
Thread: You are a cybersecurity consultant

  1. #1
    Junior Member
    Join Date
    May 2025
    Posts
    2

    You are a cybersecurity consultant

    Assume the role of a cybersecurity consultant. You are tasked with visiting a client to gather information for developing a cybersecurity policy for them. What are the top four interview questions you would ask to collect this information?

    The top four interview questions I would ask to gather the information required to develop a security policy are as follows:

    1. Can you provide a written copy of your organization's mission, vision, and accompanying business strategy or strategies?

    This question is important because it will provide a clear understanding of the organization's objectives and goals: higher-level long-term goals and potentially some insight into more specific goals. Understanding the organization's mission conveys what it continuously aims to accomplish. Knowing an organization's vision provides an overview of its core values and corporate culture, which helps identify the balance between ease of use and acceptable/necessary security controls. An organization's business strategy will clarify more specific goals and/or activities the company employs in realizing its mission.

    2. What types of informational and organizational resources does the company aim to protect, such as proprietary information, systems, people, property, etc.?

    Identifying the answer(s) to this question will provide a comprehensible list of company assets to incorporate into the security policy. It may also help stimulate the interviewee's thought processes surrounding information security, effectively guiding the development and support mechanisms necessary for the success of such a security policy.

    3. Does the organization currently have some form of a security policy or other well-structured organizational policies, such as standards or behaviors, that can be used as a template for maintaining consistency among all company policies?

    This question aims to identify any existing organizational policies that may establish or maintain a standard format for company policies and procedures. Doing so will help communicate clear and consistent corporate expectations and practices.

    4. What level of support can be expected throughout the organization in developing a comprehensive organizational security policy?

    This question may be somewhat ambiguous, but further elaboration will easily clarify the commitment level from senior leadership, management, and company employees, indicating that everyone has been informed of such endeavors and is dedicated to the successful development of a security policy appropriately aligned with the organization's business objectives.

    References
    Michael, W. E., & Herbert, M. J. (2019). Readings and Cases in the Management of Information Security. Reading 2, Linking Business Objectives and Security Directives. Course Technology, Cengage Learning.
    Last edited by Rose554; May 24th, 2025 at 10:14 PM.
