
WRITTEN ASSIGNMENT 12.2
CIS 519-T301
PYZ Technology

IT STRATEGY & SECURITY POLICY OVERVIEW


PYZ STRATEGY & POLICY

PRESENTED BY: BEN VAN NESTE


TABLE OF CONTENTS

Executive Summary ...........................................................................................................3

Strategy Planning Necessity ..............................................................................................4

Strategy Selection ...............................................................................................................5

Governance Framework ....................................................................................................6

Strategy Plan:

Vision...................................................................................................................................6

Roles and Responsibilities .................................................................................................6

Process and Procedures .....................................................................................................7

Strategic Plan .....................................................................................................................8

Strategy Formation ............................................................................................................9

Security Convergence Plan ...............................................................................................9

Change Management .........................................................................................................9

Implementation ................................................................................................................10

Scorecard ..........................................................................................................................10

Feedback, Tracking, and Control...................................................................................11


IT Strategy & Policy PYZ Technology

Objectives Identification .............................................................................................................12

Policy Lifecycle .............................................................................................................................14

Policy Framework ........................................................................................................................17

Policy Management:

Acceptable Use .................................................................................................................18

Access Control ..................................................................................................................24

Mobile Device Usage ........................................................................................................26

Change Management .......................................................................................................28

Information Security .......................................................................................................30

Remote Access ..................................................................................................................33

Email/Communication .....................................................................................................35

Data Management ............................................................................................................37

Documentation .................................................................................................................39

Disaster Recovery.............................................................................................................41

IT Policy Implementation............................................................................................................43

Risk & Issue Identification Outlook...........................................................................................46

Potential Issues with Compliance Systems ................................................................................47


Date Updated 1
06/05/22

Policy Compliance Report Card .................................................................................................47

Policy Enforcement ......................................................................................................................53

Appendix .......................................................................................................................................52

References .....................................................................................................................................53


Executive Summary:

The impact that we will make for people around the world through our safe and innovative technology is a privilege, one we must never take for granted. Our success depends upon a commitment to conduct business with honesty, integrity and compliance with the law everywhere we operate. Our IT strategies and policies are a reflection of that commitment and a way for all of us to do the right thing in our jobs and build a reputation as a safe, trustworthy and ethical company. No document can address every situation that we may face in everyday work. We rely upon each of you to use these strategies and policies, together with your best judgment, to guide your behavior, and to ask questions if you are ever unsure of the proper course of action.

Our strategies and policies apply to all PYZ team members and stakeholders, as well as anyone else who acts, or presents themselves as acting, on the company's behalf. We all have a responsibility to:

- Act with integrity and honesty in our work.
- Comply with all applicable laws, standards, policies, and regulations in performing our duties.
- Be familiar with our strategies and policies, follow them at all times, and seek help when we have a question.
- Share concerns about any conduct that violates our strategies or policies.

We are committed to compliance with our strategies and policies. Anyone who violates them is subject to disciplinary action, up to and including termination. Remember, one of the best resources for solving an ethical dilemma is your conscience. If an action you are contemplating feels dishonest, unethical, or illegal, it probably is. If you are a supervisor, you have a greater level of responsibility. We look to you to model ethical behavior and promote a workplace where anyone can come forward with concerns and questions. Our company is committed to open, free and effective channels of communication as well as to being proactive in change management, so promote an "open door" policy, be a good listener, and work to earn the trust of your co-workers. Make sure you are familiar not only with the strategies and policies but also with the specific laws and industry standards that apply to you and your team. Our strategies and policies are integral to our mission to protect all people with safe and innovative technology.

Strategy Planning Necessity:

PYZ has incredible opportunities in store with the upcoming introduction of revolutionary technology, but if we do not build a solid foundation first, the result could be wasted innovation and a lost chance to make a meaningful contribution to the world. Thankfully, we are already off to a good start in recognizing this as we aim to build a strong IT strategic plan. PYZ needs this plan because we are a newly formed company with no previous strategic plans to fall back on. This effort will ensure that PYZ functions not solely as a reactive company but as a proactive one as well.

The time and resources it takes to react to a situation can be far greater than the steps it would take to address it preemptively. A simple virus can leave an individual sick and weak for three days when it could have been prevented with a 20-second hand wash or a daily multivitamin. Now consider what a simple piece of malware could do to a 500-employee organization. The volume of threats is enormous: "globally, there were 304.7 million ransomware attacks in the first half of 2021" (Edwardson, 2021). The simple and minor measures outlined in this plan will protect us from threats and attacks, which in turn will save us tremendous amounts of time and resources.

Strategy Selection:
Figure 1.0

The framework best suited to PYZ is PESTEL analysis. We believe this approach best aligns with our mission to protect all people with safe and innovative technology. To do this we need to consider every aspect of what matters most to people and use those foundations to shape our devices to the safest and most innovative expectations. It is easy to see PYZ as solely a technology company, but we have the opportunity to exert influence beyond that: on politics, economies, societies, technologies, environments, and legal systems. Each of these areas is important to our success as a company, which is why they have been carefully considered throughout this entire strategy and policy overview. You will see a variety of ways in which these areas are applied across our strategy and policy techniques. For us to change the world in the way we desire, we need to first consider everything about the world we are in at this very moment.

Governance Framework:
Each member of our organization will be represented and included in the strategic

planning to ensure a collective and all-encompassing process flow. Figure 1.1 is a layout of how

each department will be involved.

Figure 1.1

Strategy Plan:
Vision:

The vision for this strategic plan is to protect all people with safe and innovative

technology. This spans across all internal and external segments of our business from the users

of our products to each team member that works to protect our communities. We want to

consistently stand together as trustworthy, inclusive, innovative, unified, and protective. This

vision is for everyone.

Roles and Responsibilities:

As outlined in our governance framework, Figure 1.1 also sets out each department's roles and responsibilities. More specific designations will apply within the departments and to their leaders, but this figure covers the most important overarching topics.

Figure 1.1

Process and Procedures:

A clear direction will help us get exactly to where we want to be. Figure 1.2 illustrates the order of this process. To ensure the best results, a consultant and a specialized strategic coach will be involved to maintain this process and assist each department in its duties. We will also hold intermittent reviews by our five founders to further improve our objectives.

Figure 1.2: Vision Review -> Plan Development -> Plan Refinement -> Reviews & Maximization -> Plan Implementation

Strategic Plan:

The strategic planning that will be followed is the PESTEL framework. This involves analyzing each landscape in turn: political, economic, social, technological, environmental, and legal. This framework fits our strategic vision and objectives as well as the nature of our business and technological advancements. It is crucial for PYZ to consider the entire environment we plan to launch into.

Figure 1.3

Strategy Formation:

One of PYZ's greatest strengths is our initiative to solve tomorrow's challenges. With the proper goals and objectives, we can get there. Our main objective is to mitigate as many as possible of the threats and weaknesses that could be exposed in our work. This will be measured by first identifying the number of threats and weaknesses and then using our PESTEL framework to plan for each area that needs attention. Our main goal is to maintain a consistent and impactful relationship with each department beyond the initial planning phases. This goal will be achieved through our quarterly reviews and the continued use of our scorecards.

Security Convergence Plan:

Leaders in the IT department, including myself (CIO), will work directly with the president and each department in the primary areas of risk management and security. IT security has major impacts on every aspect of our business, which will be communicated and detailed further as we move through the planning process. A summary of security convergence effectiveness will be presented in each of our company quarterly reviews. Specific metrics in our scorecards will help to continually review these impacts with each department and to review the areas of success as well as the areas for improvement in IT security across the company.

Change Management:

Each department and team will be given its respective programs. Not all aspects of our strategies and policies need to be communicated to every PYZ employee. Each leader will be responsible for distributing and updating their team on the specific methods that apply to them. It will be the duty of each leader to inform their designated IT teams of any changes they feel are needed in their programs. All PYZ employees should have their own copy of the entire IT strategy and policy overview. Every team is expected to have a 10-minute slot available in our PYZ daily team meetings. This slot does not always have to be used, but it is in place for when changes and updates do need to be communicated.

Implementation:

After all of our thorough pre-planning efforts, it is of great importance for each

individual involved in this strategy to do their part and to stick with it. Our process is well-

defined, we have support coming internally and externally, there is the inclusion of all

departments and the PESTEL framework drives our vision and objectives forward. All of these

factors result in a well-functioning implementation plan. This plan will entail the daily tasks and

activities needed to take place so that we cover each priority in our strategy.

Scorecard:

The scorecard will be an extremely useful tool in our arsenal to improve our strategic planning over time. It will be our primary measurement of how our strategy is affecting each aspect of our business, categorized into growth, business operations, customer, and financial. While some departments will use metrics from all of these categories, others may focus on a few; regardless, each department will be able to clearly analyze and track which areas of the strategy are impacting its own specific operations.

Below is an example of what this scorecard will entail. Each department and team will have a different layout that best applies to its specific needs. What is most important is a clear outline of objectives with a list of the roles that these objectives apply to. The KPIs and targets will be our primary measurement to understand and visualize how we are progressing. Speak with your leader for a deeper understanding of the specific scorecard that applies to you.

Figure 1.4

Feedback, Tracking, and Control:

This strategic plan will do much to carry PYZ to the vision we want to achieve, but only with proper feedback, tracking, and controls can we continually improve. Rather than a one-time repair that fixes issues within a set period, our strategy needs to be more of a lifestyle, as it will keep improving upon itself as we navigate new circumstances and learn from the past. Our scorecard will be a major factor in this process, as will the use of predictive modeling, where we analyze the components of what we have done to model what may occur in the future. Our use of data and information will be what drives us further.

Objectives Identification:

The table below maps each attack type to its security tactic, the supporting controls (Description), the planned response, and the governing principle.

Attack Type: Malware Infection, Viruses
Security Tactic: Superior Security Engineering
Description: Secure Access Controls; Protected IT Security Infrastructure; Anti-Virus Software
Response: Use monitoring logs to identify unknown activity and pursue the attack
Principle: Observation Principle

Attack Type: User Impersonation, Phishing
Security Tactic: Superior Identity Management
Description: Multi-Factor Authentication; Accountability Practices; Data & Information Privacy Rights
Response: Use advanced threat detection software to fix or update affected accounts
Principle: Least Privilege Principle

Attack Type: System Flaws, DoS
Security Tactic: Full-Coverage Defense
Description: Secure Data and Information Management; Secure Servers and Networks; Office/Manufacturing Security
Response: Network tracing to quickly find the source of the attack and remove the intrusion
Principle: Preparedness Principle

Attack Type: Process Flaws
Security Tactic: Superior Operations
Description: Secure Access Controls; System Monitoring; Updates & Audits; IT Security Training
Response: Require security clearances and authentication to restrict use of high-clearance administrative privileges
Principle: Least Privilege Principle

The number of malware attacks that can occur is extremely high, so the observation principle will help to deter many attackers if they can clearly see that they are being watched and that any malicious activity is tracked. This also applies heavily to employees, as they can often be the source of attacks, so it is important that they are aware that their every action is traceable.

The preparedness principle should be applied to system flaws, as DoS attacks are inevitable; if effective tactics are in place to combat these attacks, their damage can be much reduced.

The least privilege principle applies well to defense against process flaws because limitations must be applied to each employee, since the company deals with highly sensitive data and technology. This principle also fits well with the company's priority of monitoring and controlling employee access over full freedom for creativity.

The least privilege principle also fits best with user impersonation because it limits the severity of an attack carried out against the more common "viewer" only employee. This also minimizes the cost and effort needed to train and protect employees, by focusing on specific groups rather than providing the same levels of training and security protocols for every employee.

IT Policy Lifecycle
Figure 1.5

This IT Policy Lifecycle is a great fit for PYZ for three main reasons: its constant feedback throughout the entire cycle, its assessment of risk and policy before any other step is attempted, and its simple core composed of four components: assess, plan, deliver, and operate.

Very often it is not until the following step of the Policy Lifecycle that there is a fuller understanding of what is needed to encompass every need of each step. In other words, "Feedback is also necessary to ensure that the requirements of previous steps are being satisfied" (Rees & Bandyopadhyay, 2000).

The assessment phase of the lifecycle is crucial because it creates the basis for each step thereafter. It coincides with the policy framework as the initial principal component that must be set to guide the policies and then the procedures, guidelines, and definitions. Along with the planning stage, it also begins the informal discussions that transition into the formal implementation, similar to Kotter's Eight Step Change Model.

The last major advantage of this lifecycle is its four primary components along with their focused subcategories. Since this is a cycle it will need to be repeated, and if it were a 26-step process it would drive down efficiency and could not keep up with the changes needed in policy. Especially in the tech industry, an organization's lifecycle needs to be able to produce output quickly because of the constant rapid changes in technology, industry standards, and compliance requirements.

This lifecycle begins with policy assessment, which of course is the primary purpose of the entire lifecycle. It is also the best focus right after the cycle has been completed, going straight back into assessing how the current policies have performed and what improvements, deletions, or new creations need to be considered. Next is the risk assessment, which goes hand in hand with policy assessment, as it sets the basis for every factor that needs to be taken into account for each step of documentation. This assessment also aligns with our governance framework, as risk management and security are a top priority for every department.

After our assessment, we move into the planning stage, where we begin with policy development now that we have solid building blocks to direct those policies. The requirements definition is where we outline the procedures, guidelines, and definitions so that each policy has a full scope of how it is approached.

Once we finish our assessment and planning we are ready to deliver our documentation. Controls definition must be done before implementation because this will guide how each policy is regulated and monitored. Not every policy will need to apply to every area of the company, nor even to everyone in a specific department. The proper definition of controls will help to apply the necessary tasks to every individual without wasting time and resources. This will make implementation a much simpler step of rolling out whatever policy changes or updates to exactly where they need to be implemented.

We finish our cycle with the operation stage. Ideally, our lifecycle could maintain itself without this stage, but realistically our entire process needs to be continually monitored, reviewed, managed, and communicated so that we can continue to improve. Depending on the policy, it may be more appropriate to use passive monitoring or, in other cases, active monitoring. Since we have already established that we find it important to monitor and control employee access, this will be an important piece of our lifecycle to ensure that our policies are being carefully considered and implemented.


IT Policy Framework
Figure 1.6 (pyramid; the CIO is involved at every level)

Standards: All Departments
Principles: All Departments
Policies: All Departments
Procedures: Operations, Production, PMO, HR, Finance
Guidelines: Operations, Production, PMO
Definitions: Operations, Production

A great IT policy lifecycle can only be truly efficient when combined with a properly structured policy framework. The focus of this framework was to build it in alignment with our governance framework. This is shown on the right-hand side of the pyramid, with each area of the company considered throughout the framework. When comparing this framework to our governance framework there are clear correlations in how each team will be involved in the overall IT strategy of PYZ. Standards are set by external forces such as the industry or government, and we have little or no influence on them. Since principles and policies are what will drive the entire framework, it is crucial that all departments have their part to play in their development and implementation. However, the visual does not show that not every department will need to determine every policy we consider. Instead, each department will have some influence on the policies that pertain to it, but it is possible, for example, that only the CIO, or only the CIO and the head of HR, will need to focus on specific policies. The CIO will be involved in every consideration since this framework applies specifically to IT policy.

The left-hand side covers our documentation, starting with standards, since PYZ has little to no influence on the direction of that area yet we must follow them regardless of our organization's desires. Our second level is principles, since these give direction to policies, procedures, guidelines, and definitions. The third is policies, so that each succeeding area of documentation can fit the mold of our policies and build them out to encompass all domains. Procedures are fourth, since we need direct communication of what steps are required to follow our policies. Our fifth level is guidelines, since these are not the most important aspects to strictly follow, as opposed to standards, but they should still be noted. Lastly, definitions are at the bottom because this is the last area where we should consider every possible detail that is needed for proper interpretation.

Policy Management:

Acceptable Use:
1) Overview
While all of us at PYZ want to continue to reach new heights with our creativity and innovation
we also want to be completely mindful and trustworthy when it comes to the work that we do
for each other, our shareholders, and especially with our clients. The data that we will gain
access to will have tremendous opportunities but since it will have such a high value, we need
to ensure the best safety standards around it.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment,
software, operating systems, storage media, network accounts providing electronic mail, WWW
browsing, and FTP, are the property of PYZ. These systems are to be used for business
purposes in serving the interests of the company, and of our clients and customers in the course
of normal operations.


Effective security is a team effort involving the participation and support of every PYZ
employee and affiliate who deals with information and/or information systems. It is the
responsibility of every employee to know these guidelines, and to conduct their activities
accordingly.

2) Purpose
The purpose of this policy is to outline the acceptable use of IT equipment at PYZ. These rules
are in place to protect the employees and PYZ. Inappropriate use exposes PYZ to risks
including a variety of cyber-attacks, compromise of network systems and services, and legal
issues.

3) Scope
This policy applies to the use of information, IT devices, and network resources to conduct any PYZ business or to interact with internal networks and business systems, whether owned or leased by PYZ, the employee, or a third party. It applies to anyone doing business with PYZ, including employees, contractors, consultants, temporary and other workers at PYZ and its subsidiaries, and all personnel affiliated with third parties, and to all equipment that is owned or leased by PYZ. All of these individuals are responsible for exercising good judgment regarding appropriate use of information, IT devices, and network resources in accordance with all of PYZ's policies, standards, local laws, and regulations. Exceptions to this policy are documented in section 5.2.

4) Policy
4.1 General Use and Ownership

4.1.1 PYZ proprietary information stored on electronic and computing devices whether owned
or leased by PYZ, the employee or a third party, remains the sole property of PYZ. You
must ensure through legal or technical means that proprietary information is protected in
accordance with the Data Protection Standard.
4.1.2 You have a responsibility to promptly report the theft, loss or unauthorized disclosure of
PYZ proprietary information.
4.1.3 You may access, use or share PYZ proprietary information only to the extent it is
authorized and necessary to fulfill your assigned job duties.
4.1.4 Employees are responsible for exercising their best judgment regarding the
reasonableness of personal use. Individual departments are responsible for creating
guidelines concerning personal use of network systems. In the absence of such
guidelines, or if there is any uncertainty, employees should consult their supervisor
or manager.


4.1.5 For security and network maintenance purposes, authorized individuals within PYZ will
monitor equipment, systems and network traffic at any time.
4.1.6 PYZ reserves the right to audit networks and systems at any time to ensure compliance
with this policy.

4.2 Security and Proprietary Information


4.2.1 All mobile and computing devices that connect to the internal network on premises or
remotely must comply with the Minimum Access Policy.
4.2.2 System level and user level passwords must comply with the Password Policy. Providing
access to another individual, either deliberately or through failure to secure its access, is
prohibited.
4.2.3 All computing devices must be secured with a password-protected screensaver with the
automatic activation feature set to 10 minutes or less. You must lock the screen or log off
when the device is unattended.
4.2.4 All passwords must be changed at least every 4 months; a password older than 4
months will be invalidated.
4.2.5 Every account must also have two-factor authentication (2FA) enabled, using a
trusted and reliable second device.
4.2.6 Postings by employees from a PYZ email address to newsgroups should contain a
disclaimer stating that the opinions expressed are strictly their own and not necessarily
those of PYZ, unless posting is in the course of business duties.
4.2.7 Employees must use extreme caution and follow all protocol when opening e-mail
attachments received from unknown senders, which may contain malware.
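The device and account requirements in 4.2.3 through 4.2.5 can be checked mechanically rather than by self-attestation. The Python script below is an added example and is not part of the PYZ policy text or any PYZ tooling: it runs the three checks (screen lock timeout, password age, second factor) over a small set of constructed account records and returns the findings per user, which is the kind of input a compliance report card needs. The user names, dates, the audit date and the reading of "4 months" as 120 days are assumptions made for the example.

```python
"""Audit account records against Acceptable Use 4.2.3-4.2.5.

Added example: the records below are constructed, and the thresholds are
this script's reading of the policy text, not values from PYZ systems.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# 4.2.3: the screen lock must activate within 10 minutes (600 s).
MAX_LOCK_TIMEOUT_SECONDS = 10 * 60
# 4.2.4: "every 4 months" is taken here as 120 days (assumption).
MAX_PASSWORD_AGE_DAYS = 120


@dataclass(frozen=True)
class Account:
    user: str
    password_set: date      # date the current password was set
    mfa_enabled: bool       # 4.2.5: a second factor is enrolled
    lock_timeout_s: int     # 0 means the screen lock is disabled


def audit_account(acct: Account, today: date) -> list[str]:
    """Return the policy findings for one account (an empty list means compliant)."""
    findings: list[str] = []

    # 4.2.3: a timeout of 0 means "never locks", which is also a violation.
    if acct.lock_timeout_s <= 0 or acct.lock_timeout_s > MAX_LOCK_TIMEOUT_SECONDS:
        findings.append(
            f"4.2.3 screen lock timeout {acct.lock_timeout_s}s is not within "
            f"1-{MAX_LOCK_TIMEOUT_SECONDS}s"
        )

    # 4.2.4: reject stale passwords. A set date in the future points to a bad
    # clock or a tampered record, so it is flagged rather than silently passed.
    age_days = (today - acct.password_set).days
    if age_days < 0:
        findings.append(f"4.2.4 password set date {acct.password_set} is in the future")
    elif age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"4.2.4 password is {age_days} days old (limit {MAX_PASSWORD_AGE_DAYS})"
        )

    # 4.2.5: every account needs a second factor.
    if not acct.mfa_enabled:
        findings.append("4.2.5 two-factor authentication is not enabled")

    return findings


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each user to their findings so the result can feed a report card."""
    return {a.user: audit_account(a, today) for a in accounts}


# Constructed sample records (not real PYZ data), audited as of the policy date.
AUDIT_DATE = date(2022, 6, 5)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2022, 3, 1), True, 600),   # compliant
    Account("bob", date(2022, 1, 1), False, 900),    # stale password, no 2FA, slow lock
    Account("carol", date(2022, 5, 1), True, 0),     # screen lock disabled
    Account("dave", date(2022, 7, 1), True, 300),    # password date in the future
]


def run_audit() -> dict[str, list[str]]:
    """Audit the constructed sample as of AUDIT_DATE."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(f"{user}: {'OK' if not findings else '; '.join(findings)}")
```

The boundary cases are deliberate: a lock timeout of zero is treated as non-compliant because it means the device never locks, and a password set date later than the audit date is reported rather than counted as a fresh password, since it usually indicates a wrong clock or an edited record. A password exactly 120 days old still passes; the limit is inclusive.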

4.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these
restrictions during the course of their legitimate job responsibilities (e.g., systems
administration staff may have a need to disable the network access of a host if that host is
disrupting production services).
Under no circumstances is an employee of PYZ authorized to engage in any activity that is
illegal under local, state, federal or international law while utilizing PYZ-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities
which fall into the category of unacceptable use.

4.3.1 System and Network Activities

The following activities are strictly prohibited, with no exceptions:


1. Violations of the rights of any person or company protected by copyright, trade secret,
patent or other intellectual property, or similar laws or regulations, including, but not
limited to, the installation or distribution of "pirated" or other software products that are
not appropriately licensed for use by PYZ.


2. Unauthorized copying of copyrighted material including, but not limited to, digitization
and distribution of photographs from magazines, books or other copyrighted sources,
copyrighted music, and the installation of any copyrighted software for which PYZ or the
end user does not have an active license is strictly prohibited.
3. Accessing data, a server or an account for any purpose other than conducting PYZ
business, even if you have authorized access, is prohibited.
4. Exporting software, technical information, encryption software or technology, in
violation of international or regional export control laws, is illegal. The appropriate
management should be consulted prior to export of any material that is in question.
5. Introduction of malicious programs into the network or server (e.g., viruses, worms,
Trojan horses, e-mail bombs, etc.).
6. Revealing your account password to others or allowing use of your account by others.
This includes family and other household members when work is being done at home.
7. Using a PYZ computing asset to actively engage in procuring or transmitting material
that is in violation of sexual harassment or hostile workplace laws in the user's local
jurisdiction.
8. Making fraudulent offers of products, items, or services originating from any PYZ
account.
9. Making statements about warranty, expressly or implied, unless it is a part of normal job
duties.
10. Effecting security breaches or disruptions of network communication. Security breaches
include, but are not limited to, accessing data of which the employee is not an intended
recipient or logging into a server or account that the employee is not expressly authorized
to access, unless these duties are within the scope of regular duties. For purposes of this
section, "disruption" includes, but is not limited to, network sniffing, ping floods,
packet spoofing, denial of service, and forged routing information for malicious purposes.
11. Port scanning or security scanning is expressly prohibited unless prior notification to
Infosec is made.
12. Executing any form of network monitoring which will intercept data not intended for the
employee's host, unless this activity is a part of the employee's normal job/duty.
13. Circumventing user authentication or security of any host, network or account.
14. Introducing honeypots, honeynets, or similar technology on the PYZ network.
15. Interfering with or denying service to any user other than the employee's host (for
example, denial of service attack).


16. Using any program/script/command, or sending messages of any kind, with the intent to
interfere with, or disable, a user's terminal session, via any means, locally or via the
Internet/Intranet/Extranet.
17. Providing information about, or lists of, PYZ employees to parties outside PYZ.

4.3.2 Email and Communication Activities


When using company resources to access and use the Internet, users must realize they represent
the company. Whenever employees state an affiliation to the company, they must also clearly
indicate that "the opinions expressed are my own and not necessarily those of the company".
Questions may be addressed to the IT Department. The following email and communication
activities are prohibited:
1. Sending unsolicited email messages, including the sending of "junk mail" or other
advertising material to individuals who did not specifically request such material (email
spam).
2. Any form of harassment via email, telephone or paging, whether through language,
frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account,
with the intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within PYZ's networks or other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service
hosted by PYZ or connected via PYZ's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet
newsgroups (newsgroup spam).

4.3.3 Blogging, Podcasting, and Social Media


1. Blogging by employees, whether using PYZ’s property and systems or personal computer
systems, is also subject to the terms and restrictions set forth in this Policy. Limited and
occasional use of PYZ’s systems to engage in blogging or podcasting is acceptable,
provided that it is done in a professional and responsible manner, does not otherwise
violate PYZ’s policy, is not detrimental to PYZ’s best interests, and does not interfere
with an employee's regular work duties. Blogging, podcasting, and social media use from
PYZ’s systems will be completely monitored. Social media use is acceptable only when it is
for business purposes.

2. PYZ’s Confidential Information policy also applies to blogging, podcasting, and social
media. As such, Employees are prohibited from revealing any PYZ confidential or
proprietary information, trade secrets or any other material covered by PYZ’s
Confidential Information policy when engaged in either activity.

3. Employees shall not engage in activities that may harm or tarnish the image,
reputation and/or goodwill of PYZ and/or any of its employees. Employees are also
prohibited from making any discriminatory, disparaging, defamatory or harassing
comments when blogging or otherwise engaging in any conduct prohibited by PYZ’s
Non-Discrimination and Anti-Harassment policy.

4. Employees may also not attribute personal statements, opinions or beliefs to PYZ when
engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in
blogs, the employee may not, expressly or implicitly, represent themselves as an
employee or representative of PYZ. Employees assume any and all risk associated with
blogging.

5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or
export controlled materials, PYZ’s trademarks, logos and any other PYZ intellectual
property may also not be used in connection with any blogging activity.

5) Policy Compliance

5.1 Compliance Measurement


PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.
5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.
5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms, including any unlisted terms, can be found at
https://csrc.nist.gov/glossary?index=P
Blogging - Refers to a weblog, a web page that contains journal-like entries and links that are
updated daily for public viewing.
Honeypot - A system (e.g., a web server) or system resource (e.g., a file on a server) that is
designed to be attractive to potential crackers and intruders, like honey is attractive to bears.
Honeynet – A fake network used to attract attackers and keep them away from the true network.

Podcasting – Making digital recordings of radio programs that people can download from
the internet.
Proprietary Information - Material and information relating to or associated with a company's
products, business, or activities, including but not limited to financial information; data or
statements; trade secrets; product research and development; existing and future product designs
and performance specifications; marketing plans or techniques; schematics; client lists;
computer programs; processes; and know-how that has been clearly identified and properly
marked by the company as proprietary information, trade secrets, or company confidential
information. The information must have been developed by the company and not be available to
the Government or to the public without restriction from another source.
Spam - Electronic junk mail or the abuse of electronic messaging systems to indiscriminately
send unsolicited bulk messages.

Access Control:
1) Overview
Access controls define who is allowed access to PYZ facilities that house information systems,
to the information systems within those facilities, and/or the display mechanisms associated
with those information systems. Without access controls, the potential exists that
information systems could be illegitimately physically accessed and the security of the
information they house could be compromised.

2) Purpose
This policy applies to all facilities of PYZ, within which information systems or information
system components are housed. Specifically, it includes:
• Data centers or other facilities for which the primary purpose is the housing of IT
infrastructure
• Data rooms or other facilities, within shared purpose facilities, for which one of the
primary purposes is the housing of IT infrastructure
• Switch and wiring closets or other facilities, for which the primary purpose is not the
housing of IT infrastructure

3) Scope
This policy applies to the use of information, IT devices, and network resources to conduct any
PYZ business or interact with internal networks and business systems, whether owned or leased
by PYZ, the employee, or a third party. All employees, contractors, consultants, temporary, and
other workers at PYZ and its subsidiaries are responsible for exercising good judgment
regarding appropriate use of information, IT devices, and network resources in accordance with
all of PYZ’s policies, standards, local laws, and regulations. Exceptions to this policy are
documented in section 5.2.
This policy applies to anyone doing any business with PYZ which includes employees,
contractors, consultants, temporaries, and all personnel affiliated with third parties. This policy
applies to all equipment that is owned or leased by PYZ.

4) Policy

4.1 Authorized Personnel


Access to facilities, information systems, and information system display mechanisms
will be limited to authorized personnel only. Authorization will be demonstrated with
authorization credentials (badges, identity cards, etc.) that have been issued by PYZ.
4.2 Access Points
Access to facilities will be controlled at defined access points with the use of card
readers and locked doors. Before physical access to facilities, information systems, or
information system display mechanisms is allowed, authorized personnel are required to
authenticate themselves at these access points. The delivery and removal of information
systems will also be controlled at these access points. No equipment will be allowed to
enter or leave the facility, without prior authorization, and all deliveries and removals
will be logged.
4.3 Personnel Lists
A list of authorized personnel will be established and maintained so that newly
authorized personnel are immediately appended to the list and those personnel who have
lost authorization are immediately removed from the list. This list shall be reviewed and,
where necessary, updated on at least an annual basis.
4.4 Visitors
If visitors need access to the facilities that house information systems or to the
information systems themselves, those visitors must have prior authorization, must be
positively identified, and must have their authorization verified before physical access is
granted. Once access has been granted, visitors must be escorted, and their activities
monitored at all times.

5) Policy Compliance

5.1 Compliance Measurement


PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions

Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms, including any unlisted terms, can be found at
https://csrc.nist.gov/glossary?index=P
Information Systems - Any combination of information technology and individuals’ activities
using that technology to support operations management.
Display Mechanisms - A monitor on which to view output from an information system.

Mobile Device Usage:


1) Overview
Mobile devices such as smartphones and tablets offer great flexibility and improved productivity
for employees. However, they can also create added risk and potential targets for data loss. As
such, their use must be in alignment with appropriate standards, and encryption technology
should be used when possible.

2) Purpose
This document describes the requirements for encrypting data on PYZ mobile devices.

3) Scope
This policy applies to any mobile device issued by PYZ or used for PYZ business which
contains stored data owned by PYZ.

4) Policy
All mobile devices containing stored data owned by PYZ must use an approved method of
encryption to protect data at rest. Mobile devices are defined to include, but are not limited to,
laptops and cell phones.


Users are expressly forbidden from storing PYZ data on devices that are not issued by PYZ, such
as storing PYZ email on a personal cell phone or laptop.

4.1 Laptops
Laptops must employ full disk encryption with an approved software encryption package. No
PYZ data may exist on a laptop in plaintext.

4.2 PDAs and Cell phones


Any PYZ data stored on a cell phone or laptop must be saved to an encrypted file system using
PYZ-approved software. PYZ shall also employ remote wipe technology to remotely disable
and delete any data stored on a PYZ laptop or cell phone which is reported lost or stolen.

4.3 Keys
All encryption keys and pass-phrases must meet complexity requirements described in PYZ’s
Password Protection Policy.

4.4 Loss and Theft


The loss or theft of any mobile device containing PYZ data must be reported immediately.

5) Policy Compliance

5.1 Compliance Measurement


PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms, including any unlisted terms, can be found at
https://csrc.nist.gov/glossary?index=P
Plaintext – Intelligible data that has meaning and can be read or acted upon without the
application of decryption. Also known as cleartext.


Full Disk Encryption – Protects information by converting it into unreadable code that cannot be
deciphered easily by unauthorized people.
Remote Wipe – Remotely erases the data on a mobile device if the device is lost or stolen.

Change Management:
1) Overview
Change Management refers to a formal process for making changes to IT systems. The goal of
change management is to increase awareness and understanding of proposed changes across an
organization and ensure that all changes are made in a thoughtful way that minimizes negative
impact to services and customers. PYZ’s change management cycle will generally include the
following steps:
Figure 1.7

2) Purpose
This document helps any PYZ team or employee to initiate and follow a well-structured and
well-designed change management process.

3) Scope
This divisional policy applies to all changes to architectures, tools and IT Services provided by
PYZ. Modifications made to non-production systems (such as testing environments with no
impact on production IT Services) are outside the scope of this policy.

4) Policy
4.1 Minimum Standards


4.1.1 All Changes must follow a process of planning, evaluation, review, approval, and
documentation.
4.1.2 Unit Directors serve as default Change Authorities (CA) for changes within their units
and have the authority to determine change type and risk level. If in doubt, a higher level of risk
should be assumed and additional review and approval should be sought.
4.1.3 All Standard Changes must have documented procedures in place that have been
approved by the Unit Director or delegate.
4.1.4 All Normal Low Changes must be approved by the Unit Director or delegate.
4.1.5 All Normal Medium Changes must be approved by the Change Advisory Board (CAB).
4.1.6 All Normal High Changes must be approved by the IS Executive Team.
4.1.7 All Emergency Changes must be authorized by a manager and submitted for review by
the CAB in retrospect to ensure that effective oversight was maintained and proper
communication occurred. NOTE: If services are down, the issue should be handled as an
Incident according to the Incident Response Policy.
4.1.8 Documentation of Normal Medium, Normal High, and Emergency Changes must be
made in a Process log that is stored in a common location so that coordination of changes
across the organization can be managed appropriately. Low risk Normal and Standard Changes
must be logged in a manner that can be audited for process improvement and root cause
diagnosis as part of Problem Management.
4.1.9 All changes are elevated one Change Type priority level during Critical Operations
Windows.
4.2 Types of Changes
There are three types of changes:
4.2.1 Standard Change – A repeatable change that has been pre-authorized by the Change
Authority by means of a documented procedure that controls risk and has predictable outcomes.
4.2.2 Normal Change – A change that is not an Emergency change or a Standard change.
Normal changes follow the defined steps of the change management process. Low, Medium, or
High priority is determined by Unit Directors or delegate.
a. Normal Low Changes must be reviewed and approved by the Unit Director or delegate as
Change Authority.
b. Normal Medium Changes must be reviewed and approved by the Change Advisory Board
as Change Authority.
c. Normal High changes must be approved by the IT Executive Team as Change Authority.
4.2.3 Emergency Change – A change that must be introduced as soon as possible due to likely
negative service impacts. There may be fewer people involved in the change management
process review, and the change assessment may involve fewer steps due to the urgent nature of
the issue; however, any Emergency Change must still be authorized by a manager and reviewed
by the Change Advisory Board retroactively.


5) Policy Compliance

5.1 Compliance Measurement


PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms, including any unlisted terms, can be found at
https://csrc.nist.gov/glossary?index=P
Change Advisory Board – A group of people that support the assessment, prioritization,
authorization, and scheduling of changes.
Change Log – Auditable log of who, what, why, and when for all changes.
Process Log – A central repository of changes that documents the process followed for a
particular change.

Information Security:
1) Overview
Unsecured and vulnerable information continues to be a major entry point for malicious threat
actors. Consistent information protection policies, ownership and configuration management all
serve to thwart these threats as effectively as possible.

2) Purpose
The purpose of this policy is to establish standards for the base configuration of information
systems that are owned and/or operated by PYZ. Effective implementation of this policy will
minimize unauthorized access to PYZ proprietary information and technology.


3) Scope
All employees, contractors, consultants, temporary and other workers at PYZ and its
subsidiaries must adhere to this policy. This policy applies to information systems that are
owned, operated, or leased by PYZ.

4) Policy
4.1 General Requirements
4.1.1 All internal servers deployed at PYZ must be owned by an operational group that is
responsible for system administration. Approved server configuration guides must be
established and maintained by each operational group, based on business needs and
approved by PYZ. Operational groups should monitor configuration compliance and
implement an exception policy tailored to their environment. Each operational group
must establish a process for changing the configuration guides, which includes review
and approval by PYZ. The following items must be met:
• Servers must be registered within the corporate enterprise management system. At a
minimum, the following information is required to positively identify the point of
contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable
• Information in the corporate enterprise management system must be kept up-to-date.
• Configuration changes for production servers must follow the appropriate change
management procedures.
4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor
and audit equipment, systems, processes, and network traffic per the Audit Policy.

4.2 Configuration Requirements


4.2.1 Operating System configuration should be in accordance with approved PYZ guidelines.
4.2.2 Services and applications that will not be used must be disabled where practical.
4.2.3 Access to services should be logged and/or protected through access-control methods
such as a web application firewall, if possible.
4.2.4 The most recent security patches must be installed on the system as soon as practical, the
only exception being when immediate application would interfere with business
requirements.
4.2.5 Trust relationships between systems are a security risk, and their use should be avoided.
Do not use a trust relationship when some other method of communication is sufficient.
4.2.6 Always use standard security principles of least required access to perform a function.
Do not use root when a non-privileged account will do.


4.2.7 If a methodology for secure channel connection is available (i.e., technically feasible),
privileged access must be performed over secure channels (e.g., encrypted network
connections using SSH or IPSec).
4.2.8 Servers should be physically located in an access-controlled environment.
4.2.9 Servers are specifically prohibited from operating from uncontrolled cubicle areas.

4.3 Monitoring
4.3.1 All security-related events on critical or sensitive systems must be logged and audit trails
saved as follows:
• All security related logs will be kept online for a minimum of 1 week.
• Daily incremental tape backups will be retained for at least 1 month.
• Weekly full tape backups of logs will be retained for at least 1 month.
• Monthly full backups will be retained for a minimum of 2 years.
4.3.2 Security-related events will be reviewed in the logs and, if necessary, reported as
incidents to IT management. Corrective measures will be prescribed as needed. Security-
related events include, but are not limited to:
• Port-scan attacks
• Evidence of unauthorized access to privileged accounts
• Anomalous occurrences that are not related to specific applications on the host.
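As an added example (not part of the PYZ policy or this document), the following script reviews constructed firewall and host-login log lines for the first two event classes listed in 4.3.2: a port scan against a server and a successful privileged login from an unapproved source. The log layout, the privileged account names, the approved administrative source address and the detection thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not real PYZ data.
# "fw" lines model a firewall log, "auth" lines a host login log.
SAMPLE_LOGS = """\
2022-06-05T10:00:01 fw DROP src=203.0.113.7 dst=10.1.1.5 dport=21
2022-06-05T10:00:01 fw DROP src=203.0.113.7 dst=10.1.1.5 dport=22
2022-06-05T10:00:02 fw DROP src=203.0.113.7 dst=10.1.1.5 dport=23
2022-06-05T10:00:02 fw DROP src=203.0.113.7 dst=10.1.1.5 dport=25
2022-06-05T10:00:03 fw DROP src=203.0.113.7 dst=10.1.1.5 dport=80
2022-06-05T10:00:03 fw DROP src=203.0.113.7 dst=10.1.1.5 dport=443
2022-06-05T10:03:00 fw ACCEPT src=10.1.2.20 dst=10.1.1.5 dport=443
2022-06-05T10:03:30 fw ACCEPT src=10.1.2.20 dst=10.1.1.5 dport=22
2022-06-05T10:04:10 auth FAILED user=root src=198.51.100.9 host=db01
2022-06-05T10:04:12 auth FAILED user=root src=198.51.100.9 host=db01
2022-06-05T10:04:15 auth ACCEPTED user=root src=198.51.100.9 host=db01
2022-06-05T10:05:00 auth ACCEPTED user=root src=10.1.2.20 host=db01
2022-06-05T10:06:00 auth ACCEPTED user=alice src=10.1.2.21 host=web01
"""

FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>\w+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) host=(?P<host>\S+)$")

# Hypothetical tuning values: which accounts count as privileged, and which
# source addresses (e.g. an administrative jump host) are approved to use them.
PRIVILEGED_USERS = {"root", "admin"}
APPROVED_ADMIN_SOURCES = {"10.1.2.20"}


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=5):
    """Flag a source that touches >= min_ports distinct destination ports on one
    host inside a sliding time window. One finding per (src, dst) pair."""
    findings = []
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    flagged = set()
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["dst"])
        ts = datetime.fromisoformat(m["ts"])
        q = recent[key]
        q.append((ts, int(m["dport"])))
        while q and ts - q[0][0] > window:      # drop events outside the window
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= min_ports and key not in flagged:
            flagged.add(key)
            findings.append({"type": "port-scan", "src": key[0], "dst": key[1],
                             "ports": sorted(ports),
                             "window_start": q[0][0].isoformat(),
                             "detected_at": m["ts"]})
    return findings


def detect_privileged_access(lines, approved=APPROVED_ADMIN_SOURCES):
    """Flag successful privileged logins from sources not on the approved list,
    recording how many failed attempts from that source preceded the success."""
    findings = []
    failures = defaultdict(int)   # (user, src, host) -> failures since last success
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] not in PRIVILEGED_USERS:
            continue
        key = (m["user"], m["src"], m["host"])
        if m["result"] == "FAILED":
            failures[key] += 1
        elif m["result"] == "ACCEPTED":
            if m["src"] not in approved:
                findings.append({"type": "unauthorized-privileged-access",
                                 "user": m["user"], "src": m["src"],
                                 "host": m["host"], "at": m["ts"],
                                 "prior_failures": failures[key]})
            failures[key] = 0
    return findings


def review_logs(text):
    """Run both detectors over raw log text; the returned findings are what
    4.3.2 says gets reviewed and, if necessary, reported to IT management."""
    lines = text.splitlines()
    return detect_port_scans(lines) + detect_privileged_access(lines)


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOGS):
        print(finding)
```

The approved root login from the jump host and the ordinary user login produce no finding, which is the behaviour a reviewer wants before escalating to IT management.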

5) Policy Compliance

5.1 Compliance Measurement


PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms, including any unlisted terms, can be found at
https://csrc.nist.gov/glossary?index=P


None Applicable

Remote Access:
1) Overview
Remote access to our corporate network is essential to maintain our team’s productivity, but in
many cases this remote access originates from networks that may already be compromised or are
at a significantly lower security posture than our corporate network. While these remote
networks can at times be beyond our controlled policies, we must mitigate these external risks
to the best of our ability.

2) Purpose
The purpose of this policy is to define rules and requirements for connecting to PYZ's network
from any host. These rules and requirements are designed to minimize the potential exposure to
PYZ from damages which may result from unauthorized use of PYZ resources. Damages include
the loss of sensitive or company confidential data, intellectual property, damage to public image,
damage to critical PYZ internal systems, and fines or other financial liabilities incurred as a
result of those losses.

3) Scope
This policy applies to all PYZ employees, contractors, vendors and agents with a PYZ-owned or
personally-owned computer or workstation used to connect to the PYZ network. This policy
applies to remote access connections used to do work on behalf of PYZ, including reading or
sending email and viewing intranet web resources. This policy covers any and all technical
implementations of remote access used to connect to PYZ networks.

4) Policy
It is the responsibility of PYZ employees, contractors, vendors and agents with remote access
privileges to PYZ's corporate network to ensure that their remote access connection is given the
same consideration as the user's on-site connection to PYZ.

General access to the Internet for recreational use through the PYZ network is strictly limited to
PYZ employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”).
When accessing the PYZ network from a personal computer, Authorized Users are responsible
for preventing access to any PYZ computer resources or data by non-Authorized Users.
Performance of illegal activities through the PYZ network by any user (Authorized or otherwise)
is prohibited. The Authorized User bears responsibility for and consequences of misuse of the
Authorized User’s access. For further information and definitions, see the Acceptable Use
Policy.

Authorized Users will not use PYZ networks to access the Internet for outside business interests.

For additional information regarding PYZ's remote access connection options, including how to
obtain a remote access login, free anti-virus software, troubleshooting, etc., go to the Remote
Access Services website.

4.1 Requirements
4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virtual Private
Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable
Encryption Policy and the Password Policy.
4.1.2 Authorized Users shall protect their login and password, even from family members.
4.1.3 While using a PYZ-owned computer to remotely connect to PYZ's corporate network,
Authorized Users shall ensure the remote host is not connected to any other network at
the same time, with the exception of personal networks that are under their complete
control or under the complete control of an Authorized User or Third Party.
4.1.4 Use of external resources to conduct PYZ business must be approved in advance by
InfoSec and the appropriate business unit manager.
4.1.5 All hosts that are connected to PYZ internal networks via remote access technologies
must use the most up-to-date anti-virus software (place url to corporate software site
here); this includes personal computers. Third party connections must comply with
requirements as stated in the Third Party Agreement.
4.1.6 Personal equipment used to connect to PYZ's networks must meet the requirements of
PYZ-owned equipment for remote access as stated in the Hardware and Software
Configuration Standards for Remote Access to PYZ Networks.

5) Policy Compliance

5.1 Compliance Measurement


PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms, including any unlisted terms, can be found at
https://csrc.nist.gov/glossary?index=P
None Applicable

Email/Communication:
1) Overview
Electronic mail is pervasively used in almost all industry verticals and is often the primary
communication and awareness method within an organization. At the same time, misuse of
email can pose many legal, privacy and security risks, so it is important for users to understand
the appropriate use of electronic communications. Though email is the primary method, other
communication methods must also be used appropriately to mitigate risks in all areas.

2) Purpose
The purpose of this email/communication policy is to ensure the proper use of PYZ email and
communication systems and make users aware of what PYZ deems as acceptable and
unacceptable use of its email system and communications. This policy outlines the minimum
requirements within the PYZ Network.

3) Scope
This policy covers appropriate use of any communications sent from PYZ and applies to all
employees, vendors, and agents operating on behalf of PYZ.

4) Policy
4.1 All use of communications must be consistent with PYZ policies and procedures of
ethical conduct, safety, compliance with applicable laws and proper business practices.
4.2 The PYZ email account should be used primarily for PYZ business-related purposes;
personal communication is permitted on a limited basis, but non-PYZ related commercial uses
are prohibited.
4.3 All PYZ data contained within any communications must be secured according to the
Data Protection Standard.
4.4 Email should be retained only if it qualifies as a PYZ business record. Email is a PYZ
business record if there exists a legitimate and ongoing business reason to preserve the
information contained in the email.
4.5 Email that is identified as a PYZ business record shall be retained according to PYZ
Record Retention Schedule.


4.6 The PYZ communication systems shall not be used for the creation or distribution of
any disruptive or offensive messages, including offensive comments about race, gender, hair
color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political
beliefs, or national origin. Employees who receive any emails with this content from any PYZ
employee should report the matter to their supervisor immediately.
4.7 Users are prohibited from automatically forwarding PYZ communications to a third
party (noted in 4.8 below). Individual messages which are forwarded by the user must not
contain PYZ confidential or above information.
4.8 Users are prohibited from using third-party email systems and storage servers such as
Google, Yahoo, MSN Hotmail, etc. to conduct PYZ business, to create or memorialize any
binding transactions, or to store or retain email on behalf of PYZ. Such communications and
transactions should be conducted through proper channels using PYZ-approved documentation.
4.9 Using a reasonable amount of PYZ resources for personal communications is acceptable,
but non-work-related communications shall be saved in a separate folder from work-related
email. Sending chain letters or joke emails from a PYZ email account is prohibited.
4.10 PYZ employees shall have no expectation of privacy in anything they store, send or
receive with the company’s communication systems.
4.11 PYZ may monitor messages without prior notice. PYZ is not obliged to monitor
communication messages.

5) Policy Compliance
5.1 Compliance Measurement
PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms

All definitions and terms including any other unlisted terms can be found at
https://csrc.nist.gov/glossary?index=P
Not Applicable


Data Management:
1) Overview
PYZ must protect restricted, confidential or sensitive data from loss to avoid reputation damage
and to avoid adversely impacting our clients and customers. The protection of data in scope is a
critical business requirement, yet flexibility to access data and work effectively is also critical. It
is not anticipated that this technology control can effectively deal with the malicious theft
scenario, or that it will reliably detect all data. Its primary objective is user awareness and to
avoid accidental loss scenarios. This policy outlines the requirements for data leakage
prevention, a focus for the policy and a rationale.

2) Purpose
To protect all of our data and prevent any harm to PYZ, our shareholders, our clients, our
customers, and the communities that we serve.

3) Scope
All employees, contractors, consultants, temporary and other workers at PYZ and its
subsidiaries must adhere to this policy. This policy applies to information securities that are
owned, operated, or leased by PYZ.

4) Policy
4.1 You need to complete PYZ’s security awareness training and agree to uphold the
acceptable use policy.
4.2 If you identify an unknown, un-escorted or otherwise unauthorized individual in PYZ,
you need to immediately notify the appropriate employee.
4.3 Visitors to PYZ must be escorted by an authorized employee at all times. If you are
responsible for escorting visitors you must restrict them to appropriate areas.
4.4 You are required not to reference the subject or content of sensitive or confidential data
publicly, or via systems or communication channels not controlled by PYZ. For example, the
use of external e-mail systems not hosted by PYZ to distribute data is not allowed.
4.5 Please keep a clean desk. To maintain information security, you need to ensure that all
printed in-scope data is not left unattended at your workstation.
4.6 You need to use a secure password on all PYZ systems as per the password policy. These
credentials must be unique and must not be used on other external systems or services.


4.7 Terminated employees will be required to return all records, in any format, containing
personal information. This requirement should be part of the employee onboarding process with
employees signing documentation to confirm they will do this.
4.8 You must immediately notify IT in the event that a device containing in-scope data is
lost (e.g. mobiles, laptops, etc.).
4.9 In the event that you find a system or process which you suspect is not compliant with
this policy or the objective of information security you have a duty to inform IT so that they
can take appropriate action.
4.10 If you have been assigned the ability to work remotely you must take extra precaution to
ensure that data is appropriately handled. Seek guidance from IT if you are unsure as to your
responsibilities.
4.11 Please ensure that assets holding data in scope are not left unduly exposed, for example
visible in the back seat of your car.
4.12 Data that must be moved within PYZ is to be transferred only via business-provided
secure transfer mechanisms (e.g. encrypted USB keys, file shares, email, etc.). PYZ will provide
you with systems or devices that fit this purpose. You must not use other mechanisms to handle
in-scope data. If you have a query regarding use of a transfer mechanism, or it does not meet
your business purpose, you must raise this with a supervisor.
4.13 Any information being transferred on a portable device (e.g. USB stick, laptop) must be
encrypted in line with industry best practices and applicable law and regulations. If there is
doubt regarding the requirements, seek guidance from IT.

5) Policy Compliance

5.1 Compliance Measurement

PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms


All definitions and terms including any other unlisted terms can be found at
https://csrc.nist.gov/glossary?index=P
None Applicable

Documentation:
1) Overview
The proper documentation in PYZ provides us constant feedback, a thorough assessment of risk
and policy before attempting any other steps, and a basis for our four components to assess,
plan, deliver, and operate.

2) Purpose
To provide the best framework for our documentation practices so that our entire policy
lifecycle functions at its best.

3) Scope
All employees, contractors, consultants, temporary and other workers at PYZ and its
subsidiaries must adhere to this policy. This policy applies to information securities that are
owned, operated, or leased by PYZ.

4) Policy
All documentation policies can be found in the PYZ IT policy lifecycle and framework
references.
Figure 1.5


Figure 1.6

5) Policy Compliance

5.1 Compliance Measurement

PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms

All definitions and terms including any other unlisted terms can be found at
https://csrc.nist.gov/glossary?index=P
None Applicable

Disaster Recovery:
1) Overview
Since disasters happen so rarely, management often ignores the disaster recovery planning
process. It is important to realize that having a contingency plan in the event of a disaster
gives PYZ a competitive advantage. This policy requires management to financially support
and diligently attend to disaster contingency planning efforts. Disasters are not limited to
adverse weather conditions. Any event that could likely cause an extended delay of service
should be considered.

2) Purpose
This policy defines the requirement for a baseline disaster recovery plan to be developed and
implemented by PYZ that will describe the process to recover IT systems, applications and data
from any type of disaster that causes a major outage.

3) Scope
This policy is directed to the IT staff who are accountable to ensure the plan is developed, tested
and kept up-to-date. This policy is solely to state the requirement to have a disaster recovery
plan; it does not provide requirements around what goes into the plan or sub-plans.

4) Policy
4.1 Contingency Plans
The following contingency plans must be created:
• Computer Emergency Response Plan: Who is to be contacted, when, and how? What
immediate actions must be taken in the event of certain occurrences?
• Succession Plan: Describe the flow of responsibility when normal staff is unavailable
to perform their duties.
• Data Study: Detail the data stored on the systems, its criticality, and its confidentiality.
• Criticality of Service List: List all the services provided and their order of
importance. It also explains the order of recovery in both short-term and long-term timeframes.
• Data Backup and Restoration Plan: Detail which data is backed up, the media to
which it is saved, where that media is stored, and how often the backup is done. It
should also describe how that data could be recovered.


• Equipment Replacement Plan: Describe what equipment is required to begin to
provide services, list the order in which it is necessary, and note where to purchase
the equipment.
• Mass Media Management: Who is in charge of giving information to the mass
media? Also provide some guidelines on what data is appropriate to be provided.
After creating the plans, it is important to practice them to the extent possible. Management
should set aside time to test implementation of the disaster recovery plan. Table top exercises
should be conducted annually. During these tests, issues that may cause the plan to fail can be
discovered and corrected in an environment that has few consequences.

The plan, at a minimum, should be reviewed and updated on an annual basis.

5) Policy Compliance

5.1 Compliance Measurement

PYZ will verify compliance with this policy through various monitoring methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.

5.2 Exceptions
Any exception to the policy must gain approval by the CIO or any affiliated team member in
advance.

5.3 Non-Compliance
Any violation of this policy may prompt disciplinary action, up to and including termination of
employment for those involved.

6) Definitions and Terms

All definitions and terms including any other unlisted terms can be found at
https://csrc.nist.gov/glossary?index=P
None Applicable

IT Policy Implementation
Great policies can only function the way they need to when properly implemented. Therefore, this
area of our strategic planning is vitally important. Before any of this can even begin, there needs
to be a full understanding of the audience and setting, which in this case is our employees and the
organizational structure of PYZ. It is also important to remember that this will not be a one-time
push forward but rather a common recurrence, so that we adhere to our policy lifecycle and the
constant feedback we will gain through our practices.

To best understand our PYZ employees, our team will be collaborating with the Human Resources
Director and a selection of individuals from that department. We will start by looking into what
the primary elements of motivation are for each department so that we may cater our policy
implementations in the avenue that will best suit them. We already know that each of our
departments has varying levels of focus on success, pride, and self-interest, so these are the three
main areas we will use to adjust our plans accordingly. We have been informed that the HR
department already has well-established personality profiles of all our employees, which will be a
fantastic resource to utilize alongside our motivation tactics to truly capture everyone’s attention
and illustrate how our policies benefit each unique individual.

These efforts will only carry some of the essence of what our policy implementation needs to
achieve, and that is where our outstanding team of leaders and executives have the opportunity to
establish these changes. We’re well aware that even with the information and tools we build with
the HR department, it’s ultimately our leaders throughout PYZ who best understand their
designated teams. Our primary focus is to communicate and illustrate the importance of our
policies to the PYZ leaders and executives. It starts with management setting the tone, which then
builds all the support needed for their team members to follow suit.


In our policy lifecycle and framework documents we introduced how we would utilize Kotter’s
Eight-Step Change Model in the implementation phase. The following diagram illustrates exactly
how the model will achieve this.

Figure 1.8


• Step 1, CREATE URGENCY: Use personality and motivation profiles to convey the importance
of IT policies.
• Step 2, CREATE A POWERFUL COALITION: Use control partners within each department to
ensure policy effectiveness.
• Step 3, CREATE A VISION FOR CHANGE: Use understanding of the audience and alignment
with PYZ’s goals and mission.
• Step 4, COMMUNICATE THE VISION: Enable leaders to distribute the communication plan to
their respective teams.
• Step 5, REMOVE OBSTACLES: Ensure awareness of and easy access to IT policy support
teams.
• Step 6, CREATE SHORT-TERM WINS: Distribute IT policy lifecycle monitoring metrics to
encourage measurability.
• Step 7, BUILD ON THE CHANGE: Utilize the constant feedback loop to consistently strengthen
the lifecycle.
• Step 8, ANCHOR CHANGES IN CORPORATE CULTURE: Continually build on the policy
lifecycle to align with PYZ’s goals and mission.


Risk & Issue Identification Outlook

While our IT policy life cycle will continue to build on itself by identifying new risks and issues,
it is imperative that we put in our full efforts to understand all that we can prior to
implementation. These risks and issues mainly fall in line with what we covered at the beginning
of this document. It’s certainly possible that even with our efforts there will be a lack of
awareness, acceptance, and enthusiasm toward policy changes. We cannot be oblivious to this nor
frustrated when it occurs. Instead, we need to refocus our attention on the specific audiences that
are experiencing challenges and adjust our implementation and communication accordingly.

There is also the likely scenario that employees don’t see policy fulfillment as relevant or
important to their specific job duties. This makes it important to communicate policy fulfillment
as part of everyone’s job description, from the highest executive to the new intern. It will also be
beneficial to encourage acknowledgment both when employees excel in policy fulfillment and
when there is a lack thereof.

Our last risk and issue could come from a poor initial relationship of policy to employee or
department performance. This could inherently discourage employees from their results. It will
take time to refine and calibrate the monitoring methods we launch. As we gather more data and
our policy life cycle goes through more phases, we will be able to construct better performance
measurements, which in turn will make it easier for leaders to regulate accountability.

Potential Issues with Compliance Systems

There are several potential issues that can arise in the tracking, monitoring, reporting, automating,
and organizing of compliance systems. Some of these issues could include employee
dissatisfaction or frustration. There are a handful of individuals who might not work well in an
environment with very strict methods in this matter, given the way that PYZ has expressed
complete control. It’s certainly possible that aspects of the system may produce warnings when
not necessary, or vice versa, which is why the policy lifecycle will be important to continually
fine-tune these details. Specifically with the automation, it’s important to have physical/virtual
support readily available so that a situation such as an employee being locked out of a system for
too long when the work needs to be done can be addressed by IT. Over time, employees will
always find work-arounds to our policy measures that may or may not be safe, and if this is not
diagnosed by any monitoring or reporting then it is important to use other methods to prevent
these practices. These are just a very few of the potential issues that could arise with policy
enforcement, as the list truly could be endless. The report card for policy compliance found below
will be one of our best efforts in preventing these occasions.

Policy Compliance Report Card

There are several options when it comes to report cards for policy compliance. The main factors
that I think are most important for PYZ are that the report cards are automatic, live, and
well-designed, specifically in terms of visualization. A combination of two options that fit these
criteria are the SCAP and WBEM solutions. Both of these technologies provide the suite of tools
that will fit the needs of PYZ.

Since PYZ is solely a tech company, automation should not be very difficult to implement. There
isn’t much activity the company would do that could or would need to be tracked manually. Live
updates are important because PYZ cannot waste any time with their policy compliance. A delay
of mere minutes would be enough to detrimentally impact PYZ because of how controversial
their technology is. Lastly, visualization is key, primarily because PYZ is in the initial stages of
their policies. As we discussed in the previous week, leaders and executives need to be on board
with compliance, and something that would greatly assist this cause is to create dashboards that
easily and clearly tell those individuals what is happening and what areas need their attention.

The next two pages show only a very brief section of the 118-page document outlining
everything needed for a proper SCAP system, specifically on Windows 10 systems. This
document would be one of many and is simply a way of implementing a SCAP or WBEM system
on a variety of software or programs, typically through software development and installing
certain code to automate with what is already being operated. There are also several reports
available to be produced, so that is where the fine-tuning will be necessary to see which reports fit
best for each department or team. Also included below is just a very small sample of a SCAP
report; how it is interpreted depends on what is of the most priority, what looks unusual, and
whether the output aligns with policy requirements.

Figure 1.9

Policy Enforcement
To earn the reputation as a safe, trustworthy, and reliable company, we will need to have
appropriate measures in place to enforce our policies. While these measures will help to keep us
on the right track, the most important piece is you. Ensure that you have a full understanding of
each policy that applies to you, and consider the importance it plays in your job duties and how it
will help PYZ as a whole. It’s also imperative that when team members or even leaders are seen
violating policies, it is communicated directly or to the IT department. Violating policies could
result in detrimental impacts for thousands, if not millions, of people around the world.

As seen in our policy lifecycle, any mistakes or challenges will come back to us, as the cycle
never ends and we will continue to learn and grow from it. Our feedback loop will be a crucial
part of enforcement, as it will help us to quickly address points of trouble. The policy monitoring
and report card system will ensure that any deviations in following our policy will be noticed and
addressed. Most failures in compliance will result in immediate enforcement measures; otherwise,
there will be weekly audits to address any issue. For further details into what repercussions may
look like, you should refer to the IT policy management section and consider the non-compliance
methods for each policy. We are committed to compliance with our strategies and policies.
Anyone who violates them is subject to disciplinary action, up to and including termination.

Appendix

▪ For a full look into the protocol standards and methods of our IT policy compliance
automation techniques, you will find that in the link below from CSRC
o https://csrc.nist.gov/projects/Security-Content-Automation-Protocol
▪ For further understanding of our primary influence and research used for this IT strategy and
policy overview, you can refer to the sources Security Policies and Implementation Issues
by Robert Johnson and Chuck Easttom as well as Security Strategy by Bill Stackpole and
Eric Oksendahl.
▪ Further definitions of terms found in these documents can be found at
https://csrc.nist.gov/glossary?index=P
▪ For the basis of motives into our compliance monitoring system consider the journal article
Compliance monitoring in business processes: Functionalities, application, and tool-
support.
▪ For the basis of instruction into our policy implementation methods consider the journal
article Information systems security policy implementation in practice: from best practices
to situated practices.
▪ Contact ITdepartment@PYZtech for any further inquiries


References:

Brooks, R. (2020, June 12). How to Prevent Malware Attacks: 10 Security Tips. Netwrix.
Retrieved April 17, 2022, from https://blog.netwrix.com/2020/06/12/malware-prevention/

CSRC. (2022). Security Content Automation Protocol | CSRC. Retrieved May 26, 2022, from
https://csrc.nist.gov/projects/Security-Content-Automation-Protocol

Edwardson, C. (2021, July 28). Record 304.7 Million Ransomware Attacks Eclipse 2020 Global
Total in Just 6 Months. SonicWall. Retrieved March 15, 2022, from
https://www.sonicwall.com/news/sonicwall-record-304-7-million-ransomware-attacks-eclipse-2020-global-total-in-just-6-months/

Hayslip, G. (2018, March 16). 9 policies and procedures you need to know about if you’re
starting a new security program. CSO Online. Retrieved May 15, 2022, from
https://www.csoonline.com/article/3263738/9-policies-and-procedures-you-need-to-know-about-if-youre-starting-a-new-security-program.html

Johnson, R., & Easttom, C. (2020). Security Policies and Implementation Issues (Information
Systems Security & Assurance) (3rd ed.). Jones & Bartlett Learning.

Ly, L. T., Maggi, F. M., Montali, M., Rinderle-Ma, S., & van der Aalst, W. M. (2015).
Compliance monitoring in business processes: Functionalities, application, and tool-support.
Information Systems, 54, 209–234. https://doi.org/10.1016/j.is.2015.02.007

Niemimaa, E., & Niemimaa, M. (2017). Information systems security policy implementation in
practice: from best practices to situated practices. European Journal of Information Systems,
26(1), 1-20. https://doi.org/10.1057/s41303-016-0025-y

PurpleSec. (2022, March 18). Free IT & Cyber Security Policy Templates For 2022. Retrieved
May 15, 2022, from https://purplesec.us/resources/cyber-security-policy-templates/#Physical

Rapid7. (n.d.). Types of Cyber Attacks | Hacking Attacks & Techniques. Retrieved April 17,
2022, from https://www.rapid7.com/fundamentals/types-of-attacks/

Rees, J., & Bandyopadhyay, S. (2000). A Life Cycle Approach to Information Security Policy
for Electronic Commerce.

Stackpole, B., & Oksendahl, E. (2010). Security Strategy. Taylor & Francis.
