be worn in plain sight and every other day the nametags should
change colors so that the nametags are not reused another day by the visitor. Also another reason
RWW is in need of an ESIP is, there are no policies regarding the communications system at
RWW. Employees can call whomever they like whenever they want with no real rules to follow.
In the past RWW has had no real problem regarding the communication system but with this
new EISP, RWW can feel a little safer knowing that there are now policies enforcing how the
communication system should be used. RWW has a high desire to employ a security system that
clarifies the significance of each document in order to avert a security breech. RWW needs to
evaluate each and every piece of information to determine who can see it, who can access that
information and where that information is going to get stored at the end of the day. RWW needs
to not only secure important information but they need to back up all information so in the event
of a disaster, they will not lose any important data. This should be done in an automatic fashion
so that all machines send their information to an offsite storage facility every thirty minutes or
so. This automatic function will provide certainty that all company information is sent and not
put off by an employee.
        Once policies are set in place it is the obligation of each employee to follow them so
damage to the company will not take place. If policies or rules are broken by an employee then
RWW has to have policies in place to determine the course of action to take. The senior level
management of RWW needs to create employee strategies and guidelines that are up to date. The
organization will need to amend its current manual in order to initiate what is required of

                                                                                                 6
RWW Information Security Policy Recommendations                                   Kenneth Lahm


employees, and how they should act in a particle situation. These policies should be created to
reflect a professional environment. After guidelines are established and implemented, RWW
needs to revisit these rules frequently to adjust for any gaps in these policies. If there are loop
holes for employees to squeeze through they will. The organizations need to correct any issues
that come into play. If RWW has guidelines in place that are not up to date then that reflects on
the organization. Employees will get the impression that it is ok to break company policy
because the guidelines are faulted. These policies should be handled by a selected group that will
guide and regulate how to implement these policies in the most proficient method.




                                                                                                  7
Random Widget Works




Enterprise
Information
Security Policy
RWW Information Security Policy Recommendations                                     Kenneth Lahm


Enterprise Information Security Policy
        An EISP (Enterprise Information Security Policy) is an overview of all the infrastructure
or frameworks of security measures that need to take place to insure that the company’s
information assets and company equipment are safe from threats. An EISP provides in detail the
policies that an organization need to protect it from threats and risk. These policies are set in
place so that there are no vulnerabilities or risk that an organization didn’t see. These policies are
put in effect to minimize the risk to all company assets.
        Internet crime has amplified tremendously over the past fifteen years, changing from
petty crimes to far more serious crimes like stealing for financial growth. Criminals have become
much smarter or sneakier in gaining access to systems and are more sophisticated in avoiding
detection altogether. Information security is critical to ensure that confidentiality and integrity of
information is protected from potential threats. The increased use of the internet has amplified
the need for security between second and third parties users or organizations. RWW is in need of
an EISP because currently they are without one. As RWW grows they will need to focus more
on controlling who gets to see what data, how that data is destroyed after it is used and who is
allowed to use the internet and what are the precautions they need to take. The EISP will provide
instructions on who is allowed to use the communications system and how to avoid harm to the
company while using these functions. Also an EISP will instruct the employees on how they
should conduct themselves on a day to day basis. A good EISP will reduce the risk that the
company will face while in business.
         The EISP will explain how to handle visitors and what areas are acceptable for them to be
in. The EISP will clarify who is responsible for making sure that visitors only go into certain
areas of the building. It explains the rules of the company and how to access certain information,
it will describe who is going to access information and what they are going to do with it when
they are finished using it. An EISP will also provide insight on how to handle customers and how
not to publish a customer’s sensitive material. With the coffee pot incident at RWW it is
understood that they are in need of a good EISP. If they would have had a good EISP in place
then maybe the information would not have gotten lost and the incident could have been avoided
entirely. Once RWW has a good EISP in place they need to reinforce what the policies say,
because it is not good enough to have a good EISP if no one is following it. There needs to be a
section in the EISP on how to reinforce these policies once they are in effect. The EISP should
state that once these policies are established then testing of these policies should take place once
a month. The test should be taken through the email system. Top level management should
construct a test with policies in mind and distribute them throughout the organization. Also
RWW needs to update these policies once a month. Things change and business grows quickly
so updating and revising the EISP is essential for the organization’s growth.




                                                                                                     9
RWW Information Security Policy Recommendations                                   Kenneth Lahm


                   ENTERPRISE INFORMATION SECURITY POLICY
                         FOR RANDOM WIDGET WORKS

Purpose: The purpose of the EISP for RWW is to allow policies to run their security protocols
for the company. These policies are going to protect them from threats and risk that an
organization runs into. These policies will control how data is stored and how information is
accessed and other components that need to be in place so RWW can run their day to day
business correctly. Also an EISP will allow the employee to see what is required of them. If you
have a good EISP in place then the organization can conduct their business smoothly. No data is
sent to un-wanted eyes and information is never lost.

Information Security Elements: There needs to be security elements in an EISP. Some of these
elements include instructing and training of RWW employees on all new security policies and
updating security policies accordingly. Making sure that RWW is foreseeing new threats and
amending them accordingly. Some high-quality security elements that create excellent policies
are as followed:

      Access: the ability, right, or permission to approach, enter, speak with, or use; admittance
      Authentication: to establish as genuine. Ex: username, password and policies.
      Availability: readily obtainable; accessible and available resources
      Accountability: the state of being accountable, liable, or answerable. Employees of
       RWW will be held accountable for their actions.
      Confidentiality and Privacy: RWW has created policies to ensure the protection and
       security of documents from unauthorized users.

The Need for Information Security: RWW is in need of an EISP and ISSPs because the world
is changing and technology is being used more and more each day. Information is getting lost or
stolen and computers and equipment are becoming damaged due to viruses and attacks. Data is
becoming more valuable and sensitive which needs to be protected more than it needed to be
fifteen years ago. Until now, RWW has focused more on developing their product line than they
have on their IT department, especially their security. Preserving the privacy, reliability, and
integrity of RWW data, is an important responsibility that needs to be shared by all employees of
the company. There are many ways that a company can be damaged due to security measures
that were not in place. The amount of effort it will take to create and implement a complete
security plan outweighs the most tragic possibility – the company must close. Human error,
vandalism, theft, software issues are all examples of how a company could be damaged. And if a
company suffers from one or more of these issues then this opens the door to law suits,
government agency investigations, or the rejection of their stock. Customers could file suit
against a company that allowed their identity to get stolen. Investigations into fraud, or the
public losing confidence in the company could allow for serious financial loses. A company
such as RWW that is productive with team building, customer care oriented and prideful of their



                                                                                                10
RWW Information Security Policy Recommendations                                   Kenneth Lahm


product should instill in their employees company responsibility for the very company that
employs them.

The start of this process needs to be with properly storing confidential information. Passwords
must be changed often and a way to track who records sensitive material. RWW needs to not
only secure important information but they need to back up all information so if the event of a
disaster, they will not lose anything. This is should be done in an automatic fashion so that all
machines sends their information to an offsite storage facility every thirty minute or so. This
automatic function will provide the certainty that all company information is sent and not put off
by an employee.

Once policies are set in place it is the obligation of each employee to follow them so damage to
the company will not take place. If policies or rules are broken by an employee then RWW has
to have policies in place to determine the take course of action. The senior level management of
RWW needs to create employee strategies and guidelines that are up to date. The organization
will need to amend its current manual in order to initiate what is required of employees, and how
they should act in a particle situation. These policies should be created to reflect a professional
environment. After guidelines are established and implemented, RWW needs to revisit these
rules frequently to adjust for any gaps in these policies. If there are loop hole for employees to
squeeze through they will. The organizations need to correct any issues that come into play. If
RWW has guidelines in place that are not up to date then that reflects on the organization.
Employees will get the impression that it is ok to break company policy because the guidelines
are faulted. These policies should be handled by a selected group that will guide and regulate
how to implement these policies in the most proficient method.

Information Security Responsibilities and Roles: There are many important roles that need to
take place in an EISP. These roles are as followed:
   Technology Manager: This role is to decide who will have access to different machines.
    Most employees will have their own desktop station. The technology manager is responsible
    for knowing what machine is where and who is running it. The technology manager will also
    be responsible for knowing what programs are on that machine. Some employees will have
    laptops that the technology manager should be aware of. When a machine gets old then the
    technology manager will take care of it. If a machine gets lost or stolen the employee should
    contact the technology manager. The technology manager is in charge of making sure that
    all employees have the hardware to get their individual job done. This person will be
    responsible for any new technology that becomes available so the company can make a
    decision on whether or not to buy it, and implement it throughout the organization.

   Software Manager: The Software Manager is responsible for making sure that all software
    needed is located on the employees’ machines. The software manager is also responsible for
    making sure that all program updates are installed and running properly. Also making sure

                                                                                                 11
RWW Information Security Policy Recommendations                                    Kenneth Lahm


    that anti-virus programs are installed and up to date. If there is an issue regarding a security
    problem then the software manager is the one to contact. The software manager is also
    responsible for upgrading to newer versions of software programs. The software manager is
    also responsible for archiving all program installation disks so if necessary they can be found
    quickly. If an issue occurs where an employee’s computer is not working properly then the
    software manager should be contacted right away. The software manager will be in charge of
    recommending new or improved software.

   Policies Manager: The Policies Manager is in charge of making sure that all employees know
    the company’s policies and procedures. If there is an issue pertaining to established policy
    then the Policies Manager is the person to contact. The manager is also responsible for
    making sure policies are up to date. This person will conduct different activities for the
    employees to make sure that employees know each policy. It is also the responsibility of the
    Policies Manager to make sure that the employees are following those policies correctly. If
    an employee is ignorant of established policy procedure – for instance the practice of
    changing system passwords often on an employee’s computer - then it’s the responsibility of
    the Policies Manager to educate and/or correct the employee.

   Risk Assessment Manager: The Risk Assessment Manager is going to conduct risk
    assessment throughout the company. It is the responsibility of the Risk Assessment Manager
    to limit, avoid and foresee areas of risk. The Risk Assessment Manager will come up with
    policies for different departments to follow to avoid risk. These policies will be given to the
    Policies Manager for him/her to deploy. If there is a problem with how the risk assessment
    policies are working then the Risk Assessment Manager and Policies Manager should get
    together to figure out the best solution for the company. The Risk Assessment Manager will
    periodically conduct risk assessment exercises and convert them to low risk for the company.
    Also the Risk Assessment Manager will be responsible for constructing reports showing how
    the risks have lowered. The Risk Assessment Manager will also construct a report on levels
    of risk throughout the company.

   Data Recovery Manager: The Data Recovery Manager is responsible for managing how data
    is stored and how often. Also the Data Recovery Manager will be in charge of recovering
    data in the event of a disaster or if an employee has a lost or stolen machine. The Data
    Recovery Manager is also responsible for who is able to access certain data. The Data
    Recovery Manager will work closely with the Network Administrator Manager to provide
    access to certain employees to different branches of data. Also the Data Recovery Manager
    is in charge of providing the CEO information on how to store data to an offsite storage
    facility. The Data Recovery Manager will also work closely with the manager of the offsite
    storage facility to make sure that they are doing what they are supposed to be doing.

   Network Administrator Manager: The Network Administrator will be in charge of providing
    access to the network. They will monitor and support the network. If an employee has an

                                                                                                  12
RWW Information Security Policy Recommendations                                   Kenneth Lahm


    issue regarding login problems or password issues then they should contact the Network
    Administrator. The Network Administrator will design how the password systems should
    function, how the employees will update their passwords, and how frequently those
    passwords are to be changed. The Network Administrator will be responsible for monitoring
    the network to see if there are any offsite logins. If so then the Network Administrator should
    contact the Security Manager and work together to figure out how and why someone can
    access the network for offsite use. The Network Administrator is responsible for making
    sure that all employees have access to the information they need. The Network
    Administrator will make sure that an employee has the right to send emails. The Network
    Administrator will figure out how the email system is going to operate and who can send
    what to whom as well as how data will be destroyed once it is no longer needed. The
    Network Administrator will provide employees printer connections and support. The
    Network Administrator will be in charge of all updates to the system as needed and also
    provide support to all employees’ network needs. The Network Administrator will conduct
    frequent tests and feedback so that the CEO and can see how the system is running. The
    Network Administrator will be in charge of recommending new techniques to serve the
    company’s needs better.

   Security Administrator Manager: The Security Administrator is in charge of the security
    measures that ensure a security breaches does not happen. If there is a security concern with
    an employee then the Security Administrator Manager is the one to contact. The Security
    Administrator is in charge of making sure that the right security programs are installed on the
    employees’ machine and that they are up to date and running correctly. The Security
    Administrator is also in charge of the security of the network. If there is an issue then the
    Network Administrator and the Security Administrator should get together and figure out the
    problem in the best way for the company. All issues and corrections should be recorded and
    forwarded to the CEO. If an employee breaks company policies then the Security
    Administrator should contact the Human Resource department and conduct a full inquiry on
    the matter. If there is a security issue regarding an employee’s work station then the Security
    Administrator should be contacted. In the event of a physical security breech then the
    building security team should be called, and then 911. A great article I found at
    searchsecurity.com describes how security is protecting almost everyone. It states that
    “Regardless of specific compliance requirements, your primary job is to protect the corporate
    data and, in turn, protect employees, patients, vendors, customers and your shareholders.”

   End User: The End User is the employee at the bottom of the organizational chart. They are
    the ones talking to customers through email, phone and online chats. They are the ones
    viewing documents, writing emails to clients and customers and working with company
    equipment. The End User needs to be aware of all company policies and be able to explain
    them to other employees. The End Users are also responsible for letting their upper managers
    know if there is a special concern regarding security issues or documentation issues. They

                                                                                                 13
RWW Information Security Policy Recommendations                               Kenneth Lahm


   also are responsible for keeping an eye out for other employees trying to do harm to company
   assets.

Reference to Other Information Technology Standards and Guidelines:

      The reference to the Disability Act can be found at:
       http://www.section508.gov/index.cfm?FuseAction=Content&ID=3

      The reference to the financial Act can be found at: Gramm-Leach -Bliley ACT– GLBA
       http://www.usg.edu/infosec/policy_management/guidelines/relevant/

      The reference to investor Act can be found at:
       http://www.usg.edu/infosec/policy_management/guidelines/relevant/

      The USA Patriot Act can be found at:
       http://www.usg.edu/infosec/policy_management/guidelines/relevant/

      The National Strategy to Secure Cyberspace Report:
       http://www.usg.edu/infosec/policy_management/guidelines/relevant/
      GEORGIA CODE – FREE PUBLIC ACCESS:
       http://w3.lexis-nexis.com/hottopics/gacode/




                                                                                            14
Random Widget Works




Issue Specific
Security Policies
Issue Specific Security Policies

Issues:
Data Storage- Data storage is one of the biggest issues an organization faces. Data can be valued
as very important to not so important, but protecting that data is essential for the organization to
function properly. Employees will not be able to access the Data Storage on the company’s
network unless they have a valid company password. Passwords are assigned by the Security
Manager. All data needs to be saved every night so that the automatic data storage can be sent to
the off-site storage company. No company documents will be printed and taken out of the
building unless authorization by the Security Manager. All documents that are printed out on
paper need to be shredded by the end of the business day. There are to be no documents left out
on desks after business hours.
Email Use- Email access will be given to all employees that have a network password.
Employees must follow all policies regarding email use. There are to be no emails sent from
RWW that will contain customer information in it. There will be no replies to an email sent to
you; it must be a new email to your reply contact. (Meaning that you can’t hit the reply button,
you must start a new email.) If you are using an email system that is not on the company’s
network then you are not allowed to download any attachments (See personal email usages). You
are not allowed to send any company documents out over your personal email. Employees are
not allowed to send emails to other employees in the company through personal email systems.
All emails to other employees of RWW will go through the networks email system. All emails
used by the company’s network are property of RWW. Password to the network email system
will be changed every thirty days and should not be written down.

          Personal Email Usages
RWW provides a network email system for business use, but allows employees to use their
personal email system if desired. While RWW permits personal email systems, employees still
have guidelines to adhere to:
    The sending/replying to junk mail, phishing scams and offensive material is strictly
     forbidden.
    Personal use of email should only be used during breaks and lunch time and is not to
     interfere with work or others around you.
    Sending mass emails is strictly prohibited.


Anti-virus Programs- It is the responsibility of the Software Manager to have anti-virus programs
on all desktops and laptops that RWW possess. It is the user of that RWW equipment who is
responsibility to run/scan those programs every week to prevent security issues. If there is an
issue, contact the Security Manager for instruction. Anti-virus programs are to be updated when
updates are available. It is very important that all employees of RWW follow these policies


                                                                                                  16
regarding the Anti-virus programs. Keeping your system free and safe of viruses is essential for
the company to function properly.

Internet Use- Internet use will be monitored by the Network Manager. There is to be no outside
computers allowed to access the company’s internet. Network access will require authorization
after business hours. Only company equipment can be allowed access to the internet. Following
these guidelines are required by all RWW employees. Guidelines are as follows:

    There is to be no sending, storing or retrieving of offensive, obscene or illegal material.

    Unable to engage in illegal activities.

    No sending or receiving of copyrighted material.

    Internet activities that are not on RWW equipment are prohibited.

    Harassing of other individuals through internet use is prohibited.

    Obtaining unauthorized access to any computer system is not allowed.

    No downloading programs or files not authorized by RWW.

    Viruses and sabotage are strictly prohibited. RWW employees will not send any system
     virus through the Internet or employ any activity planning to disrupt or damage hardware
     or software.

Visitor Policy – Visitors into the building will have to sign in and show ID. All visitors will
receive an ID/Nametag card that must be worn in plain sight at all times. Visitors must wait in
building lobby until a representative of RWW escorts them to the desired location. All visitors to
RWW are only allowed into specified areas and always escorted by an RWW employee. No
visitor is allowed to walk through RWW’s second floor. Visitors are not allowed in RWW after
business hours unless top level management approves. All visitors are only allowed on the first
floor meeting room unless special access by upper level management is granted. There will be no
video recording devices (see recording devices) allowed into RWW.

       Recording Devices

            Tape Recorders

            Video Recording Devices

            No Video Cameras on Cell Phones

            MP3 Players that Record Audio or Video




                                                                                                   17
            Anything regarding a sound recording device most commonly used to record
             speech for later playback.

Photocopy Equipment/Printers – Printers and scanning equipment owned by RWW is to be used
for company use only. There is to be no printing or scanning of any illegal documents. Printers
and scanners are to be used for company purposes only. Employees will be assigned a printer to
use by the Network Manager. Employees must use printers and scanners assigned to them.




                                                                                             18
FAIR AND RESPONSIBLE USE OF RWW INTERNET AND WWW RESOURCES


1. Statement of Purpose: The purpose of this ISSP is to address the issues of using the internet
at RWW. These issues include what sites to go to and what sites not to go to. Another issues is,
are employees allowed to upload files to the internet and if so, then who? The purpose is to make
policies that reinforce behavior allowed at RWW. RWW needs to allow their employees to
access the internet but where is the line drawn. This ISSP is to document the guidelines in how
to properly use the internet at RWW.

a. Scope and Applicability: The scope of this ISSP is to regulate internet use at RWW. To have
all policies documented on paper which will state who is allowed to access the internet and how.
Who is allowed to have downloading and uploading privileges? The main purpose of this ISSP is
to document acceptable behavior while using the internet during business hours and on company
equipment.

       b. Definition of Technology Addressed: Configurations to existing software is all that
       RWW is going to need. With the skill set of some of their IT employees they will just
       need to learn how to configure certain areas to maintain a secure internet policy. The
       technologies that will be used to access the internet are as followed.


            Desktop-Company computers that are assigned to most employees during hiring.

            Laptops- are a personal computer designed for mobile use

            Cell phones- A mobile phone allows its users to make and receive telephone calls.
             With newer models coming out that allow access to the internet.

            Ipads- The iPad is a tablet computer that is marketed for consumption of media
             such as books and periodicals, movies, music, and games; and for general web
             and e-mail access.

            Itouch- The same as the IPad but allows users a touch screen interface.

            Servers- are any computerized process that shares a resource to one or more client
             processes.

            Printers- that have access to the internet- which produces a hard copy of
             documents stored in electronic form, usually on physical print media such as
             paper or transparencies.

       c. Responsibilities: The Responsibilities are as followed:


                                                                                                19
            Each employee will do their best in upholding these policies

            Each employee will provide feedback to these policies

            Each employee will watch other employees for misuse behavior.



2. Authorized Uses: Employees of RWW are given authorization to use the internet for business
purposes. Although RWW allows their employees to use the internet for personal use, the
employee should limit their personal use to breaks and lunch time. Employees will not be
allowed to visit websites containing offensive material, gambling sites, online dating sites,
pornographic sites and chat rooms. There will be firewalls and proxy set up to prevent a user
from accessing these sites on accident. There can be authorized uses of these policies on a case
by case basis. If an employee needs to access information on a website that is listed as denied,
then the user needs to contact the Network Manager to get approval.

       a. User Access: There will be password and identification measures in place to access
       the internet. Passwords will be prompted to change every thirty days. Users with
       passwords are granted access to the internet. Employee must follow all policies regarding
       internet use. Misuse of internet privileges will result in a full evaluation done by the
       human resource department.

       b. Fair and Responsible Use: The fair and responsible use of the internet includes
       working on day to day business duties for the company RWW. Downloading and
       uploading of files that are not authorized by RWW is a violation of RWW code of
       conduct for internet use. Sending or receiving of any material that is protected under the
       copyright protection act is strictly prohibited. Uploading of any confidential material to
       the internet without the permission of RWW is a violation of RWW internet policies.

       c. Protection of Privacy: It is the responsibility of all employees of RWW to hold
       privacy concerns to the up most importance. All employee will not discuss personal
       information online unless in a secure chat room. Employees of RWW will never upload
       any customer information to the internet unless directed by management and written
       approval.

3. Prohibited Uses- Internet use will be monitored by the network manager. There is to be no
outside computers allowed to access the company’s internet. Network access with require
authorization after business hours. Only company equipment can be allowed access to the
internet. Following these guidelines are required by all RWW employees. Guidelines are as
followed:

    Engaging in illegal activities.

    Sending, storing or retrieving of offensive, obscene or illegal material.


                                                                                                20
 Sending or receiving of copyrighted material.

 Use of internet activities that are not on RWW equipment.

 Harassing of other individuals through internet use.

 Obtaining unauthorized access to any computer system

 Downloading programs or files not authorized by RWW.

 Viruses and sabotage. RWW employees will not send any system virus through the
  Internet or employ any activity planning to disrupt or damage hardware or software.


   a. Disruptive Use or Misuse- If an employee is caught disrupting any customer or
   company material without the permission of RWW it is consider a misuse of the internet,
   and will result in evaluation from the Human Resource Department. If an employee is
   using a personal chat room for non business duties during business hours it is considered
   a misuse of the company’s internet system. If an employee is using the internet to play
   online games it is considered a misuse of the company’s internet system. If an employee
   is using the internet for personal use (other than business duties for RWW) during
   business hours then that is considered a misuse of the company’s internet system.

   b. Criminal Use- If an employee is using the internet system for illegal activities then
   employment termination and criminal charges will be pressed by the company RWW.
   See Criminal Use (followed).
          Criminal Uses

            Illegal downloading

            Harassing

            Threats

            Uploading of any Illegal Material

            Viewing/Uploading/Downloading of Child Pornography
            Gambling


   c. Offensive or Harassing Materials- Harassment is considered the intent to disrupt,
   disturb or threaten another person. If an employee of RWW is considered offensive to
   another employee of RWW or a customer of RWW then a full evaluation by the Human
   Resource Department will take place. Following the outcome that employee can face
   termination from the company and criminal charges. Harassing of anyone at RWW is
   strictly prohibited. If an employee is caught harassing anyone while using the internet


                                                                                              21
       this will result in an evaluation by the Human Resource Department followed by
       termination and/or criminal charges.

       d. Copyrighted, Licensed, or Other Intellectual Property- Uploading or downloading
       of any Copyrighted material is strictly prohibited at RWW. If an employee of RWW is
       considered in violation of this policy then a full evaluation is performed by the Human
       Resource Department followed by possible termination and up to criminal charges being
       filed.

       e. Other Restrictions- RWW’s internet use is for the sole purpose of business duties and
       acceptable minimal personal usages.


4. Systems Management

       a. Management of Stored Materials- The Network Manager is responsible for
       maintaining the stored materials at RWW. Also the Network Manager is in charge of
       monitoring the internet activities. Making sure that certain website are not accessible to
       employees.

       b. Employer Monitoring- The Network Manager will be responsible for monitoring the
       employees’ internet usage. Also it is the responsible for employees to keep an eye on
       other employees for misuse of the company’s internet system. If an employee sees
       another employee doing something they are not supposed to be doing then it is that
       employee’s responsibility to make sure that management knows.

       c. Virus Protection- Virus protection programs will be installed on all computers and
       laptops that RWW possess. It is the responsibility of the user of that computer system to
       run and use that program to avoid viruses. Updating your virus protection is essential for
       keeping viruses off of company equipment.

       d. Physical Security- The building security team will handle all physical security
       threats. If an employee has a concern regarding physical safety then he or she should
       contact the buildings security team. It is the responsibility for all RWW employees to
       keep an eye on suspicious activity and report it to the buildings security department.

       e. Encryption- Once files are uploaded to the network they will be encrypted. Upon
       having access to that network will decrypt those files for viewing. There are to be no
       files left on company equipment during non business hours, all files must be uploaded to
       network so the backup system can run properly.

5. Violations of Policy

       a. Procedures for Reporting Violations-Reporting violations to management is
       essential for the company to maintain progress. Once an employee notices something
       they are concerned about then that employee should contact their manager through email
                                                                                                    22
       stating that they have a violation concern that they need to discuss with them. Then that
       manager will schedule an appointment with them as soon as possible to discuss that
       violation. If that concern can be handled internally then an evaluation will take place to
       determine the best plan of action. If the violation or violations are criminal then outside
       sources will need to be contacted. Police will be called to supply additional insight into
       the matter.

       b. Penalties for Violations- Penalties for violations of the internet system at RWW are
       as followed. If an employee at RWW is caught violating the internet system policies then
       the first offence is a reported document stating the violation. Second is automatic
       termination. If the violation is criminal in matter then automatic termination and criminal
       prosecution takes place.

6. Policy Review and Modification
       a. Scheduled Review of Policy- All policies are scheduled for review and modification.
       These policies are to be reviewed and modified at each quarter. If an issue or concern
       regarding the wording or if a guideline is misunderstood then correction to that policy
       will occur. If there is a need for more policies then adjustments will be made.

       b. Procedures for Modification- Every quarter, top managers will discuss how the
       company is functioning. If there is an issue regarding policy then an evaluation is done
       to fix that issue. Once modifications are made then emails are sent out to the staff of
       RWW stating what changes are made and the new guidelines to follow. Testing of these
       policies will also take place every quarter. Emails are sent out with testing questions on
       the policy handbook. An employee has three chances to pass the test on the policies of
       the company. If they should fail all three test then a document is filed and an employee is
       given a fourth try. If still the employee fails to past the test then that employee is sent
       home to study the material again. The next day that employee can come back to work to
       try for the fifth time. If still that employee has failed the test then again is sent home to
       study the material. Documentation is placed in employee’s file again stating that the
       employee failed the policy test. The next day that employee is able to come back to
       RWW where he or she is allowed to take the test again for the sixth time. If that
       employee fails the test again then that employee is automatically terminated.


7. Limitations of Liability-RWW will not be held responsible for any personal injury occuring
from misuse of company policies. RWW is not held responsible for any damage to files,
hardware or software that has been used as personal belongings during business hours. RWW is
not responsible for lost or stolen data. RWW will not be liable for misuse of company assets. If
an employee is caught stealing information online that individual is held responsible not RWW.

FAIR AND RESPONSIBLE USE OF RWW COMPUTER RESOURCES

1. Statement of Purpose- The purpose of this ISSP is to address issues regarding RWW
computer resources. RWW has to document all issues regarding computer resources. RWW


                                                                                                  23
computer resources are tangible property valued at over 100,000 dollars. Computers, laptops,
printers, cell phones and other company resources are assets to the company and need to be
protected.

       a. Scope and Applicability- The scope of this ISSP is to document acceptable behavior
       towards RWW computer resources. Also the scope of this ISSP is to document un–
       acceptable behavior and repercussions of these violations.

       b. Definition of Technology Addressed- Computers are personal devices which allows
       a user to access the company network, stores and manipulate data. Laptops are
       computers that have the same capabilities of a computer but they are mobile.

       c. Responsibilities-The technology manager will be in charge of controlling the risk to
       RWW computer resources. Also maintaining the computer resources is the responsibility
       of the network manager. The user of that computer or laptop is responsible for making
       sure that their work computer is safe. If the user is responsible for damaging their work
       computer resource then they will be held responsible.


2. Authorized Uses- According to Wiki the definition for authorized uses “is the function of
specifying access rights to resources, which is related to information security and computer
security in general and to access control in particular.”

       a. User Access Each employee that is given a work computer resource during hiring is
       authorized to use that computer resource. No employee should be using another
       employee’s work computer resource. Employees should protect those computer
       resources with passwords and make sure they are secure at the end of each use.

       b. Fair and Responsible Use- The responsible use of RWW computer resources are
       as followed:
            Each employee will password protect their company computer resource and keep
             their password safe.
            Upgrading hardware will be performed by the hardware and software managers.
            Employees are responsible for upholding fair use of computer resources.
            Illegal downloading with company computer resources is strictly prohibited.

            Harassing any person with company computer resources is strictly prohibited.

            Threats to any person while using company computer resources is strictly
             prohibited.

            Uploading of any illegal material with company computer resources is strictly
             prohibited.

                                                                                               24
           Viewing/Uploading/Downloading of Child porn with company computer
            resources is strictly prohibited.

           Gambling at any time while at RWW is strictly prohibited.


       c. Protection of Privacy- There should be no personal data saved on RWW computer
       resources. RWW tries to protect all employees from privacy concerns but makes no
       promise that privacy issues will not occur. Employees need to take personal actions to
       protect their privacy while using RWW computer resources. RWW assures that personal
       employee information given during hiring purposes will be protected at all times. While
       engaging in violations to the computer resources policy there is no assurance that
       personal information will be protected.


3. Prohibited Uses- Prohibited use of RWW computer resources are as follows: No employee
should be using another employee’s computer resource. No employee of RWW should engage in
copyright violations. No employee should leave computer resources open and unattended.
Computer resources at RWW should be protected by the user of that computer resource. No
employee should engage in illegal activities while using RWW computer resources. Violations to
this policy will result in termination and/or criminal charges.

       a. Disruptive Use or Misuse- Using other employees computer resource is a violation or
       misuse of RWW computer resource policy. Configuration to RWW computer resource is
       also a misuse of RWW computer resource policy. Leaving your computer unattended
       and open for someone to gain access is a violation to RWW computer resource policy.

       b. Criminal Use- Criminal use to RWW computer resource policy will result in criminal
       charges. Employees of RWW will follow all laws regarding computer use at RWW.
       Criminal uses are as followed:
           Illegal downloading

           Harassing

           Threats

           Uploading of any illegal material

           Viewing/Uploading/Downloading of Child pronunciation
           And are limited to other criminal use by the state of Georgia.

       c. Offensive or Harassing Materials- RWW strictly prohibits harassing of any kind.
       Violation to this policy will result in termination and possibly criminal charges.
            Sexual Harassment


                                                                                             25
           Threats to harm other persons

           Threats for employment upgrade

           Threats for financial gain

           Any kind of statements made that harms employment relationships could be
            considered a harassing violation.


      d. Copyrighted, Licensed, or Other Intellectual Property- RWW strictly enforces the
      copyright protection policy. There should never be copyrighted material on RWW
      computer resources. Violation to this policy will result in termination and possible
      criminal charges. At no time should an employee upload any copyrighted, licensed or
      other intellectual property to RWW computer resources.

      e. Other Restrictions- There should be no programs that are not intended for business
      related duties on an employee’s computer. No employee is allowed to download
      programs without the permission of the Network Manager.


4. Systems Management-The Technology Manager is responsible for the physical equipment at
RWW. Management of these computer resources will be making sure that RWW computer
resources are running properly. If an issue arises regarding computer resources then the
Technology Manager will take charge.

      a. Management of Stored Materials- The Software Manager is responsible for the
      management of stored materials on RWW computer resources. The only thing that
      should be stored on company computers are programs that allow an employee to do their
      job duties. Saved materials should be uploaded to the network so they can be backed up
      at the end of each business day.

      b. Employer Monitoring- Monitoring of employees while using computer resources
      should take place by all employees of RWW. If an employee sees another employee
      misusing company computer resources then that employee should contact the security
      manager to discuss details. AT RWW there is no manager responsible for monitoring
      employee’s use of computer resources. The hiring of a good employee is the standard for
      computer resources. If an issue occurs where there has been a clear violation of misuse of
      company computer resource then an investigation will go underway by the Security
      Manager. Then he or she will report their findings to the Human Resources Department
      for evaluation.

      c. Virus Protection- The Security Manager at RWW is responsible for making sure that
      all computer resources at RWW are protected with virus protection. The employee
      responsible for their personal company computer is obligated to run virus protection
      software to ensure their system is running properly.

                                                                                              26
       d. Physical Security- If a physical security threat occurs then the building’s security
       team should be called. If an employee witnesses someone trying to steal company
       computers then the security team for the building should be notified. If an employee sees
       or hears someone causing physical damage to company computer resources then the
       security team for the building should be notified. If an employee of RWW is causing
       physical damage to company computer resources then termination and possible criminal
       or civil charges will occur for that employee.

       e. Encryption- There are no encryption done on RWW computer resources. Encryption
       takes place on the network.


5. Violations of Policy- Violations to company policy regarding computer resources at RWW
will result in a full evaluation performed by the Human Resource Department.

       a. Procedures for Reporting Violations- If an employee at RWW needs to report a
       violation of the computer resource policy then that employee needs to send an email to
       the Security Manager requesting a meeting. During that meeting that employee will
       discuss what happened behind closed doors. It is the responsibility of the Security
       Manager to make an appointment quickly so no other violations occur.

       b. Penalties for Violations- Penalties for violations of the computer resource policy are
       as followed.
            First Violation-Written warning and placed in file, or termination

            Second Violation- Written warning and placed in file, or termination

            Third Violation- Termination

6. Policy Review and Modification- Every quarter top managers will discuss how the company
is functioning. If there is an issue regarding policy then an evaluation is done to fix that issue.
Once modifications are made then emails are sent out to the staff of RWW stating what changes
are made and the new guidelines to follow. Testing of these policies will also take place every
quarter. Emails are sent out with testing questions on the policy handbook. An employee has
three chances to past the test on the policies of the company. If that should fail all three then a
document is filled and an employee is given a fourth try. If still the employee fails to pass the test
then that employee is sent home to study the material again. The next day that employee can
come back to work to try for the fifth time. If still that employee has failed the test again he/she
is sent home to study the material. Documentation is placed in the employee’s file again stating
that the employee failed the policy test. The next day that employee is able to come back to
RWW where he or she is allowed to take the test again for the sixth time. If that employee fails
the test again then that employee is automatically terminated.


                                                                                                   27
7. Limitations of Liability- RWW will not be held responsible for any personal injury occuring
from misuse of company policies. RWW is not held responsible for any damage to files,
hardware or software that has been used as personal belongings during business hours. RWW is
not responsible for lost or stolen data. RWW will not be liable for misuse of company assets. Use
of a company computer resource is for the sole purpose of performing job duties. Using
computer resources incorrectly will result in an evaluation performed by human resource
department and could result in termination.


FAIR AND RESPONSIBLE USE OF RWW EMAIL RESOURCES

1. Statement of Purpose- The purpose of this ISSP is to document appropriate email usages at
RWW while on company time.

       a. Scope and Applicability- The scope and applicability of RWW email policies are to
       regulate how to use the email system at RWW while on company time. Employees at
       RWW will be given the privilege of email rights while on company time. Email uses are
       as follows: There are to be no uploading of any company document with permission
       from management. Downloading of documents is granted on the basis that the download
       is used for company purpose. If a customer sends their information to an employee then
       the reply will be a new email, meaning that an RWW employee will not hit reply to a
       customer email. They are to start a new email to that customer. There are to be no mass
       emailing done at RWW. During the configuration of RWW network email system,
       employees will be given certain rights to whom they can email through the company,
       meaning that no employee will have access to email the CEO without special approval of
       management. No employee will be able to send an email to the entire staff of RWW.
       The email system will be backed up to an offsite storage facility during non business
       hours. If an employee does not have access to the email system then they are not
       allowed to use it. No sharing of passwords to RWW network email system. Although
       RWW allows its employee to use personal email systems, they are still required to follow
       the network email system policy. Personal email usages should be done on a limited
       basis and never interfere with business at RWW. Downloading of items not related to
       business at RWW is prohibited.

       b. Definition of Technology Addressed- The technology that will be addressed is the
       network email system. Local desktops that employees use will allow them to access the
       network. Laptops and other equipment will be able to access the network email system
       with valid passwords. Configuration to RWW equipment to gain invalid access is
       strictly prohibited. Monitoring of network is the responsibility of the network manager.

       c. Responsibilities- It is the responsibilities of all RWW employees to follow company
       policies regarding network email use.




                                                                                                28
2. Authorized Uses – According to Wiki the definition for authorized uses is “the function of
specifying access rights to resources, which is related to information security and computer
security in general and to access control in particular.”

       a. User Access- Users of the network email system will be given a password. Passwords
       are to be changed every thirty days. Configuration to the network email system will
       prompt the user to change their password once the thirty days are up. Users that are
       leaving RWW or terminated will have all network privileges removed.

       b. Fair and Responsible Use- Responsible use of the network email system are as
       follows: Logon to the network with valid password and check new emails. Once you
       have checked an email and need to respond, copy email address and start a new email.
       Never put customer information in an email. Once completed with email duties then shut
       down network email system. Never allow network email system to be open and running
       on your computer while not at your desk. Lock computer if you plan on leaving from
       your desk.

       c. Protection of Privacy- Protection of Privacy is held to the utmost importance at
       RWW. Displaying or Sending of documents containing information relating to a
       customer or company information is strictly prohibited at RWW. Someone caught
       sending important customer or company information over the internet through the email
       system will result in termination or criminal prosecution.


3. Prohibited Uses
       a. Disruptive Use or Misuse- Downloading of exe.files, non-business related documents
       and or viruses. Uploading of customer(s) or company documents without the approval of
       management is strictly prohibited.

       b. Criminal Use-
            Sending out viruses

            Phishing scams

            Harassing

            Threats

            Downloading or Uploading of illegal material

            Downloading or Uploading of copyrighted material.

            Mass Emailing




                                                                                                29
      c. Offensive or Harassing Materials- If an employee of RWW is caught harassing a
      customer or another employee of RWW the result will include termination and possible
      criminal charges being filed.

      d. Copyrighted, Licensed, or Other Intellectual Property- All documents of RWW
      are the sole property of RWW. Any sending of RWW property out over the email
      system is strictly prohibited. There is to be no sending or receiving of copyrighted
      material.


4. Systems Management

      a. Management of Stored Materials-Once the business day is completed then all
      network data stored is backed up to offsite storage. All data must be saved and uploaded
      to the network at the end of each business day. The network manager is responsible for
      management of stored data. While the network manager is responsible for securing that
      data he/she is also responsible for making sure that employees are following policy
      regarding network email use. This is the point where the network manager gets to view
      employee email use to monitor what they are doing.

      b. Employer Monitoring- All monitoring of the email system is done by the network
      manager. He or she will gain access to monitoring tools while the network is being
      backed up. The network manager will report any finding to the human resource
      department for an evaluation of policy misuse. It is also the responsibility of all RWW
      employees to monitor the email system. If an employee of RWW receives an email from
      another RWW employee containing harassing materials, copyrighted materials, illegal
      materials or protected company materials then it is the responsibility of that employee to
      let the network manager know. Once informed on the matter the network manager will
      verify the misuse and arrange a meeting with the human resource department.

      c. Virus Protection- If the event of a virus attack to employees of RWW they will need
      to contact the security manager for instructions. Downloading or uploading of viruses is
      strictly prohibited and result in termination and up to criminal or civil charges. Virus
      protection software is installed on every computer and laptop that RWW owns. It is the
      responsibility of every RWW employee to run and update their virus protection software
      to avoid viruses.

      d. Physical Security- Physical Security regarding email usages at RWW, are as
      followed. No employee at RWW will leave his or her email system open and unattended.
      When finished using network email system it should be closed. Employee should never
      leave their network password unattended or open in plain sight. Passwords are to be
      remembered and changed every thirty days.

      e. Encryption- Once the data is uploaded to the network then all files are encrypted.
      Once email are sent over the internet they are sent using a FTP that is encrypted so know
      unwanted eyes are able to see. Confidential is to be put on the subject line of the email if

                                                                                                30
       the information inside the email is confidential in natural. Instructions on how to delete
       the email will also be inside of the email so the customer knows how to destroy
       confidential customer records.


5. Violations of Policy

       a. Procedures for Reporting Violations- In the event of a procedure violation the
          employee must contact by email the network manager to discuss the situation. Once
          the network manager has discussed the situation he or she can go back to the
          company logs and verify the actuations. Once the actuation has been verified then he
          or she will contact the Human Recourse Department explaining the violation and
          providing documents proving the misuse has taken place. Once the Human Resource
          Department has made a decision on how best handle the matter, actions will follow.
          ACTIONS

               First Action-Written warning placed in employee file, and or termination

               Second Action- Written warning placed in employee file, and or termination

               Third Action- Termination

       b. Penalties for Violations-The first offence is a written warning explaining what
          happen and placed in the employee file and or termination. The Second offence is
          written warning and or termination and up to criminal or civil charges if necessary.

       6. Policy Review and Modification- Every quarter top managers will discuss how the
       company is functioning. If there is an issue regarding policy then an evaluation is done
       then to fix that issue. Once modifications are made then emails are sent out to the staff of
       RWW stating what changes are made and the new guidelines to follow. Testing of these
       policies will also take place every quarter. Emails are sent out with testing questions on
       the policy handbook. An employee has three chances to past the test on the policies of the
       company. If that should fail all three then a document is filled and an employee is given a
       fourth try. If still the employee fails to past the test then that employee is sent home to
       study the material again. The next day that employee can come back to work to try for the
       fifth time. If still that employee has failed the test then again is sent home to study the
       material. Documentation is place in employee file again stating that the employee fail the
       policy test. The next day that employee is able to come back to RWW where he or she is
       allowed to take the test again for the sixth time. If that employee fails the test again then
       that employee is automatically terminated.

       7. Limitations of Liability- RWW will not be held responsible for any personal injury
       accruing from misuse of company policies. RWW is not held responsible for any damage
       to files, hardware or software that has been used as personal belongings during business


                                                                                                    31
hours. RWW is not responsible for lost or stolen data. RWW will not be liable for misuse
of company assets. If an employee is caught stealing information online that individual is
held responsible not RWW




                                                                                        32
References



    Hayden Ernie, 05.18.2010, How to manage compliance as Chief Information Security
     Officer (CISO), SearchSecurity,com, Retrieve from the World Wide Web on 7/7/2010, at
     http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1511046,00.html?track=NL-
     430&ad=774337&asrc=EM_NLT_11955698&uid=10037202

    508 Law, 04/30//2008, Summary of Section 508 Standards, Section508.gov. Retrieve
     from the World Wide Web on 7/9/2010, at
     http://www.section508.gov/index.cfm?FuseAction=Content&ID=3

    Office of Information Security, NO DATE, Relevant IT & IS
     Laws/Regulations/Acts/Rules, Retrieve from the World Wide Web on 7/10/2010, at
     http://www.usg.edu/infosec/policy_management/guidelines/relevant/

    Wiki-the free encyclopedia, NO DATE, Definitions, from the World Wide Web on
     7/10/2010, at http://en.wikipedia.org/wiki/Wiki




                                                                                        33

								
To top