
General concept of the Fictitious case #3

1) W/ro Zemensh, the CISO of Ethio Telecom, noticed unprofessional conduct by
employees related to data handling and security. The company's current policies give
no clear guidance on such conduct. She convinces her manager, Ato Damtew, to revisit
the company's policies.
2) Ato Damtew proposes integrating the Enterprise Information Security Policy (EISP) with
the company's existing policies so that they are consistent with one another. He tasks
W/ro Zemensh with reviewing the HR policies and suggesting changes so that all policies
work together effectively.
3) The case explores how they should proceed if the committee resists their three-tiered
policy structure and the role of the CISO in evaluating HR policies.

1) If the Enterprise Policy Review Committee is not open to the approach that Ato Damtew
and W/ro Zemensh want to use for structuring InfoSec policies into three tiers, how
should Ato Damtew and W/ro Zemensh proceed?

Ato Damtew and W/ro Zemensh can work to win the committee over to their three-tier
information security policy structure in the following ways:

a) Explain the benefits and address concerns: Explain what each tier covers (the
enterprise-level EISP, the issue-specific policies, and the system-specific policies),
show why separating them makes the policies easier to maintain and enforce, and answer
the committee's specific doubts rather than dismissing them.

b) Show evidence of success: Use examples from other organizations that use a tiered
policy structure to show that the approach works in practice.

c) Get higher-level support: Seek backing from senior management, who are accountable
for the overall risk posture and can see the bigger picture.

d) Run a pilot program: Apply the structure to one policy area (for example, acceptable
use) as a small-scale test, and use the results to demonstrate the benefits before
full implementation.

2) Should the CISO (W/ro Zemensh) be assessing HR policies? Why or why not?

Yes, the CISO (W/ro Zemensh) should have some involvement in assessing HR policies, because
HR policies directly affect information security.

While the Chief Information Security Officer's (CISO) primary responsibility is information
security, they should have a limited but collaborative role in evaluating Human Resources
(HR) policies. HR policies can significantly impact data protection, employee security
awareness, and the overall security culture within an organization.
The CISO's involvement in assessing HR policies should focus on key areas such as:

1) Ensuring proper security measures are in place to protect sensitive employee data such
as personal information and payroll details.
2) Collaborating with HR to develop training programs and policies that foster a security-
aware culture and compliance among employees.
3) Providing guidance to align incident response processes with security best practices,
especially for incidents involving employees, where disciplinary handling and
investigation must follow a consistent, documented procedure.
4) Contributing to the integration of security controls within HR policies related to
onboarding, termination, access privileges, and acceptable use of company resources,
including timely revocation of access when an employee leaves or changes role.

However, it is crucial to maintain a balance and avoid overstepping boundaries. The CISO's
role should be collaborative, working closely with HR to align security and employment
policies without undermining HR's core expertise in managing employment matters.
