In this module, you explored policies and practices used by organizations to protect information. There are a variety of policies intended to improve the security posture of an organization. These policies include but are not limited to:

- Acceptable use policies
- Privacy policies
- Authorized access policies
- Change and configuration management policies
- Human resource policies
- Codes of ethics
- Organizational security policies
- Password policies
- User education and awareness policies
- User management policies

Many of these policies are part of an organization’s overarching information security policy, although they can stand alone, depending on the size of the organization. The size of the organization can also affect how roles and responsibilities are determined. For example, a smaller organization might have an IT department of one, while a larger organization will have dedicated roles with distinct skill sets and responsibilities.

**Activity Instructions:**

For this activity, you will review a general information security policy of a government organization. Although information security policies can be lengthy, the policy you will review is considered brief at 13 pages long. Be mindful of the time it will take to read and review specific sections to address all activity questions.

**For this week’s activity:**

1. Read the information security policy and the resources provided in the Supporting Materials section.
2. Consider how laws and regulations influence organizational policies and the various IT roles included in an information security policy.
3. Respond to the provided activity questions.

**Prompt:**

Most privately owned and publicly traded firms give only their employees access to security policies and private information. Security policies typically remain for internal use only due to the sensitive nature of their contents. However, many educational entities, nonprofits, and government-affiliated institutions make these documents available to the public via their websites. Read the Information Security Policy of the United States Environmental Protection Agency (EPA) and respond to the provided activity questions. To access the policy in full, click on the "Information Security Policy (PDF)" link provided.

**Supporting Materials:**

These resources will provide greater insight into what elements make up a good security policy and help you prepare for your response to the activity questions:

- Ten Security Policy Writing Mistakes You Cannot Afford to Make
- How to Create a Good Security Policy
- Key Elements of an Information Security Policy
- What Is FISMA Compliance?

**What to Submit:**

Respond to the activity questions below related to the Module Three Activity. Your submission should be 1 to 2 pages, double-spaced, and submitted as a Word document (.docx).

Resources must be appropriately cited using APA style. You are allowed, though not required, to use resources outside of those provided within Module Three and the Supporting Materials section.

Your responses should be in complete paragraphs and should contain the following:

- Answer all of the activity questions thoroughly and completely. Write out the questions in your submission.
- Make direct connections between the information security policy and the concepts covered in Module Three, as well as in the Supporting Materials.
- Support your answers with appropriate examples drawn from the information security policy.
- Use correct grammar, sentence structure, and spelling, and demonstrate an understanding of audience and purpose.

**Activity Questions:**

1. Do you think laws or regulations have influenced the development of this policy? How?

Answer:

Yes, laws and regulations have likely influenced the development of the Information Security Policy of the United States Environmental Protection Agency (EPA).

As a government-affiliated institution, the EPA is subject to various legal requirements related to information security, particularly those outlined in laws such as the Federal Information Security Modernization Act (FISMA).

FISMA mandates that federal agencies develop and implement information security programs to protect their sensitive information and information systems. Additionally, other regulations and guidelines, such as those from the National Institute of Standards and Technology (NIST), likely inform the EPA's policy development process.