Rule of Behavior Governing CISO Computer & Internet Use
The CISO reaches out to you again and complains about the interns who appear to be violating many security policies. They do not lock their workstations, download illegal music, connect their personal devices to the organization’s computers, spend too much time on social media, and even download pornography to the organization’s computers. The CISO asks you to address these violations by developing a security document (Rules of Behavior) stating at least 15 rules about what activities employees are not allowed to conduct on the network.
See the Department of Justice Rules of Behavior template PDF as a sample. Additionally, write three supplementary paragraphs to discuss what types of training should occur in order to keep these violations from occurring in the future. How can you proactively strive for compliance with these behaviors?
For additional details, please refer to the Module Three Assignment Rubric PDF document.
Rule of Behavior Governing CISO Computer & Internet Use
This acceptable use policy sets out the responsibilities of CISO employees when they use the company network in their daily work. Employees of CISO are permitted and encouraged to use the internet as long as that use supports the organization's mission, vision and objectives. Internet access is provided on the condition that employees comply with current legislation, use the internet in an acceptable manner and, above all, do not expose the company to unnecessary risk through misuse (Soler-Costa et al., 2021). The following rules describe behaviour that is unacceptable on CISO computers and networks:
1. Using company computers or the network to access internet sites that contain obscene, pornographic, hateful or illegal material.
2. Using company computers or the network to carry out any form of piracy (software, film or music) or fraud.
3. Using company computers or the network to send harmful or offensive messages or material to other internet users.
4. Illegally or without authorization accessing restricted sites or systems.
5. Hacking into, or attempting to bypass the access controls of, restricted sites or systems.
6. Using the internet to download commercial software or any other copyrighted material belonging to a third party without that party's express permission.
7. Using company computers or the network to disclose confidential information about CISO on personal social media accounts.
8. Using the internet to disclose any private information, including personal identification, health and financial information, and information relating to CISO customers and employees.
9. Introducing any form of malicious software or code into the company network, including by connecting unapproved personal devices or removable media to company computers.
10. Using company computers to conduct personal business while at work.
11. Undertaking any other deliberate activity that places a strain on the company network, such as gaming or downloading personal files.
12. Publishing defamatory or false material about CISO, its customers, colleagues or any third party on social media pages, blogs, vlogs or any other online publishing format, whether at home, at work or on a company computer.
13. Using company computers or the network to access social media or any other personal, non-work-related internet sites while at work.
14. Using unofficial communication channels to discuss official company matters, or using official communication channels (for example email, landline or company smartphone) to exchange personal information.
15. Using company computers or the network to buy or sell personal goods.
For CISO to prevent information loss, security breaches and other risks from materializing, it must carry out risk, vulnerability and network assessments to evaluate the safety of its network. Employee training is equally important for preventing loss of information, leakage of private data and attacks (Markkula Center for Applied Ethics, 2020). The first significant training on how employees should conduct themselves online in relation to the company is onboarding training. During onboarding, employees are introduced to password security and to best practices for internet use. This training also addresses the department-specific requirements of each role, taking a holistic approach so that employees understand the technical aspects of their jobs and what is expected of them (Elmokadem, 2019). The aim is to give employees a deeper understanding of their duties and responsibilities, and of what they should and should not do in their day-to-day tasks. Training also helps employees recognize phishing and social-engineering attacks.
Soft and hard skills development training. This is used to encourage productivity, open communication, conflict resolution, teamwork, adaptability and, most importantly, ethics both online and offline (Elmokadem, 2019). Here employees are instructed on internet access rules, work-related internet use and web browsing; they are shown which sites are restricted and why, the risks those sites pose, and the rules governing what material may be downloaded. This is a longer programme than orientation, can take up to a year to reinforce, and should be department specific.
Mandatory IT (cyber security) training should be instituted, covering encryption, password security and cyber security guidelines. Cyber security takes a central role in mandatory training in order to raise awareness of the various dangers that internet use can bring to CISO, and employees are trained in the technical skills needed to use the internet safely. The programme will explain how monitoring works, provide encrypted access to company web resources appropriate to the employee's role and department, monitor and sanction prohibited behaviour, and assess the risks to the company network using simulated but realistic attacks.
Elmokadem, P. (2019). 7 Types of Online Employee Training Programs. Uscreen. Retrieved 8 April 2022, from https://www.uscreen.tv/blog/6-types-online-employee-training-programs/.
Markkula Center for Applied Ethics. (2020). What is Internet Ethics? Scu.edu. Retrieved 8 April 2022, from https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/what-is-internet-ethics/#:~:text=Internet%20ethics%20is%20a%20really,people%20we%20want%20to%20be.
Soler-Costa, R., Lafarga-Ostáriz, P., Mauri-Medrano, M., & Moreno-Guerrero, A. (2021). Netiquette: Ethic, Education, and Behavior on Internet—A Systematic Literature Review. International Journal of Environmental Research and Public Health, 18(3), 1212. https://doi.org/10.3390/ijerph18031212