
Question

The final assignment for this course is a Final Paper. The purpose of the Final Paper is for you to culminate the learning achieved in the course. The Final Paper represents 32% of the overall course grade.

Focus of the Final Paper

Assume you are an Information Technology Director for a small, growing firm and are tasked with developing an electronic resource security policy to deploy within your organization. The policy needs to protect the organization’s valuable electronic assets, but be flexible enough to accommodate employees as they go about executing their jobs and getting business done. It also needs to address communication and data security aspects such as remote data access, smartphone access, and internal electronic communications such as IM (instant messaging) and email. (Note that a policy is different from a plan. Be sure you address primarily the policy aspects of this task.)

In a minimum five-page APA formatted paper (excluding title and reference pages), using the lecture, supplemental resources, and your own research, discuss the following elements.

a. Discuss the differences between ‘implementation’ and ‘policy’, and describe the importance of their separation.
b. Using information from the course, including the lectures and weekly reading, develop an outline of your security policy which addresses the areas identified in the prompt. Be as specific as possible.
c. Compare the policy differences between users who work remotely or use wireless hotspots to users who work on site in a traditional office environment.
d. Discuss how you would implement your security policy within the organization, including how employees would be apprised of the new policies. Be sure to explain which elements are critical for a successful implementation of your policy.
e. Include a minimum of five sources, one of which may be the textbook. Of these sources, three must be from the Ashford Library or from IT industry standard periodicals.

Explanation / Answer

01. Overview

The purpose of this paper is to outline the strategies and managing processes behind implementing a successful Security Policy. Additionally, I will give recommendations for the creation of a Security Awareness Program, where the main objective will be to provide staff members with a better, if not much improved, understanding of the issues stated in a security policy. We will also be focusing on significantly reducing the integration period of the security policy, by way of proper explanation of all of the items pointed out in a formal security policy document.

02. Scope

This paper is by no means intended to be a complete reference on the process of building a security policy or the development of a security awareness course. Instead, it was created with the idea of providing the reader with a reliable source of advice, various recommendations and useful tips gathered from my personal experiences while building and developing security policies, as well as conducting security awareness courses. This document will also provide you with a sample security newsletter, best practices concerning various information security threats, as well as discuss in detail some of the most common security problems which companies are facing every day (concentrating specifically on security problems somehow endangering the continuity and the proper functionality of the institution).

03. Introduction

Information security has come to play an extremely vital role in today's fast-moving, but invariably technically fragile, business environment. Consequently, secured communications are needed in order for both companies and customers to benefit from the advancements that the Internet is empowering us with. The importance of this fact needs to be clearly highlighted so that adequate measures will be implemented, not only enhancing the company's daily business procedures and transactions, but also ensuring that the much-needed security measures are implemented with an acceptable level of security competency. It is sad to see that the possibility of having your company's data exposed to a malicious attacker is constantly increasing nowadays due to the high number of "security illiterate" staff also having access to sensitive, and sometimes even secret, business information. Just imagine the security implications of someone in charge of sensitive company data browsing the Internet insecurely through the company's network, receiving suspicious e-mails containing various destructive attachments, and let's not forget the significant threats posed by the constant use of any Instant Messaging (IM) or chat applications.

04. Why Have A Security Policy

As building a good security policy provides the foundations for the successful implementation of security-related projects in the future, this is without a doubt the first measure that must be taken to reduce the risk of unacceptable use of any of the company's information resources. The first step towards enhancing a company's security is the introduction of a precise yet enforceable security policy, informing staff on the various aspects of their responsibilities and the general use of company resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of acceptable use, as well as listing prohibited activities. The development (and the proper implementation) of a security policy is highly beneficial as it will not only turn all of your staff into participants in the company's effort to secure its communications but also help reduce the risk of a potential security breach through "human-factor" mistakes. These are usually issues such as revealing information to unknown (or unauthorised) sources, the insecure or improper use of the Internet and many other dangerous activities. Additionally, the building process of a security policy will also help define a company's critical assets and the ways they must be protected, and will also serve as a centralised document as far as protecting Information Security Assets is concerned.

05. What Is A Security Policy

The security policy is basically a plan, outlining what the company's critical assets are, and how they must (and can) be protected. Its main purpose is to provide staff with a brief overview of the "acceptable use" of any of the Information Assets, as well as to explain what is deemed as allowable and what is not, thus engaging them in securing the company's critical systems. The document acts as a "must read" source of information for everyone using in any way systems and resources defined as potential targets. A good and well-developed security policy should address some of the following elements:

- How sensitive information must be handled
- How to properly maintain your ID(s) and password(s), as well as any other accounting data
- How to respond to a potential security incident, intrusion attempt, etc.
- How to use workstations and Internet connectivity in a secure manner
- How to properly use the corporate e-mail system

Basically, the main reasons behind the creation of a security policy are to set a company's information security foundations, to explain to staff how they are responsible for the protection of the information resources, and to highlight the importance of having secured communications while doing business online.

06. Getting Started

The purpose of this section is to provide you with possible strategies and some recommendations for the process of creating a security policy, and to give you a basic plan of approach while building the policy framework. The start procedure for building a security policy requires a complete exploration of the company network, as well as every other critical asset, so that the appropriate measures can be effectively implemented. Everything starts with identifying the company's critical informational resources, a subject that is discussed in depth in the next section of the paper.

07. Risk Analysis (Identifying The Assets)

As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality -- an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and, most importantly, HOW you are going to protect it. In order to be able to conduct a successful Risk Analysis, you need to get well acquainted with the ways a company operates; if applicable, the ways of working and certain business procedures, which information resources are more important than others (prioritising), and identifying the devices / procedures that could lead to a possible security problem.

List everything that is essential for the proper functionality of the business processes, like key applications and systems, application servers, web servers, database servers, various business plans, projects in development, etc. A basic approach would be:

- Identify what you're trying to protect
- Look at whom you're trying to protect it from
- Define what the potential risks are to any of your Information Assets
- Consider monitoring the process continually in order to be up to date with the latest security weaknesses

A possible list of categories to look at would be:

- Hardware: All servers, workstations, personal computers, laptops, removable media (CDs, floppies, tapes, etc.), communication lines, etc.
- Software: Identify the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, etc. Also take into account the potential issues with staff installing various file sharing apps (Kazaa, Sharereactor, E-Donkey, etc.), IM (chat) software, entertainment or freeware software coming from unknown and untrustworthy sources.
- Personnel: Those who have access to confidential information, sensitive data, those who "own", administer or in any way modify existing databases.

08. Risk Management (Identifying The Threats)

Based on the research conducted on the company's information assets, you should now be able to properly manage all the threats posed by each of your resources. The purpose of this section is to guide you through the creation of a list outlining various potential threats, something that should also be included in the formal security policy. Each of the following elements will be discussed in depth later in the Security Awareness Program section, thus providing the staff members with a better understanding of each of the topics covered below.

Physical/Desktop Security

- System Access: best practices for password creation, password aging, minimum password length, characters to be included while choosing passwords, password maintenance, tips for safeguarding (any) accounting data; the dangers of each of these issues must be explained in the security awareness program.
- Virus Protection: best practices for malicious code protection, how often the system should be scanned, how often, if not automatically, Live Update of the software database should be done, tips for protection against (any) malicious code (viruses/trojans/worms).
- Software Installation: is freeware software forbidden; if allowed, under what conditions; how is software piracy tolerated; are entertainment/games allowed or completely prohibited, as well as the installation of any other program coming from unknown and untrustworthy sources.
- Removable Media (CDs, floppies): "Acceptable Use" measures (perhaps by way of an AUP - Acceptable Use Policy) need to be established; the dangers of potential malicious code entering the company network or any other critical system need to be explained as well.
- Encryption: explain when, how and who must encrypt any of the company's data.
- System Backups: the advantage of having backups needs to be explained; who is responsible, and how often should the data be backed up.
- Maintenance: the risks of a potential physical security breach need to be briefly explained.
- Incident Handling: define what a suspicious event is, to whom it needs to be reported, and what further steps need to be taken.

Internet Threats

- Web Browsing: define what constitutes restricted, forbidden and potentially malicious web sites; provide staff members with brief, well-summarised tips for safer browsing; additionally, let them know that their Internet usage is strictly monitored in order to protect the company's internal systems.
- E-mail Use: define the "acceptable use" criteria of the e-mail system, what is allowed and what is not, the company policy on using the mail system for personal messages, etc. Also briefly explain the potential threats posed by (abusing) the mail system and the potential problems as far as spreading malicious code is concerned.
- Instant Messaging (IM) Software (ICQ, AIM, MSN, etc.): whether it is allowed or completely forbidden; provide them with short examples of how an attacker might use these programs to penetrate and steal/corrupt/modify company data.
- Downloading/Attachments: is downloading allowed or not; useful tips for safer downloading; explanation of trusted and untrustworthy sources; best practices for mail attachments if allowed; discussion of potential threats and dangers; use of virus scanners, etc.

These elements will later be covered in detail in a Security Awareness Program. Staff need to understand why some activities are prohibited, what impact certain dangers can have on the company, and the actions they must follow if and when a potential security problem has been suspected or discovered. By involving staff in a Security Awareness Program, staff will not just broaden their knowledge of the information security field, but also learn how to act in a secure manner while using any of the company's information assets.

09. Security Policy Violation

In order to realise the importance of a security policy, staff need to be aware of and fully understand the consequences of violating the policy, thereby exposing critical systems to a malicious attacker, or causing unintended damage to other companies worldwide. Violations should be handled accordingly; those who in one way or the other violate the security policy should be made aware that they may face being put through a "trial period", which also involves the limited use of some of the company information assets until they can show they are able to act in a secure manner while using the corporate systems. They should also be aware that in some (severe) cases they may also risk being fired or even prosecuted. Whereas this may seem like overkill to some, appropriate action needs to be taken in every violation case in accordance with the terms of the AUP and the policy, with the focus on reiterating the security basics and not on punishment. Otherwise there will most likely be a successful penetration, either due to human error, or misunderstanding of the policy.

10. Revising The Security Policy

The purpose of this section is to guide you through the process of revising your security policy, as well as to ensure its effectiveness by closely reviewing several critical factors for its lasting success.

Let us assume you have already created (or revised) the security policy, and it looks perfect to you; but how does it look to staff members? Do they understand each of the terms, devices or applications mentioned? How clear and precise is your policy; is it maybe a little too detailed, or so precise that people lose sight of what it is trying to convey? Or is it just the opposite, missing the point entirely and/or not covering any of the important issues? These are some of the critical factors that will be explored below. In order to reduce the chance of any misunderstanding, your security policy needs to fully outline the responsibilities of each and every one of your staff members. It should clearly state what needs to be protected, how the staff should protect it, and most importantly why it needs to be protected; that way they will be able to understand the importance and distinguish between critical and less critical information assets. The policy needs to be clear, concise and approximately two pages. Don't turn your security policy into a complete security awareness course; each of the elements contained in it should be discussed in the Security Awareness Program, not in the Policy. Define the purpose of the security policy from the very beginning; does it apply to the information assets of the whole company, or is it just created to cover a particular division or department? It is a good idea to provide users with a better understanding of how important information security is to the company, pointing out why there is no such thing as 100% security, but that the risks can be tremendously reduced if everyone realises that "security is everyone's responsibility". Each of the assets needs to be precisely described to include, among others, items such as hardware, software, personnel, acceptable Internet use, etc.

If your company has already created a security policy, don't waste valuable time and resources building a new one; just rebuild and update the current one instead, thus saving a lot of research time. You need to frequently monitor and update your security policy, as new threats and technologies appear almost every day. Try to always keep up to date with the latest security problems (and the related remedies) in order to have the information assets of your company protected to a reasonable degree. Your policy must clearly state how the Information Security Office (ISO) can be contacted (if there is one; otherwise, a relevant contact person); staff need to know with whom they should get in touch when they have questions, doubts, or have detected any suspicious activity. You should at least have a (cell)phone and an e-mail address available for this point of contact.

11. The Implementation Of The Policy

When the security policy is all drawn up, revised, updated and agreed upon, the implementation process will follow. This is usually harder than the creation of the policy itself, due to the fact that at this stage you also need to coach and educate your staff to behave in a "secure" manner, following each of the core elements pointed out in the formal security policy. The final version of the security policy must be made available to all of your employees having access to any of your information assets. The policy must be easily obtainable at any time, with a copy placed on the internal network and intranet, if applicable. A proper implementation requires not only educating staff on each of the core elements flagged as critical in the formal Security Policy, but also changing their role in the effort to protect critical company data. The next section will aim to guide you through the creation process of a basic Security Awareness Program, along with various innovative and interesting ways of educating your staff, using user-friendly and informal lines of communication between the Information Security Office (ISO) members and your employees.

12. What Is A Security Awareness Program

The Security Awareness Program can be defined as one of THE key factors for the successful implementation of a company-wide security policy. The main aim is to define and outline the specific role of each of the employees in the effort to secure critical company assets, as well as covering in detail each of the core elements pointed out in the security policy. The program is aimed at generating an increased interest in the Information Security field in an easy-to-understand, yet effective way. The Security Awareness Program is often divided into two parts, one being the 'awareness' section, the other the 'training'. The purpose of awareness is to provide staff with a better understanding of security risks and the importance of security to the daily business procedures of the company. The training part is aimed at covering a lot of potential security problems in detail, as well as introducing a set of easy-to-understand (and follow) rules to reduce the risk of possible problems.

13. The Process Of Developing

This section will provide you with the various strategies for building a solid Security Awareness Program. We will discuss various methods, their advantages and disadvantages, and will also give you a better understanding of the essential steps to building the Program. At the beginning you must answer the following questions for yourself:

- What is the Security Awareness Program supposed to accomplish, and how are you going to draw attention to that?
- Who is your audience, and how "educated" are they; is it going to be necessary to divide the program into two parts, one for those who have more knowledge about computers, and one for those who are not much into computers at all?
- How are you going to reach and motivate your audience? More importantly, how are you going to get your audience interested in improving the Information Assets of the company?
- Is the Program going to rely on a formal or an informal way of communication between you and the staff members? In which way are you going to conduct and present it?

The Purpose Of The Program

First of all, you need to explain to staff what the program will be trying to accomplish, how it will aim to improve the operations of the company, and how vital the protection of Information Assets really is. You will need to explain why "Security is everyone's responsibility", and ensure everybody understands it; explain that even if the company has the latest technological improvements like firewalls, intrusion detection systems, etc., an uneducated staff member could easily endanger sensitive information, and render any technical security measure in place completely and utterly useless. Another common misunderstanding that you will definitely face while conducting the Program is that the majority of people often tend to think that it is not their responsibility to help improve the security of their company. Generally people are of the (wrong) opinion that only the IT department or Information Security Office (ISO) can and need to take care of issues like these, and that is where generally the buck stops.

WindowSecurity.com - Windows Security resource for IT admins. Copyright © 2003 Internet Software Marketing Ltd. All rights reserved.

Addressing The Audience

One major problem that I am sure you are going to be facing is the difference in the levels of computer skills (of your audience), which will sometimes force you to pay additional attention to those who are not that much into computers. On the other hand, you could also choose to differentiate between those who need security education and those who don't; the idea is to separate staff having access to any of the company information assets from those who don't (and can't endanger sensitive data in any way), as this will definitely save you a lot of time and resources. It would be a good approach to hold informal meetings with staff in order to talk on a personal level and also conduct several surveys in order to measure their skill level; this way you will know where to focus your attention.
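The assignment's first element asks for the difference between policy and implementation, and the answer's "System Access" item lists the password rules a policy would state (minimum length, required character classes, password aging). As an added example that is not part of the answer above or of the assignment, the following Python keeps those two things apart: the policy is a plain data record an IT director could publish and revise without touching code, and the checker is the implementation that enforces whatever the record says. Every number and sample account in it is an assumed, constructed value for illustration, not any organisation's real policy.

```python
"""
Added example (not from the original answer or assignment): policy-as-code
with the *policy* (data) kept separate from its *implementation* (code).
All thresholds and sample records are assumed, illustrative values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """The published policy: what the organisation requires, with no enforcement logic."""
    min_length: int = 12          # assumed value
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90        # assumed value; password aging threshold


# Two policy records for the same checker: the implementation does not change
# when the policy is tightened, only the data does (assumed values).
LEGACY_POLICY = PasswordPolicy(min_length=6, require_symbol=False, max_age_days=365)
CURRENT_POLICY = PasswordPolicy()


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Implementation: return the policy rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    checks = [
        (policy.require_upper, any(c.isupper() for c in password), "no uppercase letter"),
        (policy.require_lower, any(c.islower() for c in password), "no lowercase letter"),
        (policy.require_digit, any(c.isdigit() for c in password), "no digit"),
        (policy.require_symbol, any(c in string.punctuation for c in password), "no symbol"),
    ]
    for required, present, message in checks:
        if required and not present:
            violations.append(message)
    return violations


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """Password aging: True once the password is older than the policy's max_age_days."""
    return today - last_changed > timedelta(days=policy.max_age_days)


def audit_accounts(accounts, today: date, policy: PasswordPolicy) -> list[str]:
    """Run the aging rule over (user, last_changed) records; return users who must reset."""
    return [user for user, last_changed in accounts
            if password_expired(last_changed, today, policy)]


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    sample_accounts = [
        ("alice", date(2024, 1, 1)),
        ("bob", date(2024, 3, 1)),
    ]
    today = date(2024, 4, 1)
    for name, policy in (("legacy", LEGACY_POLICY), ("current", CURRENT_POLICY)):
        print(name, "policy: resets needed for", audit_accounts(sample_accounts, today, policy))
    print("weak candidate:", check_password("short", CURRENT_POLICY))
    print("strong candidate:", check_password("Correct-Horse-Battery9", CURRENT_POLICY))
```

Because the policy is data, a revision of the kind the answer describes (tightening the length or aging rule) is a change to one record, with the enforcement code and its tests left untouched; that is the practical payoff of keeping policy and implementation separate.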
