Information Security Audit and Assurance - Case Study Example

Task one: Security Policy for KD 2.14 Laboratory Introduction In the ever changing society, the need for comprehensive security measures can not be overstated. The continued emergence of various security related challenges in the recent past has not made things any better. Most notably, information security has grown to become one of the world’s greatest assets since it might make the difference between failure and success. To say that there is an urgent need by organisations to come up with comprehensive security policies would be an understatement. Hence, this document is a security policy for KD 2.14 laboratory of the University of East London. In particular this security policy is coded as UEL-KD 2.14/ 17/2009: 5. Authority of the Policy The source of this security policy is the University Vice-Chancellor - Academic Affairs. Its implementation on the other hand shall be overseen by the computer department. Intent Statement/Policy Statement The primary and broad intent of this policy is to make sure that all the information systems which are installed by KD 2.14 Laboratory are maintained. In particular, this security policy seeks to enable the laboratory to maintain appropriate security levels. At the same time, this security policy seeks to remove any limitations on the ability of the various users of KD 2.14 Laboratory as well as support its employees to effectively perform their work or duties. In this regard, the main function of this security policy is to be defined in terms of the following objectives. To define authorised persons who may access KD 2.14 university laboratory equipment To define how to control access to equipment in the laboratory during the hours of operations. To define the types of materials allowed into the laboratory. To define how to protect data travelling through the and from the laboratory. To define the location or place that all the equipment in the laboratory are to be kept To define the appropriate time for the non-staff to access the laboratory. Applicability/Scope of the policy In principle, this policy applies to the following persons and cases Both full-time and short-term employees of the university attached to the laboratory. Any IP Network within the university across which data from the laboratory travels. All the personnel managing these networks and their associated equipment Data that is in transit over any of the university network to the laboratory. Definitions and Classification in Context With particular reference to the university classification criteria, all the laboratory users shall be classified as level 1 (regular students), level 2 (P-3 and below) and level 3(P-4 and above). This university standard model for classification is contained in the University Human Resource Management Framework. On the other hand, all the equipment within the university is classified in accordance to the guidelines issued by the Executive security officer. User Classifications Every user of KD 2.14 laboratory is deemed to be regular until the time when such status shall be defined or changed explicitly. In the event of a new employee joining the KD 2.14 Laboratory team, a written request is to be made by the team leader to the laboratory manager within 48 hours for an employee access clearance. All the new employees to this laboratory shall only be cleared for KD 2.14 level 3 unless stated otherwise based on a valid justification. All the university students; both graduate and undergraduate shall be cleared to use the laboratory under level 1. Time of Use The time of access and use of KD 2.14 laboratory by both students and staff shall be based on the university office operations policy. In this regard, access to and use of this laboratory is restricted to half past 8 in the morning to 5.30 pm as it is stipulated in the office hour operations policy. Controls All the computers within the laboratory must be protected using the preventive control devices. In a nutshell, all the computers must be protected using updated anti-virus, firewalls and authentication through the use of password. In order to ensure for effectiveness of these controls, it is mandatory for them to be changed and updated after every two months. These preventive controls shall be supplemented by detective controls. In particular, the following detective controls shall be used namely; Clearance level IDs, motoring and logging as well as information security audit. Exceptions/Privileged Accounts It is imperative to note that exceptions to the regulations put forward in this policy shall be kept to the minimum as far as possible. The said access and use privileges shall strictly be considered on the need-to-use basis. In this regard, these privileges are only applicable to university staffs that are defined to be in job level P-4 in tandem with the university employment scale. With regard to students, this privilege shall be restricted to those who have special access identification cards. Furthermore, authorisation to access the laboratory under this category shall have to be processed within 48 hours prior to the date of actual use of the laboratory. Of importance to note that the use of group identification cards is restricted to extremely very special cases. Equipment Classification All the computing equipment shall be categorised based on the criteria given by the University security Officer. Classification for all the KD 2.14 laboratory computing equipment shall therefore be as follows; 1. All user workstations, cameras, servers are classified as laboratory only. 2. All the equipment used for data transfer to and from the laboratory are classified as shared. 3. All the equipment designated as backbone are also classified as shared. The said equipment includes; switches, cameras, and conditioner among others. All the laboratory equipment must be classified and the record maintained by both the laboratory manager and university security officer. Data Classification It should be noted that all the users of KD 2.14 laboratory, having been provided with legitimate access; with reasonable justification is allowed to change the type of data within this laboratory. However, the user may only change the type of data upon sufficient or justifiable reason. Hence, KD 2.14 laboratory users shall be held responsible for such changes to the classification of information. With this in mind, the information within this laboratory shall be classified according to the following criteria; KD 2.14 Business information is categorised as company only information or data. This information comprises of financial documents, memos, planning documents and notices among others. KD 2.14 user information or data shall be classified as company only data. KD 2.14 Laboratory data management information data is categorised as confidential. This information includes passwords, IP addresses, and configuration files among others. KD 2.14 Laboratory employee management record is classified as confidential, and includes information such as employment contracts, disciplinary management or actions and salary information. All the published information within the laboratory in the form of pamphlets, quarterly review journals, reports and magazines is classified as shared. E-Mail correspondence between employees of KD 2.14 laboratory is classified as KD 2.14 only. E-mail and any other form of correspondence between employees of KD 2.14, and other university staff or the wider public is designated to be unclassified. Alterations to any data within the laboratory are prohibited to the users unless it is extremely justified to do so. Hence, users shall be required to seek express authority from the staff in the event that it is deemed to be absolutely necessary to cause such alterations. Classification of Materials/Substances The only substances or materials allowed into the laboratory are academic materials. Academic materials in this context are limited to the laptop, writing and reading materials. The use of laptop within KD 2.14 laboratory is subject to appropriate scrutiny and inspection by the laboratory staff on duty. In addition, the use of external storage devices such as CDs and USBs is limited to further verification from the laboratory staff. Responsibilities: 1. All users of KD 2.14 laboratory are charged with the following responsibilities; To know the laboratory access clearance level. Furthermore, it is the responsibility of every user of KD 2.14 laboratory to know the rights as well as the limitations attached to his/her respective access clearance level. To correctly classify the type of data he/she might be working on at any given time. To understand all the necessary restrictions that might be attached to the type of data she/he might be working on. To ensure that all the equipments within the laboratory are properly functioning in addition to be correctly classified. To ensure for the protection of any data that she or he might be working on while in the laboratory. To know the appropriate time to access the laboratory. 2. The University Security officer is charged with the following responsibilities To approve all the equipment classifications in relation to the laboratory. To keep an updated list of such classifications. To determine the overall type of security protection for all the data both within and without the laboratory in addition to that in transit to and from KD 2.14 laboratory. To ensure security of KD 2.14 laboratory and its assets. 3. It is the responsibility and duty of all the employees of KD 2.14 Laboratory to see to it that this security policy is adhered to the strictly. To add to that, all the employees are tasked with the responsibility of reporting any security breach-related incidences to the laboratory manager through their respective team leaders. Compliance 1. Any KD 2.14 laboratory user found to be accessing equipment, physical location or data without sufficient clearance shall face disciplinary action, civil or criminal prosecution; or dismissal. 2. Any user of this laboratory who shall knowingly allow access by someone not authorised as such to access data, equipment or physical location shall face disciplinary action, civil or criminal prosecution or dismissal. 3. Any user found to be transmitting data while in the laboratory but however without appropriate protection shall face dismissal, disciplinary action or civil or criminal prosecution. 4. Any person found to have brought equipment; substances or materials not authorised shall face disciplinary action, dismissal, civil or criminal prosecution. Any of the aforementioned violations should be reported by the staff on duty through his or her respective team leader as soon as possible. This procedure also applies to the reporting of any security breach, emergencies or other incidents. Updating schedule and Revisions Subject to its implementation two months from now, this policy document shall be designated as living policy. Against this backdrop, subsequent revisions on this policy documents shall be made by the Dean of this faculty in consultation with the Vice-Chancellor and the laboratory manager. The schedule for such revisions has been designated to be after every 12 months. By so doing, this shall enable KD 2.14 management to respond to the emerging challenges. During these revisions or updates, inputs in form of recommendations shall be sought from all the employees of KD 2.14 laboratory. Such views shall be limited to security related challenges and feasible strategies of overcoming them. Contact information For any additional information concerning this security policy, it is imperative to contact the Dean of the Faculty and the Vice-Chancellor - Academic Affairs Read More