MMT2 Task 32At its most basic definition, a security policy is a policy that defines the methods and/orprocesses a person, system or organization takes to ensure its own security.Security policiesattempt to regulate decisions and actions of internal employees and external users whom haveaccess to a company’s resources.An effective security policy should be easily understood,readily available and detailed enough as to leave no reasonable question unanswered.TheEmployer Security Policy addresses the constraints placed on the behaviors of its employees,guests and business partners which include the use of passwords, swipe cards and restrictingaccess to areas of the facility based on a predefined “need to know” basis.These controls serveas an active deterrent for individuals that may think of engaging in unethical behavior.The DataSecurity Policy addresses the privacy of employees and clients and aims to secure their data fromsecurity breaches.It addresses the use of company email, access to databases as well as papercopy information such as company memos.This policy includes a signed employeeacknowledgement, which is a plus and something that the other two policies discussed here lack.The Accounting Security Policy addresses the practice of data collection by the company.Thepolicy states that one reason for this practice is to conduct trend analysis, which are shared withappropriate management staff to confirm acceptable use.This policy does a good job ofexplaining why data collection is required but does not address the consequences of unethical useof the data collected.AEnergy’s security policies address many areas that cover ethical use ofthe company’s resources but none of the policies address unethical behavior specifically.TheData Security Policy and Accounting Security Policy would be strengthened by adding a non-disclosure agreement for guests and external business partners such as vendors and clients.TheAccounting Security Policy and Data Security Policy would be strengthened by addressing theissue of unauthorized use of Personally Identifiable Information (PII) by staff members.
