1. Would you say this is primarily an organizational policy, issue policy, a system-specific policy or “none of these”? Why? If you chose “none of these” then how would you describe this policy – is it even really a security policy as described in the text? Is it designed to cover regulatory or marketing requirements rather than a security governance document? Does it describe the organization’s security practices or does it advise the users how to securely use the site?
2. If you were to split off a part of this document as an independent document, which section would you chose and why?
3. Who do you think is the intended audience for this document? How does this intended audience affect that nature and scope of this document?
I encourage you to comment on other students’ posts, though this is not required for credit.
University of Southern California http://policy.usc.edu/info-security/ (Links to an external site.)