Assignment 1: Creating and Communicating a Security Strategy

In this scenario, I am an IT security professional for Spend Your Money Corporation, which sells various items to individuals and companies. The corporate facilities structure has buildings in multiple
shopping malls in several states. Each facility houses people from various departments including, but
not limited to, Human Resources, Sales, Marketing, Information Technology, Security, and Retail
Sales. Everyone has access to the retail location, as it is open to the public, but areas within the buildings are
secured against individuals who do not need access to them.

The corporate IT infrastructure has several servers, workstations, laptops, mobile devices, point
of sale terminals, and tablets. Each employee has a unique login, email, and access card that includes all
of their access to the systems and facilities they are allowed to access. Within the IT systems, there are
proprietary applications tailored to the individual's type of work. These applications are loaded on the
corporate systems and, in some cases, on personal devices for those who bring their own device for work.

Within the corporation, each department has designated roles for each employee in that
department, and the IT assets are designed to function according to the profile of the individual logged
into that device. For example, a physical security employee will have physical access to all areas within
the facilities for maintaining the physical security of the company, but will only have access to certain
IT resources as they pertain to physical security (e.g., security cameras, alarm systems, individual time
card access). Each position's access will be tailored by the IT security team and the physical
security team. Below is an example of the Security Memo being generated for all employees, defining
security policies and procedures.

Memo
To: ALL EMPLOYEES
From: IT Security Department
Date: October 29, 2017
Re: Security Policy

General Policies and Motivation
To define policy and establish procedures related to corporate computer systems and to
provide guidance and standards for configuring computers and systems within the
company. The standards provided are subject to change based on new or existing
requirements. The Corporate Information Systems Officer (CISO) and/or the Chief
Information Officer (CIO) must approve any changes or deviations from this policy.
Guidance and standards are provided for the following areas:
1. Access Control
2. Physical Security
3. Email Policies
4. Breach Reporting Responsibilities
5. Mobile Policy and BYOD (Bring Your Own Device)
Section 1: Access Control Standards
Permanent or temporary access to the corporate network will be restricted to corporate
employees, temporary employees, or contracted employees. Access to IT systems will
require a unique login, password, biometric data, or token, depending on the IT system's
required access type. The requirements for each are outlined below:
A. Unique login Practices:
1. Unique logins will include the individual's first initial, middle initial, and
last name (e.g., JPSmith).
2. If an individual login duplicates another existing login, a number will be
added to the end of the last name (e.g., JPSmith1).
3. Unique logins will be deactivated after 30 days of no activity or when no
longer needed.
4. Unique logins will be deleted after 45 days of inactivity.
5. Data from unique logins will be maintained for a period of 3 years or in
accordance with state and federal laws.
B. Password Practices:
1. All passwords must be at least 14 characters long.
2. Passwords must contain at least 1 upper case letter (A-Z), 1 lower case
letter (a-z), 1 number (0-9), and 1 non-alphanumeric character (e.g., $, #, %).
3. Passwords will expire every 60 days.
4. All systems will be set to remember at least 10 historical passwords that
cannot be reused.
5. User passwords must not be shared with anyone for any reason.
6. Passwords must be different on each system the user has access to.
C. Biometrics Standards and Practices:
1. Corporate policy is to protect and store biometric data in accordance with all
state and federal laws and standards. This includes, but is not limited to,
state of residence Biometric Information Privacy Acts.
2. An individual’s biometric data will not be collected or obtained by the
corporation without prior written consent of the individual. The corporation
will inform the individual for the reason the biometric data informa