Information Security Policy

Associate Level Material

Appendix B

Information Security Policy

Student Name: Enter Your Name Here

University of Phoenix

IT/244 Intro to IT Security

Instructor’s Name: Enter Your Instructor's Name Here

Date: Enter the date here

IT/244 Intro to IT Security Page 1

Table of Contents

1.Executive Summary

2.Introduction

3.Disaster Recovery Plan

3.1.Key elements of the Disaster Recovery Plan

3.2.Disaster Recovery Test Plan

4.Physical Security Policy

4.1.Security of the facilities

4.1.1.Physical entry controls

4.1.2.Security offices, rooms and facilities

4.1.3.Isolated delivery and loading areas

4.2.Security of the information systems

4.2.1.Workplace protection

4.2.2.Unused ports and cabling

4.2.3.Network/server equipment

4.2.4.Equipment maintenance

4.2.5.Security of laptops/roaming equipment

5.Access Control Policy

6.Network Security Policy

7.References

1.Executive Summary

Due in Week Nine: Write 3 to 4 paragraphs giving a bottom-line summary of the specific measurable goals and objectives of the security plan, which can be implemented to define optimal security architecture for the selected business scenario.

Destructive acts using computer networks have cost billions of dollars and increasingly threaten the resources of network-connected critical infrastructures. Threats to network infrastructures are potentially extensive not only as their value increases in terms of the infrastructures themselves, the value of hosted services, and the value of what is located on them, but also because of their widespread and low-cost access. These infrastructures of cyberspace are vulnerable due to three kinds of failure: complexity, accident, and hostile intent. However, we lack a comprehensive understanding of these vulnerabilities—largely because of the extraordinary complexities of many of the problems, and perhaps from too little effort to acquire this understanding. But there is ample evidence that vulnerabilities are there: examples of all three kinds of failure abound, and vulnerabilities are found almost every time people seriously look for them.

Within this vast, complex cyberspace system, it is so simple to connect that users of today’s systems require few skills and little understanding of the underpinnings. Thus, we require not only technical protections but also an awareness and alertness on the part of all users to the dangers inherent in the use of any system connected to a network. Attacks so far have been limited. However, many believe that it is only a matter of time before prolonged, multifaceted, coordinated attacks are going to find those network vulnerabilities and exploit them to produce serious consequences. Prudence dictates better protection against accidents and attacks before things get much worse. All realizations of “visions of the information society” are going to be severely limited if the people in that society do not trust or feel secure with the underlying infrastructures.

Alertness to the dangers requires protections that can stay abreast of changing attack modes. An essential part of a defense strategy is continual network monitoring and innovation in monitoring techniques to minimize the potential for damage from the actions of cybercriminals. However, there are multiple stages of defense and a cycle of understanding, which is a complex system in itself. The overlapping stages of prevention and/or thwarting an attack, incident management, reconstituting after an attack, and improving defender performance by analysis and redesign are essential to understanding the elements of each network intrusion attempt. Invariably, gaining this understanding involves some ability to trace the route of attack to the source so that the attacker can be identified. International cooperation can help to bring about success in this effort, in situations where it would be impossible otherwise.

Faced with the possibility of disruption of critical infrastructures in ways that could have serious consequences, governments should be expected to implement prudent defense plans. Each country should first identify those infrastructures and their interdependencies that are critical to its survival and to its social and economic well-being. Planning for specific defenses of these identified infrastructures may usefully include both passive and active defense forms.

2.Introduction

Due in Week One: Give an overview of the company and the security goals to be achieved.

2.1.Company overview

As relates to your selected scenario, give a brief 100- to 200-word overview of the company.

I have chosen Sunica Music and Movies. It is a multimedia chain that has four locations. The issue that Sunica has encountered is that the four stores operate as separate entities and are in need of an improvement in communication. The four stores are not able to coordinate orders and inventory. Due to the lack of an internet base, Sunica’s sales, profit, and customer base have suffered. To achieve an improvement in business productivity, Sunica will need to install web servers in the corporate office located in their data center. These will enable the stores to connect to other sectors of the business, such as inventory and accounting, and to update data in real time so that sales associates may relay current information to customers.

2.2.Security policy overview

Of the different types of security policies—program-level, program-framework, issue-specific, and system-specific—briefly cover which type is appropriate to your selected business scenario and why.

Sunica should utilize a program-framework and system-specific policy to ensure the system structure has what the company needs in its entirety. A system-specific policy would help ensure that all employees and management comply with the policies.

2.3.Security policy goals

As applies to your selected scenario, explain how the confidentiality, integrity, and availability principles of information security will be addressed by the information security policy.

2.3.1.Confidentiality

Briefly explain how the policy will protect information.

User authentication would assist in the confidentiality aspect of security. The company should implement passwords and deploy tools such as virtual networking.

2.3.2.Integrity

Give a brief overview of how the policy will provide rules for authentication and verification. Include a description of formal methods and system transactions.

Since the company will be utilizing authentication and passwords, the network will not be accessible to the public. The company could also create a data log to keep a record of which employee is using their password to sign in, view, or modify information.

2.3.3.Availability

Briefly describe how the policy will address system back-up and recovery, access control, and quality of service.

Sunica should put in place a type of disaster plan in the event their company suffers from an emergency. If they employ a disaster plan, the company can back up and log vital company information such as financials.

3.Disaster Recovery Plan

Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery Plan to be used in case of a disaster and the plan for testing the DRP.

3.1.Risk Assessment

3.1.1.Critical business processes

List the mission-critical business systems and services that must be protected by the DRP.

No business wants to face the horror of a disaster, be it from Mother Nature, external threats, or other catastrophes, but with a well-crafted disaster recovery plan, the firm may sustain minimal damage. In preparing for disaster, the planning committee should prepare a risk analysis to determine the potential consequences and impact of several disaster scenarios. The critical needs of each department within Sunica Music and Movies will include functional operations, key personnel, information, processing systems, service, documentation, vital records, and policies and procedures. Processing and operations should be analyzed to determine the maximum amount of time that the department and organization can operate without each critical system.

3.1.2.Internal, external, and environmental risks

Briefly discuss the internal, external, and environmental risks, which might be likely to affect the business and result in loss of the facility, loss of life, or loss of assets. Threats could include weather, fire or chemical, earth movement, structural failure, energy, biological, or human.

There are many potential threats that may be likely to affect the functioning of Sunica Music and Movies. These risks may be internal, external, and environmental. For example, there are natural events that can be devastating for any company. These may include things such as earthquakes, fires, floods, mudslides, and the like. Even more unlikely events such as power outages secondary to solar flares are a potential concern. Furthermore, there are unfortunately multiple situations that may be man-made rather than caused by Mother Nature. These include things such as strikes, work stoppages, sabotage, burglary, or any type of hostile activity.

3.2.Disaster Recovery Strategy

Of the strategies of shared-site agreements, alternate sites, hot sites, cold sites, and warm sites, identify which of these recovery strategies is most appropriate for your selected scenario and why.

Considering that Sunica Music and Movies (SMM) is now using a WAN system to coordinate its business processes, an appropriate disaster recovery plan will include having an alternate site to step in, in the event of an emergency. This will include an outside vendor who will provide backup services in the event that the programs at SMM fail for one reason or another. In the interest of financial feasibility, SMM should contract for a warm site to step in if the home networks are compromised.

3.3.Disaster Recovery Test Plan

For each testing method listed, briefly describe each method and your rationale for why it will or will not be included in your DRP test plan.

3.3.1.Walk-throughs

An initial test of the plan should be performed by conducting a structured walk-through test. The test will provide additional information regarding any further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments (Wold, 1992). The plan should be updated to correct any problems identified during the test. Initially, testing of the plan should be done in sections and after normal business hours to minimize disruptions to the overall operations of the organization. This is an excellent option to include in SMM's disaster recovery plan (DRP).

3.3.2.Simulations

This is a situation where a mockup is created to closely simulate an attack or other danger (Merkow, 2006). This will mimic the response to an emergency as closely as possible. This would also be an excellent option to include in SMM's DRP.

3.3.3.Checklists

In this situation, the members of SMM review a list of their responsibilities during an emergency. This is also a great resource for SMM in the beginning stages of testing their DRP.

3.3.4.Parallel testing

In this situation, both the current systems at SMM and the systems at the warm site will operate at the same time. This provides a comprehensive test of the backup system's ability to handle the data coming through the standard site at SMM. This should be integrated into SMM's DRP to confirm the competence of the system.

3.3.5.Full interruption

In this test, the systems at SMM are shut down completely. This scary but necessary evaluation is used to clarify the usefulness and appropriateness of the backup system. If the backup system does not work, SMM can take the necessary precautions in a situation hopefully less painful than a true disaster. Again, this is a helpful test to include in SMM's DRP.

4.Physical Security Policy

Due in Week Five: Outline the Physical Security Policy. Merkow and Breithaupt (2006) state, “an often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure” (p. 165).

Describe the policies for securing the facilities and the policies of securing the information systems. Outline the controls needed for each category as relates to your selected scenario.

These controls may include the following:

  • Physical controls (such as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas)
  • Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics)
  • Environmental or life-safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)

4.1.Security of the building facilities

4.1.1.Physical entry controls

An often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that in order to protect logical systems, the hardware running them must be physically secure. If you can’t physically protect your hardware, you can’t protect the programs and data running on your hardware!

For this question, physical security deals with who has access to buildings, computer rooms, and the devices within them. Controlling physical security involves protecting sites from natural and man-made physical threats through proper location and by developing and implementing plans that secure devices from unauthorized physical contact. The level of physical security is typically proportional to the value of the property that is being protected. For a firm such as Sunica Music and Movies (SMM), challenges related to physical security lie in the need to make it simple for people who actually belong in the building to get in and get around but make it difficult for those who do not belong to enter and navigate. Thus, physical security, like many other areas of security, is a careful balancing act that requires trusted people, effective processes that reduce the likelihood of harm from inadvertent and deliberate acts, and appropriate technology to maintain vigilance. The optimal devices for SMM include the use of perimeter security controls as well as badges for all personnel that need to be displayed at all times. The workplace at SMM may be separated into functional areas so that only the desired workers have access to a given area at one time.

4.1.2.Security offices, rooms and facilities

The physical security of the facilities needs to be handled by a small private security force. The security force will have the use of security offices, for the administration of the site's physical security through a site security supervisor. The security force will also have rooms to house the supplies needed for the application of the security of the facilities such as video monitoring and recording equipment, and other miscellaneous monitoring equipment.

4.1.3.Isolated delivery and loading areas

Keeping areas of common access or frequent unsecured access separate from secured areas is a requirement for the continued security of the facilities. By keeping the loading and delivery areas separate and isolated from the secured areas of the facility, the integrity of the facilities' security can be assured.

4.2.Security of the information systems

4.2.1.Workplace protection

In work locations with high traffic, like SMM, audit trails allow examiners to trace or follow the history of a transaction through the institution. Bank auditors or examiners, for example, are able to determine when information was added, changed, or deleted within a system with the purpose of understanding how an irregularity occurred and hopefully how to correct it. The immediate goal is to detect the problem in order to prevent similar problems in the future.

4.2.2.Unused ports and cabling

All unused ports must be secured at all times, and if a port is used for transient purposes, such as when a sales or executive employee visits a facility, then provisions must be made by, and notice given to, the information security department. Unused ports that are needed for future expansion plans must be temporarily disconnected until needed.

4.2.3.Network/server equipment

All network and server equipment must be kept in a secure, limited access room or closet to ensure the physical security of the equipment from vandalism or theft. Server equipment needs to be kept in locked, climate-controlled rooms and be locked in a way that limits access only to employees with the need to have access to the equipment. Network equipment, such as hubs and routers, should be secured in closets to prevent tampering and access except by authorized employees.

4.2.4.Equipment maintenance

Computers are particularly sensitive to the smallest fluctuations in temperature and humidity. We frequently take the HVAC environmental controls for granted, but the IT manager or the person or persons responsible for these systems should know exactly what to do and whom to contact in the event of failure. Routine maintenance of critical infrastructure systems should prevent any significant failure of HVAC systems in the event of an emergency.

4.2.5.Security of laptops/roaming equipment