Please respond as my classmate and give your opinion.
Developing a comprehensive cyber security policy can be a daunting task. As with any form of security, policy developers must weigh the importance of security against end users' need to get their jobs done. It is commonly accepted that, within the three-pillar approach to cyber security (confidentiality, integrity, and availability), strengthening one pillar often comes at the expense of another. Cyber security policy writers must therefore engage in a delicate juggling act to ensure that none of the pillars is neglected.
To achieve this goal, and to further company or agency objectives, cyber security policy developers must consider a host of issues when developing a strategy. First and foremost is an understanding of the type of data the policy is meant to secure; second is an understanding of what the threat is; and finally, the policy must account for how much the company or agency is willing to invest in cyber security.
Cyber security should not be a 'one-size-fits-all' solution. Cyber security experts must understand the type of data their company or agency works with, how important it is to secure that data, and what industry requirements exist for securing it. For example, personally identifiable information (PII) is considered extremely valuable to criminals and should be tightly controlled. Companies or agencies that handle personal medical information are held to legal standards of data protection prescribed by the Health Insurance Portability and Accountability Act (HIPAA). There are also legal requirements for the protection of financial information such as bank account and credit card data. Other industries may have their own legal requirements or standards for cyber security. Thus, cyber security experts must understand what type of data they are being tasked to protect, and what level of security is necessary or required to protect it, before they can begin to develop a cyber security policy. The cyber security posture of a nonprofit dog rescue organization should be very different from that of a credit card company.
Once policy developers understand what type of data they are tasked to protect, they must then understand the potential threats to that data. If the data is obscure and would have little value to a criminal, the threat is likely much lower than if the data is a lucrative target. Moreover, different types of data will attract different types of malicious actors, who will use different techniques to try to acquire the data and may have vastly different levels of skill and access to malicious tools. Understanding the threat to the data is important for policy writers, because the type and sophistication of the threat should drive cyber security policy. A policy for defending against 'lone hackers' with limited sophistication will look very different from one developed to defend against organized criminal groups or a nation-state actor.
Finally, once all other factors have been considered, policy experts must understand how much money the company or agency is willing to devote to cyber security. Given unlimited funds, cyber security professionals could build an exceptionally robust architecture that is difficult to penetrate, but reality falls far short of that. Policy must be grounded in reality, so cyber security policy developers must understand what is economically feasible when developing their strategy. This is why it is so crucial to understand the other two issues first: they help scope the cyber security requirement down to something more manageable that fits within the economic constraints placed on the cyber security team.