
Callum Jukes

D1 unit 7 assignment 4
7 Tiers of recovery
Overview of a disaster - A disaster in I.T is an interruption of the function of a
company/business. It is when a company loses a large amount of, if not all of, its
data in an event. These events are split into two different classifications. First
are natural disasters and second are manmade disasters. Natural disasters involve
events such as weather disasters and earthquakes. These are very difficult and in
some cases impossible to prevent, although risk management can help avoid the
worst of a natural disaster's effects. Manmade disasters include hazardous
material spills, terrorism, and IT attacks and bugs.
Disaster Recovery/Recovery Planning - A company should always try to plan for
any disaster it may face, as a disaster would stop the workings of a business
and significantly damage it in the future. It could result in revenue loss, loss of
reputation, damage to property and products, and legal costs. A good plan is
required to achieve disaster recovery. A business needs an RPO and an RTO
(recovery point objective and recovery time objective). Zero data loss and
recovery time solutions are usually the most expensive plans. There are ways to
reduce the cost of a plan by using a company's own custom file system.
Importance - I.T is always growing, and its importance in everyday life for
businesses and even the economy is doing the same. I.T is becoming part of the
smooth running of companies and without it they would not be able to operate.
Rapid action and recovery of these I.T systems is, or should be, one of the top
priorities for a company of this day and age, as without this key data and these
I.T systems they would struggle to survive. Recovery plans can sometimes cost a
large amount of money, and it takes key knowledge to set up a decent system to
stop data loss.
Types of backup
Full Backup - A full backup is when every file and all data from a system that
are chosen by the user are backed up and kept safe. When other backups are run,
all files are saved again. This type of backup has many advantages, such as
allowing very fast and simple backups to be made, as all data that is chosen is
saved, meaning there is no data loss. However, a disadvantage is that a full
backup takes a long time as all files must be copied; if this happens often, it
can take a lot of time away from a business. These backups also take up a lot of
memory, meaning more money must be spent on storage.
Incremental backup - This type of backup is when all the changes made since
the system was last backed up are backed up and saved. This results in a very
fast system of backup as only the changes are saved, meaning less room is taken
up in storage and it takes less time to save, so overall they are cheaper for a
computer to operate. However, a full system restore is a lot slower as not all
the information is there.
Local Backup - A local backup is when the saved data from a backup is kept in
the same area or building as the original data. This could be, say, an extra hard
disk drive in the building or an extra storage device attached via cable to the
computer system. These local backups can protect a system from forms of virus
attack and failures of system devices, and also from human error such as
unintentional deletion of files.
Full PC Backup or Full Computer Backup - A full PC system backup is when
every part of a computer's system data is saved and backed up in the event of a
disaster. This means that a computer's data and functions can be fully restored,
if needed, to the same state as when the backup took place. The backup does not
just cover files and documents on the previous computer; it brings over the rest
of the computer's information, such as the operating system, drivers and the
registry.
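The difference between restoring from a full backup and from a chain of incremental backups, as an added example that is not part of the original assignment. It goes a little beyond the text by linking each backup to the one before it with a SHA-256 fingerprint, so that a missing incremental is detected at restore time; the file names, contents and function names are constructed for illustration.

```python
import hashlib


def fingerprint(files):
    """SHA-256 over every path and its content hash; identifies one exact file set."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + hashlib.sha256(files[path]).digest())
    return h.hexdigest()


def full_backup(files):
    """Full backup: copy every selected file."""
    return {"kind": "full", "base": None, "files": dict(files),
            "deleted": [], "result": fingerprint(files)}


def incremental_backup(files, previous):
    """Incremental backup: copy only what changed since the previous backup.

    `previous` is the file set as it was at the last backup. Assumption: a real
    tool would keep a catalogue of hashes or timestamps, not the old data itself.
    """
    changed = {p: d for p, d in files.items() if previous.get(p) != d}
    deleted = sorted(p for p in previous if p not in files)
    return {"kind": "incremental", "base": fingerprint(previous),
            "files": changed, "deleted": deleted, "result": fingerprint(files)}


def stored_bytes(backup):
    """Storage consumed by the file data held in one backup."""
    return sum(len(data) for data in backup["files"].values())


def restore(chain):
    """Rebuild the file set from a full backup plus every later incremental.

    Each incremental must follow on from the state restored so far, otherwise
    the restore stops instead of silently producing stale or mixed data.
    """
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("restore must start from a full backup")
    restored = {}
    for number, backup in enumerate(chain):
        if backup["kind"] == "full":
            restored = {}
        elif backup["base"] != fingerprint(restored):
            raise ValueError(f"backup {number} does not follow the one before it")
        restored.update(backup["files"])
        for path in backup["deleted"]:
            restored.pop(path, None)
        if fingerprint(restored) != backup["result"]:
            raise ValueError(f"backup {number} is damaged or incomplete")
    return restored


# Constructed sample data: three days of a small file set.
DAY_0 = {"accounts.db": b"A" * 4000, "staff.csv": b"S" * 1500, "notes.txt": b"old"}
DAY_1 = {**DAY_0, "staff.csv": b"S" * 1500 + b"new"}            # one file edited
DAY_2 = {p: d for p, d in DAY_1.items() if p != "notes.txt"}    # one file deleted
DAY_2["orders.db"] = b"O" * 800                                 # one file added

FULL_0 = full_backup(DAY_0)
INC_1 = incremental_backup(DAY_1, DAY_0)
INC_2 = incremental_backup(DAY_2, DAY_1)

if __name__ == "__main__":
    for name, backup in (("full day 0", FULL_0), ("incr day 1", INC_1),
                         ("incr day 2", INC_2)):
        print(f"{name}: {stored_bytes(backup)} bytes stored")
    print("restore of full chain matches day 2:",
          restore([FULL_0, INC_1, INC_2]) == DAY_2)
    try:
        restore([FULL_0, INC_2])        # day 1 incremental is missing
    except ValueError as err:
        print("restore without day 1 refused:", err)
```

The incrementals store far less than the full backup, but the day 2 state can only be rebuilt by replaying the full backup and both incrementals in order, which is why the restore is slower and why every link in the chain has to survive.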
Tiers of Recovery
Tier 0 - Disaster recovery is not achieved as there is no plan. This means that
in the event of loss of data, there is no backup of the company's system and
data, meaning the time to recover a business is unpredictable and the business
might not recover at all. Tier 0 would be present in a very simple business such
as a market stall or very small shops that do not record as much data as an I.T
based business.
Tier 1 - The first tier of disaster recovery is where the backups of the system
are stored in a location that is offsite from the original system. They are
physically transported to different locations, meaning there is a time delay in
retrieving the backups to help in disaster recovery. The method used is
sometimes called PTAM, which stands for pickup truck access method. Tier 1
could be used by a small business or an independent shop on the high street that
does not use a large amount of critical data and for which the data is not so
important for the running of the business.
Tier 2 - This recovery plan uses a hot site to store recovery data. This means
the data can be accessed on the site in the event of a disaster; however, the
data must still be physically taken to the site. A hot site is where data can be
back up and running very quickly offsite, which means there can still be days of
data loss, but it is a lot more predictable when recovery will be achieved. This
plan could be used by a small school that has some small forms of I.T usage such
as registers and maybe some teacher files.
Tier 3 - Tier 3 is a lot like tier 2; however, the data is not taken physically
but electronically to the hot site. It is transmitted through a secure internet
connection or VPN. This means tier 3 recovery is a lot more up to date than tiers
1 and 2; however, the hot site is left running permanently, meaning costs
increase. Mission critical data is saved at this tier, which is basically the
core of a system and is vital for the running of a business. The data critical to
a company is kept by a method called electronic vaulting, which allows more up to
date data to be stored as it uses high speed communication circuits. This plan
could be used in a large school or business which uses I.T on a regular basis.
This plan is a lot higher tech than the previous two, meaning it is more open to
a wider range of businesses.
Tier 4 - Tier 4 uses snapshots taken at points in time, which are electronically
transmitted to a hot site. The snapshots may occur very frequently, such as every
few hours, meaning there is a higher chance the backups are up to date, as there
are probably going to be a few for a day. Also, the data is encrypted at both
ends where it is saved, meaning data tampering is impossible, and hard disks are
used instead of tapes. This plan could be used by a college, a university and
businesses that rely on I.T data. This plan assures a lot more data is saved in
the event of a data loss, meaning that businesses and areas that require I.T
information to operate are probably going to use it.
Tier 5 - This is known as transactional integrity and involves no level of data
loss in the event of a disaster, as the data which is critical to a business is
kept synchronised between the hot site and the business, meaning the data is the
same at either end, all the time. Tier 5 could be used by places such as banks
and very large companies that need to keep track of a lot of data to do with
sales and customers. These companies would need to know that all their data is
safe in the event of a disaster and loss of data. Tiers 5, 6 and 7 are very
similar as they mean there is no data loss. This means all the largest companies
that require data to operate will most likely use one of these 3 plans.
Tier 6 - Tier 6 and above is used by companies that cannot afford to lose any
kind of data on their systems. Tier 6 involves disk mirroring, which means the
data is transferred to a hot site in real time, meaning the mirrored disk is
exactly the same as the main system data disks.
Tier 7 - This is the highest tier of recovery that a business can have. In the
event of a disaster, the recovery system will detect it (this could be a device
separate from the main computers) and this will trigger the restoration process
to begin. The process is generally the same as tier 6 recovery. Basically, tier 7
is an automated tier 6 recovery plan.

D2 Policy Reviews
Policy Review
[Table: the features of a good policy listed below (rows) marked against Policy 1 to Policy 11 (columns); each cell is 1 or X.]
Identifies roles and responsibilities in ensuring security
States what corrective action to be taken after a breach
States people to notify after a breach
Can be easily implemented and followed
Endorsed by senior management or a review committee
Concise, clearly written and detailed
Structured so that pertinent information can be found easily
Versioned and dated in order
Enforceable with sanctions
National Laws considered
Action against non-compliance stated
Reviewed periodically
Interests of employees as well as business considered

Above is a table of all the policies and which features of a good policy each one does and does not have. It will be used
multiple times in this evaluation of the policies and of what should be featured in them.
1 = includes feature
X = does not include feature
Policy 1 - Staff I and C User Agreement
Policy 2 - Anti-virus and Spam Policy
Policy 3 - Computer Remote Control Policy
Policy 4 - User Administration Policy
Policy 5 - Incident Response and Misuse of IT Facilities Policy
Policy 6 - Information Systems Disaster Recovery Plan
Policy 7 - Network Access Policy
Policy 8 - Passwords Standards Policy
Policy 9 - Physical Security Policy
Policy 10 - SJR Information Systems Security Policy
Policy 11 - Student IT User Agreement
In this evaluation, I will state what is good and what is bad in each of these
policies. I will state what the policy has, which is a good feature, and what the
policy does not have, which is a bad feature. I will then talk about each of the
features the policy does not have and explain why it needs them; these are the
suggested improvements.
Policy 1
Features policy 1 has (good features) - Identifies roles and responsibilities in
ensuring security, States people to notify after a breach, Endorsed by senior
management or a review committee, Concise, clearly written and detailed,
Versioned and dated in order, Enforceable with sanctions, National Laws
considered, Action against non-compliance stated, Interests of employees as well
as business considered.
Features policy 1 does not have (bad features) - States what corrective action to
be taken after a breach, Can be easily implemented and followed, Reviewed
periodically.
The Staff I and C User Agreement policy is generally a good policy overall but
could do with some work to bring it up to a high standard. Possible improvements
are the features the table shows as missing from the policy.
Stating what corrective action is to be taken after a breach would benefit a
policy. The policy would tell whoever reads it, such as employees or managers,
what action is to be taken in the event of something or someone disobeying or
going against what is said in the policy. If a policy does not have this and
something happens that breaches it, the company would have to think up ways to
correct the breach, meaning that the reaction would be slow and unorganised,
possibly leading to further trouble. If the policy states what action to take,
then employees can simply read off the policy and carry out the action required
to correct the breach, returning the company/business to its normal functions.
A good feature for a policy to have is that it can be easily implemented by the
staff at a business or company. If this is not the case, implementing the policy
can become complex and would create problems rather than solve them:
organisation would be hard, and features of the policy such as different software
and staff training would cost money and use up work time. If it was easily
implemented, then staff could use the policy easily and carry on with what is
required of the business.
If a policy is not reviewed periodically then problems can occur. If national law
changes, or the environment in which employees work changes, then changes must be
made to the policy; these changes would be made when the policy is reviewed at
the end of the month or year. If a review does not take place, this can cause
problems such as a bad working environment or unnecessary action against
offenders of an old policy. A review would allow senior management to see if
there are any problems with the policy and correct them, meaning the working
environment would not be negatively affected.
Policy 2
Features policy 2 has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Can be easily implemented and followed,
Concise, clearly written and detailed, Structured so that pertinent information
can be found easily.
Features policy 2 does not have (bad features) - Endorsed by senior management
or a review committee, Versioned and dated in order, Enforceable with sanctions,
National Laws considered, Action against non-compliance stated, Reviewed
periodically, Interests of employees as well as business considered.
The Anti-virus and Spam Policy has some good sides, as it has a few of the
features needed in an effective policy; however, it lacks many that would make it
an excellent policy, such as the ones stated above.
If a policy is endorsed by a senior management team or a review committee, then
the chances of it being successful significantly increase. If something goes
wrong with the policy and it is no longer effective, then staff would face a lot
of trouble explaining what has happened and why the policy went wrong. If the
policy is checked over and approved by senior management or a committee that
reviews policies, then it should in theory work and would not cause any trouble
at the business, thus improving the effectiveness of the business at completing
work and solving breaches of policy.
A policy can suffer if it is not versioned and dated for many reasons, the
biggest being that using an out-of-date policy can cause disaster in a business.
If terms of a policy have been changed and updated, but records of the old policy
are kept, dating and versioning is vital. If different copies of the policy are
being used in different areas of the company, then in the event of a breach,
contradicting actions could be carried out, causing chaos and creating further
problems. If policies are dated, then this would not occur, as the correct and
up-to-date version would be in use across the company and its staff members.
If a policy is not enforceable with sanctions and action against non-compliance
is not stated, then it would be very hard for a business to enforce its policy.
This is a lot like the actions to be taken after a breach if it involves a
person. If someone at the workplace disobeys the policy and goes against it, then
action against them should be stated. If no action, such as demotion or loss of
job, is taken against the offender, then people at the workplace will see they do
not have to abide by the rules, and this could result in the breakdown of order
in a business. The policy should state clearly what action is to be taken to make
sure the policy is effective in achieving its aims.
An important aspect of good policies is that they consider national laws in their
requirements, especially in I.T areas. If a policy does not consider laws when
setting requirements, this can cause massive legal issues, such as human rights
issues, if caught out by the police. This could result in the closure of a
company if serious enough. This is why a company needs to check through a policy
to see if national laws are considered, and to check the laws and compare them to
the policy. This is usually the job of senior management and ties in with the
requirement of endorsement from senior management.
If a policy is not reviewed periodically then problems can occur. If national law
changes, or the environment in which employees work changes, then changes must be
made to the policy; these changes would be made when the policy is reviewed at
the end of the month or year. If a review does not take place, this can cause
problems such as a bad working environment or unnecessary action against
offenders of an old policy. A review would allow senior management to see if
there are any problems with the policy and correct them, meaning the working
environment would not be negatively affected.
A good policy would consider the needs and interests of the employees the policy
affects. If a policy does not consider the interests of the employees then they
may feel left out and not want to abide by what the policy is saying. This would
cause problems in a business as there would be little trust between the majority
of employees and the senior management who put policies such as this one in
place. A good policy would consider the needs and interests of the employees to
ensure they are comfortable with the new rules placed by the policy and make sure
they will abide by what is said by senior management, ensuring work is continued
effectively.
Policy 3
Features policy has (good features) - Identifies roles and responsibilities in
ensuring security, Concise, clearly written and detailed, Structured so that
pertinent information can be found easily, Enforceable with sanctions, Action
against non-compliance stated.
Features policy does not have (bad features) - States what corrective action to be
taken after a breach, States people to notify after a breach, Can be easily
implemented and followed, Endorsed by senior management or a review
committee, Versioned and dated in order, National Laws considered, Reviewed
periodically, Interests of employees as well as business considered.
The Computer Remote Control Policy has many good features, such as the fact that
it states roles and responsibilities, but the features I would recommend for
improvement are as follows.
Stating what corrective action is to be taken after a breach would benefit a
policy. The policy would tell whoever reads it, such as employees or managers,
what action is to be taken in the event of something or someone disobeying or
going against what is said in the policy. If a policy does not have this and
something happens that breaches it, the company would have to think up ways to
correct the breach, meaning that the reaction would be slow and unorganised,
possibly leading to further trouble. If the policy states what action to take,
then employees can simply read off the policy and carry out the action required
to correct the breach, returning the company/business to its normal functions.
A feature that would benefit the policy is stating who to notify in the event of
a breach. If a breach occurs and the people who need to know are not notified,
this would cause massive problems, as a solution would not be reached because the
people who have the solutions would not know of the breach. If the policy stated
who to notify, then whoever causes or notices the breach can tell the correct
people in the company and action would be taken quickly to resolve the problem.
A good feature for a policy to have is that it can be easily implemented by the
staff at a business or company. If this is not the case, implementing the policy
can become complex and would create problems rather than solve them:
organisation would be hard, and features of the policy such as different software
and staff training would cost money and use up work time. If it was easily
implemented, then staff could use the policy easily and carry on with what is
required of the business.
If a policy is endorsed by a senior management team or a review committee, then
the chances of it being successful significantly increase. If something goes
wrong with the policy and it is no longer effective, then staff would face a lot
of trouble explaining what has happened and why the policy went wrong. If the
policy is checked over and approved by senior management or a committee that
reviews policies, then it should in theory work and would not cause any trouble
at the business, thus improving the effectiveness of the business at completing
work and solving breaches of policy.
A policy can suffer if it is not versioned and dated for many reasons, the
biggest being that using an out-of-date policy can cause disaster in a business.
If terms of a policy have been changed and updated, but records of the old policy
are kept, dating and versioning is vital. If different copies of the policy are
being used in different areas of the company, then in the event of a breach,
contradicting actions could be carried out, causing chaos and creating further
problems. If policies are dated, then this would not occur, as the correct and
up-to-date version would be in use across the company and its staff members.
An important aspect of good policies is that they consider national laws in their
requirements, especially in I.T areas. If a policy does not consider laws when
setting requirements, this can cause massive legal issues, such as human rights
issues, if caught out by the police. This could result in the closure of a
company if serious enough. This is why a company needs to check through a policy
to see if national laws are considered, and to check the laws and compare them to
the policy. This is usually the job of senior management and ties in with the
requirement of endorsement from senior management.
If a policy is not reviewed periodically then problems can occur. If national law
changes, or the environment in which employees work changes, then changes must be
made to the policy; these changes would be made when the policy is reviewed at
the end of the month or year. If a review does not take place, this can cause
problems such as a bad working environment or unnecessary action against
offenders of an old policy. A review would allow senior management to see if
there are any problems with the policy and correct them, meaning the working
environment would not be negatively affected.
A good policy would consider the needs and interests of the employees the policy
affects. If a policy does not consider the interests of the employees then they
may feel left out and not want to abide by what the policy is saying. This would
cause problems in a business as there would be little trust between the majority
of employees and the senior management who put policies such as this one in
place. A good policy would consider the needs and interests of the employees to
ensure they are comfortable with the new rules placed by the policy and make sure
they will abide by what is said by senior management, ensuring work is continued
effectively.
Policy 4
Features policy has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Can be easily implemented and followed,
Endorsed by senior management or a review committee, Concise, clearly written
and detailed, Structured so that pertinent information can be found easily,
Versioned and dated in order, Enforceable with sanctions, Interests of employees
as well as business considered.
Features policy does not have (bad features) - National Laws considered, Action
against non-compliance stated, Reviewed periodically.
The User Administration Policy is one of the best policies in the list of policies
I have covered. It has many important features, but there is still room for
improvement in the important features it is missing, such as the ones I will now
explain.
An important aspect of good policies is that they consider national laws in their
requirements, especially in I.T areas. If a policy does not consider laws when
setting requirements, this can cause massive legal issues, such as human rights
issues, if caught out by the police. This could result in the closure of a
company if serious enough. This is why a company needs to check through a policy
to see if national laws are considered, and to check the laws and compare them to
the policy. This is usually the job of senior management and ties in with the
requirement of endorsement from senior management.
If a policy is not enforceable with sanctions and action against non-compliance
is not stated, then it would be very hard for a business to enforce its policy.
This is a lot like the actions to be taken after a breach if it involves a
person. If someone at the workplace disobeys the policy and goes against it, then
action against them should be stated. If no action, such as demotion or loss of
job, is taken against the offender, then people at the workplace will see they do
not have to abide by the rules, and this could result in the breakdown of order
in a business. The policy should state clearly what action is to be taken to make
sure the policy is effective in achieving its aims.
A good policy would consider the needs and interests of the employees the policy
affects. If a policy does not consider the interests of the employees then they
may feel left out and not want to abide by what the policy is saying. This would
cause problems in a business as there would be little trust between the majority
of employees and the senior management who put policies such as this one in
place. A good policy would consider the needs and interests of the employees to
ensure they are comfortable with the new rules placed by the policy and make sure
they will abide by what is said by senior management, ensuring work is continued
effectively.
Policy 5
Features policy has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Can be easily implemented and followed,
Structured so that pertinent information can be found easily, Action against
non-compliance stated, Interests of employees as well as business considered.
Features policy does not have (bad features) - Endorsed by senior management
or a review committee, Concise, clearly written and detailed, Versioned and
dated in order, Enforceable with sanctions, National Laws considered, Reviewed
periodically.
The Incident Response and Misuse of IT Facilities Policy has many very good
features but still needs some improvement, such as the features I will now list
and explain.
If a policy is endorsed by a senior management team or a review committee, then
the chances of it being successful significantly increase. If something goes
wrong with the policy and it is no longer effective, then staff would face a lot
of trouble explaining what has happened and why the policy went wrong. If the
policy is checked over and approved by senior management or a committee that
reviews policies, then it should in theory work and would not cause any trouble
at the business, thus improving the effectiveness of the business at completing
work and solving breaches of policy.
A policy can suffer if it is not versioned and dated for many reasons, the
biggest being that using an out-of-date policy can cause disaster in a business.
If terms of a policy have been changed and updated, but records of the old policy
are kept, dating and versioning is vital. If different copies of the policy are
being used in different areas of the company, then in the event of a breach,
contradicting actions could be carried out, causing chaos and creating further
problems. If policies are dated, then this would not occur, as the correct and
up-to-date version would be in use across the company and its staff members.
If a policy is not enforceable with sanctions and action against non-compliance
is not stated, then it would be very hard for a business to enforce its policy.
This is a lot like the actions to be taken after a breach if it involves a
person. If someone at the workplace disobeys the policy and goes against it, then
action against them should be stated. If no action, such as demotion or loss of
job, is taken against the offender, then people at the workplace will see they do
not have to abide by the rules, and this could result in the breakdown of order
in a business. The policy should state clearly what action is to be taken to make
sure the policy is effective in achieving its aims.
An important aspect of good policies is that they consider national laws in their
requirements, especially in I.T areas. If a policy does not consider laws when
setting requirements, this can cause massive legal issues, such as human rights
issues, if caught out by the police. This could result in the closure of a
company if serious enough. This is why a company needs to check through a policy
to see if national laws are considered, and to check the laws and compare them to
the policy. This is usually the job of senior management and ties in with the
requirement of endorsement from senior management.
If a policy is not reviewed periodically then problems can occur. If national law
changes, or the environment in which employees work changes, then changes must be
made to the policy; these changes would be made when the policy is reviewed at
the end of the month or year. If a review does not take place, this can cause
problems such as a bad working environment or unnecessary action against
offenders of an old policy. A review would allow senior management to see if
there are any problems with the policy and correct them, meaning the working
environment would not be negatively affected.
Policy 6
Features the policy has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Structured so that pertinent information
can be found easily.
Features policy does not have (bad features) - Can be easily implemented and
followed, Endorsed by senior management or a review committee, Concise,
clearly written and detailed, Versioned and dated in order, Enforceable with
sanctions, National Laws considered, Action against non-compliance stated,
Reviewed periodically, Interests of employees as well as business considered.
The Information Systems Disaster Recovery Plan is lacking in many areas such as
the ones stated above; the following is what I would recommend for
improvements to this policy. A good feature for a policy to have is that it can be
easily implemented by the staff at a business or company. If this is not the case,
implementing a policy can become complex and would not solve any problems
but create them, as organisation would be hard if it is not easily implemented, as
features of the policy such as different software and training of staff would cost
money and use up work time. If it was easily implemented, then staff could use
the policy easily and carry on with what is required of the business. If a policy is
endorsed by a senior management team or a review committee, then the
chances of it being successful significantly increase. If something goes wrong
with the policy and it is not effective anymore, then staff would face a lot of
trouble explaining what has happened and why the policy went wrong. If the
policy is checked over and approved by senior management or a committee that
reviews policies, then it should in theory work and would not cause any trouble
at the business, thus improving the effectiveness of the business at completing
work and solving breaches of policy. If a policy is concise, clearly written and
detailed, then the chances of it working correctly increase. If a policy is not
understandable and hard to recognise what is being asked of the policy, it will be
extremely hard for staff at a company to abide by its rules and carry out what it
is saying. This would cause problems as the ones who understand what is being
asked such as senior management would struggle to keep people in line with the
policy as they cannot understand what they must do; this wastes business time
and could cause a stoppage in work. If a policy is understandable, then it will
be effective in achieving what the policy wishes to do. Whether a policy is understandable
or not can be the difference in whether it is effective. A policy can suffer if it is not
versioned and dated for many reasons, the biggest being that if an out-of-date
policy is used it can cause disaster in a business. If terms of a policy have been
changed and updated, but records of the old policy are kept, dating and
versioning is vital. If different copies of the policy are being used in different
areas of the company, then in the event of a breach, major problems could occur, such as
contradicting action being taken, causing chaos and creating further
problems. If policies are dated, then this would not occur as the correct and up-to-date
version would be in use across the company and its staff members. If a policy is
not enforceable with sanctions and action against non-compliance is not stated
then it would be very hard for a business to enforce its policy. This is a lot like the
actions to be taken after a breach if it involves a person. If someone at the
workplace disobeys the policy and goes against it, then action against them
should be stated. If there are no actions taken against the offender, such as
demotion or loss of job, then people at the workplace will see they do not have to
abide by rules and this could result in the breakdown of order in a business. The
policy should state clearly what action is to be taken to make sure the policy is
effective in achieving its aims. An important aspect of good policies is that they
consider national laws in their requirements, especially in I.T areas. If a policy
does not consider laws when setting requirements, this can cause massive legal
issues, such as human rights issues, if caught out by the police. This could result
in the closure of a company if serious enough. This is why a
company needs to check through a policy to see if national laws are considered and to
check laws and compare them to the policy. This is usually the job of senior
management and ties in with the requirement of endorsement from senior
management. If a policy is not reviewed periodically then problems can occur. If
changes in national law occur or the environment in which
employees work changes, then changes must be made to the policy; these changes
would be made when the policy is reviewed at the end of the month or year. If a
review does not take place, this can cause problems such as a bad working
environment or unnecessary action against offenders of an old policy. A review
would allow the senior management to see if there are any problems with the
policy and correct those, meaning the working environment would not be
negatively affected. A good policy would consider the needs and interests of the
employees the policy affects. If a policy does not consider the interests of the
employee then they may feel left out and not want to abide by what the policy is
saying. This would cause problems in a business as there would be little trust
between the majority of employees and the senior management who puts
policies such as this one in place. A good policy would consider the needs and
interests of the employees to ensure they are comfortable with the new rules
placed by the policy and make sure they will abide by what is said from senior
management, ensuring work is continued effectively.
Policy 7
Features the policy has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Concise, clearly written and detailed,
Structured so that pertinent information can be found easily, Action against non-compliance stated.
Features policy does not have (bad features) - Can be easily implemented and
followed, Endorsed by senior management or a review committee, Versioned and
dated in order, Enforceable with sanctions, National Laws considered, Reviewed
periodically, Interests of employees as well as business considered
Policy 7, the Network Access Policy, has many bad areas such as the lack of
features from the table; these features that it does not have are the ones I would
recommend, and I will now explain them. A good feature for a policy to
have is that it can be easily implemented by the staff at a business or company. If
this is not the case, implementing a policy can become complex and would not
solve any problems but create them, as organisation would be hard if it is not
easily implemented, as features of the policy such as different software and
training of staff would cost money and use up work time. If it was easily
implemented, then staff could use the policy easily and carry on with what is required of
the business. If a policy is endorsed by a senior management team or a review
committee, then the chances of it being successful significantly increase. If
something goes wrong with the policy and it is not effective anymore, then staff
would face a lot of trouble explaining what has happened and why the policy
went wrong. If the policy is checked over and approved by senior management
or a committee that reviews policies, then it should in theory work and would not
cause any trouble at the business, thus improving the effectiveness of the
business at completing work and solving breaches of policy. A policy can suffer if
it is not versioned and dated for many reasons, the biggest being that if an out-of-date
policy is used it can cause disaster in a business. If terms of a policy have
been changed and updated, but records of the old policy are kept, dating and
versioning is vital. If different copies of the policy are being used in different
areas of the company, then in the event of a breach, major problems could occur, such as
contradicting action being taken, causing chaos and creating further
problems. If policies are dated, then this would not occur as the correct and up-to-date
version would be in use across the company and its staff members. If a policy is
not enforceable with sanctions and action against non-compliance is not stated
then it would be very hard for a business to enforce its policy. This is a lot like the
actions to be taken after a breach if it involves a person. If someone at the
workplace disobeys the policy and goes against it, then action against them
should be stated. If there are no actions taken against the offender, such as
demotion or loss of job, then people at the workplace will see they do not have to
abide by rules and this could result in the breakdown of order in a business. The
policy should state clearly what action is to be taken to make sure the policy is
effective in achieving its aims. An important aspect of good policies is that they
consider national laws in their requirements, especially in I.T areas. If a policy
does not consider laws when setting requirements, this can cause massive legal
issues, such as human rights issues, if caught out by the police. This could result
in the closure of a company if serious enough. This is why a
company needs to check through a policy to see if national laws are considered and to
check laws and compare them to the policy. This is usually the job of senior
management and ties in with the requirement of endorsement from senior
management. If a policy is not reviewed periodically then problems can occur. If
changes in national law occur or the environment in which
employees work changes, then changes must be made to the policy; these changes
would be made when the policy is reviewed at the end of the month or year. If a
review does not take place, this can cause problems such as a bad working
environment or unnecessary action against offenders of an old policy. A review
would allow the senior management to see if there are any problems with the
policy and correct those, meaning the working environment would not be
negatively affected. A good policy would consider the needs and interests of the
employees the policy affects. If a policy does not consider the interests of the
employee then they may feel left out and not want to abide by what the policy is
saying. This would cause problems in a business as there would be little trust
between the majority of employees and the senior management who puts
policies such as this one in place. A good policy would consider the needs and
interests of the employees to ensure they are comfortable with the new rules
placed by the policy and make sure they will abide by what is said from senior
management, ensuring work is continued effectively.
Policy 8
Features policy does have (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Structured so that pertinent information
can be found easily, Enforceable with sanctions, Action against non-compliance
stated, Interests of employees as well as business considered.
Features policy does not have (bad features) - Can be easily implemented and
followed, Endorsed by senior management or a review committee, Concise,
clearly written and detailed, Versioned and dated in order, National Laws
considered, Reviewed periodically.
Policy 8, the Passwords Standards Policy, is a well-balanced policy with mainly
good features but does still lack some important features; these are the ones I
would recommend and why. A good feature for a policy to have is that it can be
easily implemented by the staff at a business or company. If this is not the case,
implementing a policy can become complex and would not solve any problems
but create them, as organisation would be hard if it is not easily implemented, as
features of the policy such as different software and training of staff would cost
money and use up work time. If it was easily implemented, then staff could use
the policy easily and carry on with what is required of the business. If a policy is
endorsed by a senior management team or a review committee, then the
chances of it being successful significantly increase. If something goes wrong
with the policy and it is not effective anymore, then staff would face a lot of
trouble explaining what has happened and why the policy went wrong. If the
policy is checked over and approved by senior management or a committee that
reviews policies, then it should in theory work and would not cause any trouble
at the business, thus improving the effectiveness of the business at completing
work and solving breaches of policy. If a policy is concise, clearly written and
detailed, then the chances of it working correctly increase. If a policy is not
understandable and hard to recognise what is being asked of the policy, it will be
extremely hard for staff at a company to abide by its rules and carry out what it
is saying. This would cause problems as the ones who understand what is being
asked such as senior management would struggle to keep people in line with the
policy as they cannot understand what they must do; this wastes business time
and could cause a stoppage in work. If a policy is understandable, then it will
be effective in achieving what the policy wishes to do. Whether a policy is understandable
or not can be the difference in whether it is effective. A policy can suffer if it is not
versioned and dated for many reasons, the biggest being that if an out-of-date
policy is used it can cause disaster in a business. If terms of a policy have been
changed and updated, but records of the old policy are kept, dating and
versioning is vital. If different copies of the policy are being used in different
areas of the company, then in the event of a breach, major problems could occur, such as
contradicting action being taken, causing chaos and creating further
problems. If policies are dated, then this would not occur as the correct and up-to-date
version would be in use across the company and its staff members. An important
aspect of good policies is that they consider national laws in their requirements,
especially in I.T areas. If a policy does not consider laws when setting
requirements, this can cause massive legal issues, such as human rights issues,
if caught out by the police. This could result in the closure of a company if
serious enough. This is why a company needs to check through a policy
to see if national laws are considered and to check laws and compare them to
the policy. This is usually the job of senior management and ties in with the
requirement of endorsement from senior management. If a policy is not reviewed
periodically then problems can occur. If changes in national law occur or the
environment in which employees work changes, then changes
must be made to the policy; these changes would be made when the policy is
reviewed at the end of the month or year. If a review does not take place, this
can cause problems such as a bad working environment or unnecessary action
against offenders of an old policy. A review would allow the senior management
to see if there are any problems with the policy and correct those, meaning the
working environment would not be negatively affected.
Policy 9
Features policy has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Can be easily implemented and followed,
Concise, clearly written and detailed, Versioned and dated in order, Enforceable
with sanctions, National Laws considered, Interests of employees as well as
business considered.
Features policy does not have (bad features) - Endorsed by senior management
or a review committee, Structured so that pertinent information can be found
easily, Action against non-compliance stated, Reviewed periodically.
Policy 9, the Physical Security Policy, is set out very well and has many good
features such as the ones stated above, but it is not a complete policy as it is still
missing key features, such as the ones I will now recommend. If a policy is
endorsed by a senior management team or a review committee, then the
chances of it being successful significantly increase. If something goes wrong
with the policy and it is not effective anymore, then staff would face a lot of
trouble explaining what has happened and why the policy went wrong. If the
policy is checked over and approved by senior management or a committee that
reviews policies, then it should in theory work and would not cause any trouble
at the business, thus improving the effectiveness of the business at completing
work and solving breaches of policy. A policy should be structured so that
pertinent information can be found easily; this is because in the event of a
breach, information on what to do, such as who to inform and what actions to
take, can be found in a good policy. If a policy is not structured correctly and is all
over the place with its information, this can cause a slow reaction to the breach
as information would be hard to find. A structured policy would have its
information split into relevant sections, meaning a reaction could be quick as
information would be found at a fast pace. If a policy is not enforceable with
sanctions and action against non-compliance is not stated then it would be very
hard for a business to enforce its policy. This is a lot like the actions to be taken
after a breach if it involves a person. If someone at the workplace disobeys the
policy and goes against it, then action against them should be stated. If there are
no actions taken against the offender, such as demotion or loss of job, then
people at the workplace will see they do not have to abide by rules and this
could result in the breakdown of order in a business. The policy should state
clearly what action is to be taken to make sure the policy is effective in achieving
its aims. If a policy is not reviewed periodically then problems can occur. If
changes in national law occur or the environment in which
employees work changes, then changes must be made to the policy; these changes
would be made when the policy is reviewed at the end of the month or year. If a
review does not take place, this can cause problems such as a bad working
environment or unnecessary action against offenders of an old policy. A review
would allow the senior management to see if there are any problems with the
policy and correct those, meaning the working environment would not be
negatively affected.
Policy 10
Features policy has (good features) - Identifies roles and responsibilities in
ensuring security, States what corrective action to be taken after a breach,
States people to notify after a breach, Endorsed by senior management or a
review committee, Structured so that pertinent information can be found easily,
Enforceable with sanctions, National Laws considered, Action against non-compliance stated, Interests of employees as well as business considered.
Features policy does not have (bad features) - Can be easily implemented and
followed, Concise, clearly written and detailed, Versioned and dated in order,
Reviewed periodically.
Policy 10, the SJR Information Systems Security Policy, is again a very well set out
policy with a variety of good features that make a functioning policy; however,
there is still room for improvements, such as the features I will now recommend.
A good feature for a policy to have is that it can be easily implemented by the staff
at a business or company. If this is not the case, implementing a policy can
become complex and would not solve any problems but create them, as
organisation would be hard if it is not easily implemented, as features of the
policy such as different software and training of staff would cost money and use
up work time. If it was easily implemented, then staff could use the policy easily
and carry on with what is required of the business. If a policy is concise, clearly written
and detailed, then the chances of it working correctly increase. If a policy is not
understandable and hard to recognise what is being asked of the policy, it will be
extremely hard for staff at a company to abide by its rules and carry out what it
is saying. This would cause problems as the ones who understand what is being
asked such as senior management would struggle to keep people in line with the
policy as they cannot understand what they must do; this wastes business time
and could cause a stoppage in work. If a policy is understandable, then it will
be effective in achieving what the policy wishes to do. Whether a policy is understandable
or not can be the difference in whether it is effective. A policy can suffer if it is not
versioned and dated for many reasons, the biggest being that if an out-of-date
policy is used it can cause disaster in a business. If terms of a policy have been
changed and updated, but records of the old policy are kept, dating and
versioning is vital. If different copies of the policy are being used in different
areas of the company, then in the event of a breach, major problems could occur, such as
contradicting action being taken, causing chaos and creating further
problems. If policies are dated, then this would not occur as the correct and up-to-date
version would be in use across the company and its staff members. If a policy is
not reviewed periodically then problems can occur. If changes in national law
occur or the environment in which employees work changes, then
changes must be made to the policy; these changes would be made when the policy
is reviewed at the end of the month or year. If a review does not take place, this
can cause problems such as a bad working environment or unnecessary action
against offenders of an old policy. A review would allow the senior management
to see if there are any problems with the policy and correct those, meaning the
working environment would not be negatively affected.
Policy 11
Features policy does have (good features) - Identifies roles and responsibilities in
ensuring security, Can be easily implemented and followed, Concise, clearly
written and detailed, Structured so that pertinent information can be found
easily, Versioned and dated in order, Enforceable with sanctions, Action against
non-compliance stated, Interests of employees as well as business considered.
Features policy does not have (bad features) - States what corrective action to be
taken after a breach, States people to notify after a breach, Endorsed by senior
management or a review committee, National Laws considered, Reviewed
periodically.
The Student IT User Agreement has a balance of good and bad features; it
does have a collection of decent features but still needs a few more features,
such as these I will recommend, to become an effective policy. The feature of
stating what corrective action is to be taken after a breach would benefit a policy
quite positively. The policy would tell whoever reads it, such as employees or
managers, what action is to be taken in the event of something or someone
disobeying or going against what is said in the policy. If a policy does not have
this and something does happen that breaches the policy, then the company
would have to think up ways in which to correct the action, meaning that the
reaction to the breach would be slow and unorganised, possibly leading to
further trouble. If the policy states what action to take, then employees can
simply read off the policy and carry out what action is required to correct the
breach, returning the company/business to its normal functions. A feature that
would benefit the policy is if it stated who to notify in the event of a breach. If a
breach occurs and the people who need to know are not notified, then this would
cause massive problems as a solution to the breach would not be achieved as
the people who would have the solutions to this breach would not know of the
breach. If the policy stated who to notify, then whoever causes or notices the
breach can tell the correct people in the company and action would be taken
quickly to resolve the problem. If a policy is endorsed by a senior management
team or a review committee, then the chances of it being successful significantly
increase. If something goes wrong with the policy and it is not effective anymore,
then staff would face a lot of trouble explaining what has happened and why the
policy went wrong. If the policy is checked over and approved by senior
management or a committee that reviews policies, then it should in theory work
and would not cause any trouble at the business, thus improving the
effectiveness of the business at completing work and solving breaches of policy.
An important aspect of good policies is that they consider national laws in their
requirements, especially in I.T areas. If a policy does not consider laws when
setting requirements, this can cause massive legal issues, such as human rights
issues, if caught out by the police. This could result in the closure of a company
if serious enough. This is why a company needs to check through a
policy to see if national laws are considered and to check laws and compare
them to the policy. This is usually the job of senior management and ties in with
the requirement of endorsement from senior management. If a policy is not
reviewed periodically then problems can occur. If changes in national law occur
or the environment in which employees work changes, then changes
must be made to the policy; these changes would be made when the policy is
reviewed at the end of the month or year. If a review does not take place, this
can cause problems such as a bad working environment or unnecessary action
against offenders of an old policy. A review would allow the senior management
to see if there are any problems with the policy and correct those, meaning the
working environment would not be negatively affected.