You are in charge of establishing a security policy committee at your place of employment. Who would you have on your security policy development team and why?
Representative, and Author. The Author should be an experienced team member, and the Representative should be a manager who is assigned accountability for the policy. The Author would compose the policy, and the Representative would validate the policy through HR and present it to the organization for peer review. In peer review, anyone in the organization can read and comment on the policy, voicing dissent, before an official version of the policy is published. These dissenting comments should be stored with the policy for future reference, but they need not be made public.
Once you have established the information security policies, you need to implement and enforce them. Explain how you would do this in an effective manner that will result in total compliance by employees.
Information security policies, by their very nature, require constant revision. You can ensure employee compliance, legally, by requiring signatures for each policy revision, and you can ensure employee awareness, allegedly, by requiring workers to participate in a group presentation covering the policy updates. But I believe the most accurate way to ensure employee awareness and compliance, with regard to information security policy, would be a randomized quiz, only mildly more inconvenient than a captcha, that requires the employee to answer one or two randomized questions at the end of the policy acknowledgement. By testing the employees' knowledge of the policy revisions, you can ensure they will read the entire document and, hopefully, uphold its tenets.
The organization that you work for has an email policy that prohibits forwarding chain e-mail. What is the purpose for implementing such a rule within the company’s policy?
Chain emails provide little or no substance in an already cluttered medium for correspondence. Security risks aside, there are too many alternative avenues for what is effectively social media for it to be allowed in a productive environment. As for the security risks, so many worms, viruses, and browser hijackers have been spread by chain email that allowing them to be forwarded throughout the company is tantamount to willful negligence. In fact, I think there should be administrative blocks on chain emails in addition to a company-wide policy prohibiting their use.