Information Security Audit and Assurance - Case Study Example

Summary
This paper, Information Security Audit and Assurance, outlines that in the ever-changing society, the need for comprehensive security measures cannot be overstated. The continued emergence of various security-related challenges in the recent past has not made things any better. …
Extract of sample "Information Security Audit and Assurance"

Task one: Security Policy for KD 2.14 Laboratory

Introduction

In the ever-changing society, the need for comprehensive security measures cannot be overstated. The continued emergence of various security-related challenges in the recent past has not made things any better. Most notably, information security has grown to become one of the world's greatest assets, since it might make the difference between failure and success. To say that there is an urgent need for organisations to come up with comprehensive security policies would be an understatement. Hence, this document is a security policy for the KD 2.14 laboratory of the University of East London. In particular, this security policy is coded as UEL-KD 2.14/ 17/2009: 5.

Authority of the Policy

The source of this security policy is the University Vice-Chancellor - Academic Affairs. Its implementation, on the other hand, shall be overseen by the computer department.

Intent Statement/Policy Statement

The primary and broad intent of this policy is to make sure that all the information systems installed by KD 2.14 Laboratory are maintained. In particular, this security policy seeks to enable the laboratory to maintain appropriate security levels. At the same time, it seeks to remove any limitations on the ability of the various users of KD 2.14 Laboratory, as well as its support employees, to perform their work or duties effectively. In this regard, the main function of this security policy is defined in terms of the following objectives:
  • To define the authorised persons who may access KD 2.14 university laboratory equipment.
  • To define how to control access to equipment in the laboratory during the hours of operation.
  • To define the types of materials allowed into the laboratory.
  • To define how to protect data travelling to and from the laboratory.
  • To define the location or place where all the equipment in the laboratory is to be kept.
  • To define the appropriate time for non-staff to access the laboratory.

Applicability/Scope of the Policy

In principle, this policy applies to the following persons and cases:
  • Both full-time and short-term employees of the university attached to the laboratory.
  • Any IP network within the university across which data from the laboratory travels.
  • All the personnel managing these networks and their associated equipment.
  • Data that is in transit over any university network to the laboratory.

Definitions and Classification in Context

With particular reference to the university classification criteria, all laboratory users shall be classified as level 1 (regular students), level 2 (P-3 and below) and level 3 (P-4 and above). This university standard model for classification is contained in the University Human Resource Management Framework. On the other hand, all the equipment within the university is classified in accordance with the guidelines issued by the Executive Security Officer.

User Classifications

Every user of KD 2.14 laboratory is deemed to be regular until such status is explicitly defined or changed. In the event of a new employee joining the KD 2.14 Laboratory team, a written request for employee access clearance is to be made by the team leader to the laboratory manager within 48 hours. All new employees to this laboratory shall only be cleared for KD 2.14 level 3 unless stated otherwise on the basis of a valid justification. All university students, both graduate and undergraduate, shall be cleared to use the laboratory under level 1.

Time of Use

The time of access to and use of KD 2.14 laboratory by both students and staff shall be based on the university office operations policy. In this regard, access to and use of this laboratory is restricted to half past 8 in the morning to 5.30 pm, as stipulated in the office hour operations policy.

Controls

All the computers within the laboratory must be protected using preventive control devices. In a nutshell, all the computers must be protected using updated anti-virus software, firewalls and password authentication. In order to ensure the effectiveness of these controls, it is mandatory for them to be changed and updated every two months. These preventive controls shall be supplemented by detective controls. In particular, the following detective controls shall be used: clearance level IDs, monitoring and logging, and information security audit.

Exceptions/Privileged Accounts

It is imperative to note that exceptions to the regulations put forward in this policy shall be kept to the minimum as far as possible. The said access and use privileges shall strictly be considered on a need-to-use basis. In this regard, these privileges are only applicable to university staff defined to be in job level P-4 on the university employment scale. With regard to students, this privilege shall be restricted to those who have special access identification cards. Furthermore, authorisation to access the laboratory under this category shall have to be processed within 48 hours prior to the date of actual use of the laboratory. It is important to note that the use of group identification cards is restricted to extremely special cases.

Equipment Classification

All computing equipment shall be categorised based on the criteria given by the University Security Officer. Classification for all KD 2.14 laboratory computing equipment shall therefore be as follows:
  1. All user workstations, cameras and servers are classified as laboratory only.
  2. All the equipment used for data transfer to and from the laboratory is classified as shared.
  3. All the equipment designated as backbone is also classified as shared. The said equipment includes switches, cameras and conditioners, among others.
All laboratory equipment must be classified, and the record maintained by both the laboratory manager and the University Security Officer.

Data Classification

It should be noted that all users of KD 2.14 laboratory, having been provided with legitimate access and with reasonable justification, are allowed to change the type of data within this laboratory. However, a user may only change the type of data for a sufficient or justifiable reason. Hence, KD 2.14 laboratory users shall be held responsible for such changes to the classification of information. With this in mind, the information within this laboratory shall be classified according to the following criteria:
  • KD 2.14 business information is categorised as company-only information or data. This information comprises financial documents, memos, planning documents and notices, among others.
  • KD 2.14 user information or data shall be classified as company-only data.
  • KD 2.14 Laboratory data management information is categorised as confidential. This information includes passwords, IP addresses and configuration files, among others.
  • KD 2.14 Laboratory employee management records are classified as confidential, and include information such as employment contracts, disciplinary management or actions, and salary information.
  • All the published information within the laboratory in the form of pamphlets, quarterly review journals, reports and magazines is classified as shared.
  • E-mail correspondence between employees of KD 2.14 laboratory is classified as KD 2.14 only.
  • E-mail and any other form of correspondence between employees of KD 2.14 and other university staff or the wider public is designated as unclassified.
Alterations to any data within the laboratory are prohibited to users unless it is extremely justified to do so. Hence, users shall be required to seek express authority from the staff in the event that it is deemed absolutely necessary to make such alterations.

Classification of Materials/Substances

The only substances or materials allowed into the laboratory are academic materials. Academic materials in this context are limited to laptops and writing and reading materials. The use of a laptop within KD 2.14 laboratory is subject to appropriate scrutiny and inspection by the laboratory staff on duty. In addition, the use of external storage devices such as CDs and USB drives is subject to further verification by the laboratory staff.

Responsibilities

1. All users of KD 2.14 laboratory are charged with the following responsibilities:
  • To know their laboratory access clearance level. Furthermore, it is the responsibility of every user of KD 2.14 laboratory to know the rights as well as the limitations attached to his/her respective access clearance level.
  • To correctly classify the type of data he/she might be working on at any given time.
  • To understand all the necessary restrictions that might be attached to the type of data he/she might be working on.
  • To ensure that all the equipment within the laboratory is properly functioning, in addition to being correctly classified.
  • To ensure the protection of any data that he or she might be working on while in the laboratory.
  • To know the appropriate time to access the laboratory.
2. The University Security Officer is charged with the following responsibilities:
  • To approve all the equipment classifications in relation to the laboratory.
  • To keep an updated list of such classifications.
  • To determine the overall type of security protection for all data both within and outside the laboratory, in addition to that in transit to and from KD 2.14 laboratory.
  • To ensure the security of KD 2.14 laboratory and its assets.
3. It is the responsibility and duty of all employees of KD 2.14 Laboratory to see to it that this security policy is strictly adhered to. In addition, all employees are tasked with the responsibility of reporting any security breach-related incidents to the laboratory manager through their respective team leaders.

Compliance

1. Any KD 2.14 laboratory user found to be accessing equipment, physical locations or data without sufficient clearance shall face disciplinary action, civil or criminal prosecution, or dismissal.
2. Any user of this laboratory who knowingly allows someone not authorised as such to access data, equipment or physical locations shall face disciplinary action, civil or criminal prosecution, or dismissal.
3. Any user found to be transmitting data while in the laboratory without appropriate protection shall face dismissal, disciplinary action, or civil or criminal prosecution.
4. Any person found to have brought unauthorised equipment, substances or materials shall face disciplinary action, dismissal, or civil or criminal prosecution.
Any of the aforementioned violations should be reported by the staff on duty through his or her respective team leader as soon as possible. This procedure also applies to the reporting of any security breach, emergency or other incident.

Updating Schedule and Revisions

Subject to its implementation two months from now, this policy document shall be designated as a living policy. Against this backdrop, subsequent revisions to this policy document shall be made by the Dean of the faculty in consultation with the Vice-Chancellor and the laboratory manager. The schedule for such revisions has been set at every 12 months. This shall enable KD 2.14 management to respond to emerging challenges. During these revisions or updates, input in the form of recommendations shall be sought from all employees of KD 2.14 laboratory. Such views shall be limited to security-related challenges and feasible strategies for overcoming them.

Contact Information

For any additional information concerning this security policy, contact the Dean of the Faculty and the Vice-Chancellor - Academic Affairs.
(Information Security Audit and Assurance Case Study, n.d.)
Information Security Audit and Assurance Case Study. Retrieved from https://studentshare.org/finance-accounting/1730889-information-security-audit-and-assurance
