ITEC100

Activity 1
Name: De Leon, Rodnie G.
Course and Section: BSIT – 3G

Answer the following questions:


1. An organization is considering developing an encryption policy in its organization. The
penetration tester from the team starts documenting specific products and configurations to
put into the policy. Should the policy contain these details?

Answer: I think the policy should not contain these details. An encryption standard may include
specific products and configurations, but a policy would merely mention that the organization will
follow the organizational encryption standards. This helps ensure the policies remain enforceable
while allowing products or configurations to be changed if needed.

2. An organization is considering placing all its policies, procedures, standards, and
guidance in a single handbook so executive management has to sign off only once. What are
the advantages and disadvantages to this approach?

Answer: The advantage is that senior leadership approval is needed only once for the entire
handbook. The issue is that as soon as a single part of the handbook is outdated, the entire
handbook is outdated. Keeping a comprehensive handbook updated is also challenging
because every version changes the entire context of the book. A better approach is to use a
modular approach with tiered approvals. For example, policies are approved only by senior
leadership, but they may be approved by relevant experts such as IT standards. Guidance
could be developed and approved by almost any line manager throughout the organization. If
a cohesive and modular naming framework is designed and implemented, this delegated
approach of governance can be quite effective.
