Information security policy - Essay Example

Summary
This current paper will discuss different factors that must be taken in to account when constructing and maintaining an information security policy. The information security policy is customized by company to company and department to department…

Extract of sample "Information security policy"

Introduction

As this is an information age, information now takes the form of digits flowing over electronic computerized networks. Organizations depend on these digital communication channels for transferring and exchanging classified information such as confidential information, mission-critical information and information that is published for the public. As information is the lifeblood of any organization, it is vital to protect it by implementing physical, logical and environmental controls. In the context of protecting information security, three fundamental factors must be considered to make effective use of digitized information: Confidentiality, Integrity and Availability. As this digital information must be protected both internally and externally, a policy is a control that provides the necessary steps, procedures and processes to protect information. Policies are also considered high-level statements derived from the board of the organization. “Information security policy is therefore considered an essential tool for information security management” (Ilvonen 2009). However, an information security policy is customized from company to company and from department to department. Factors that may influence how the policy is tailored include organization size, dependence on information systems, regulatory compliance and the information classification scheme. Addressing all issues related to information security in a single policy is not possible; to cover all aspects of information security, a set of information security policy documents, each focusing on a different group of employees within the organization, is more suitable. This paper will discuss the different factors that must be taken into account when constructing and maintaining an information security policy.

Although many methods are available for constructing an information security policy, the initial step before adopting any one of them is to identify the current maturity level of the policy construction process within the organization. The outcome will be either that no information security policy development process is in place or that an extensive policy development process already exists.

Information Security Mission Statement

Nexor Solutions and Nexor Solutions employees are intrinsically responsible for protecting the physical information assets, confidential data and intellectual property of the organization. Likewise, these physical and intangible assets must be protected from potential threats to Nexor Solutions and Nexor Solutions employees. Consequently, the information security policy for Nexor Solutions is a critical business function that must be integrated within business operations, covering all aspects of Nexor Solutions business procedures, processes and tasks. To achieve these objectives, policies and procedures are already in place, i.e. the Acceptable Use Policy of Nexor Solutions. Information security is the basis for the business and must be integrated into each function of the organization, i.e. administrative services, planning and development, sales and marketing, and operations, as these functions require precise controls for mitigating the risk from normal business operations. State and federal laws associated with information security and privacy are applicable to Nexor Solutions, as non-compliance will result in fines, loss of stakeholder confidence, audits and direct revenue loss for Nexor Solutions.

Overview

As information security (Detmar Straub, Goodman et al. 2008) has now become everyone’s business, every employee of Nexor Solutions is accountable for making themselves aware of, and complying with, Nexor Solutions policies, procedures and standards associated with information security. Likewise, a policy is considered a tactical control, followed by budgets and organizations (Osborne, Summitt, n.d.). Information Security is defined as: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats” (Vacca, n.d.). Information security has three fundamental objectives that must be met, i.e. Confidentiality, Integrity and Availability. The policy in this draft is based on these three objectives.

Purpose of Establishing Information Security Policy

Nexor Solutions needs an information security policy to secure information resources from threats, as it will build stakeholder confidence. Moreover, by securing information resources, competitive advantage can be achieved in the market, which will result in maximizing profitability along with trust in data. Security of the organization should not focus on information technology only. Some of the sources of threats include vandalism, sabotage, espionage, natural disasters, online fraud, phishing etc.; cyber criminals can also compromise networks and data in transit. Some of the threats are non-ethical hacking, viruses, Trojans, malicious code and denial of service attacks.

Success Factors

Critical success factors for the effective and successful application of security within Nexor Solutions are:
A complete and comprehensive security policy, with security objectives that align with Nexor Solutions business objectives
A methodology that is steady and aligns with Nexor Solutions culture
Comprehensively visible senior management support for Nexor Solutions
Highly visible support from Nexor Solutions executive management
Comprehensive and in-depth knowledge of risk management and security requirement practices
Communicating security requirements to Nexor Solutions managers, business partners, customers, software developers and outsourcing companies
Assistance and guidance to all Nexor Solutions managers, business partners, customers, software developers and outsourcing companies
Awareness and training on information security
Measuring the effectiveness of information security by periodic reviews of controls and mechanisms
Identifying weak areas and adjusting to Nexor Solutions modified business objectives where necessary
For updating or modifying the policy, an annual review of the information security policy of Nexor Solutions to address changed business objectives along with risk environments

Information Security Policy

The information security policy is drafted from one of the templates from SANS, which claims on its website to be the most trusted and largest source for information security research in the world, focusing on certification, research and training (SANS: Information Security Policy Templates). Moreover, many authors refer to the SANS information security policy templates to give organizations an initial step towards the fundamental and basic requirements stated in these templates. In some cases these policy templates only require a change in the name of the organization. In spite of this, the focus needs to be on aligning business objectives to the policy, as it is considered to be one of the vital controls that governs from top to bottom (Osborne, Summitt, n.d.).

1. Scope

This policy is applicable to all information resources, internally connected systems, Nexor Solutions employees and third parties who have access to Nexor Solutions. The scope of this policy will also cover all legacy and future equipment, which will be configured and tuned as per the reference documentation.

3. Policy

3.1. Ownership

3.1.1. The first factor that must be addressed is the ownership criteria. Nexor Solutions is responsible for recruiting or assigning an information security manager, a point of contact for communication, and an alternate point of contact in case the primary point of contact is unavailable. Employees who are assigned as the owners of systems must organize and update the point of contact on a regular basis in order to align with the information security and corporate enterprise management members or groups. The information security manager must be available all the time, i.e. round the clock, either via phone or during office hours. In case of absence, the alternate manager must be functional to avoid hindrance to production operations. In case of mismanagement, legal action is applicable against the employee.

3.1.2. Moreover, information security managers are also liable for the vital factor that is the security of the information resources of Nexor Solutions and the impact of its operations on the production functions and operations running on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best to safeguard the information security of Nexor Solutions from security weaknesses and vulnerabilities.

3.1.3. Information security managers are also liable for aligning security policies in compliance with Nexor Solutions security policies. The following policies are vital: password policy for networking devices and hosts, wireless network security policy, anti-virus security policy and physical security policy.

3.1.4. The information security manager of Nexor Solutions is responsible for granting and approving access to employees requiring access to information for business purposes. Access can be either short term or long term depending on the ongoing job description or responsibilities. Moreover, the information security manager will also ensure effective procedures for terminating unwanted access to Nexor Solutions resources.

3.1.5. The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations and the Nexor Solutions network or network appliance / equipment / device.

3.1.6. The network support staff or administration must be entitled to full rights to interrupt network connections of Nexor Solutions that may impose an impact or security risk on processes, functions and operations on the production network.

3.1.7. The network support and administration staff must maintain and record all the IP addresses that are operational in Nexor Solutions, and any database associated with routing information for these IP addresses.

3.1.8. Network access to or from the Nexor Solutions network by departmental or external organizations must be supported by a business case, including justification of access with network diagrams and equipment, submitted to information security management, who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection.

3.1.9. User passwords must meet the requirements of the Nexor Solutions access management or password policy. Moreover, any inactive account must be deleted from the access list within 2 days, and on any device that involves critical and sensitive information of Nexor Solutions, passwords of group-based accounts from the group membership modules must be modified within 24 hours.

3.1.10. The customized network of Nexor Solutions will not facilitate third party or outsourced organizations apart from network and data transmission, storage, modification, monitoring and protection. All other departments of Nexor Solutions will be facilitated by their respective support functions.

3.1.11. In case of non-compliance, information security management must consider business justifications and allow waivers accordingly.

3.2. Acceptable Use Requirements

Any vulnerability detected in Nexor Solutions computer security must be reported to the appropriate security staff. Vulnerabilities in computer systems are detected through unknown software or abnormal system behavior that may lead to accidental exposure of confidential information. The Misuse Reporting processes section can be used to report any policy violation by staff relating to Intranet, Extranet, Internet and Email procedures. No user is allowed to access data, personal documents, emails and applications installed on Nexor Solutions systems without documented authorization. Employees of Nexor Solutions must not share their email passwords, Personal Identification Numbers, system passwords or server passwords with anyone. No employee of Nexor Solutions is entitled to make copies of licensed software purchased by Nexor Solutions. No employee of Nexor Solutions is entitled to install any software on their systems without Nexor Solutions management approval. No employee of Nexor Solutions may be involved in transmitting or storing offensive content or material, in intentional harassment, or in anything that is not legal in terms of federal legislation. No employee of Nexor Solutions will engage in practices that may slow down the performance of Nexor Solutions information resources, remove authorized access to Nexor Solutions information resources, or gain approval for additional resource allocation. No employee of Nexor Solutions will install and execute software such as packet sniffers, password cracking software or tools to reveal system vulnerabilities of Nexor Solutions, unless approved and authorized by the Nexor Solutions acting CISO. Information resources of Nexor Solutions are not to be used for personal objectives, political movements, fund raising programs or any such activity that is prohibited by federal legislation. Nexor Solutions employees must provide authorized access to researchers and Nexor Solutions employees for accessing patient information and medical records stored on Nexor Solutions information resources; Nexor Solutions Ltd staff must not allow non-employees to access confidential patient and medical records stored on Nexor Solutions information resources.

3.3. Configuration Requirements

3.3.1. Network traffic between different departments and other networks, for instance Nexor Solutions network traffic, will be transmitted via a firewall monitored and maintained by the support staff. However, in the case of a wireless network transmission, connection to other networks of the organization will be prohibited.

3.3.2. Any configuration or modification of configuration settings on the firewall must be reviewed and approved by the information security personnel.

3.3.3. Tools associated with port scanning, network sniffing, auto-discovery of registered / unregistered ports and other scanning tools are prohibited within the premises of Nexor Solutions, as they can trigger information security risks and disrupt Nexor Solutions network operations, or any other network that may be operational.

3.3.4. The information security personnel have the right to audit all inbound and outbound activities of any department of Nexor Solutions at any time.

3.3.5. To ensure physical access control, every employee must identify themselves via physical security controls before entering the premises of Nexor Solutions.

3.3.6. Use of mobile phones, PDAs, smart phones, laptops and any other communication device within the perimeter of Nexor Solutions must be in accordance with the open area security policy.

3.3.7. Encryption must be applied to stored password files, VPN connections and connections to third party service providers where applicable.

3.4. Compliance with Legal Requirements

3.4.1. Associated and Applicable Legislation
To avoid legal issues or security breaches, Nexor Solutions will define, document and demonstrate compliance with all applicable statutory, regulatory and contractual requirements for each information system. Owners of the systems must take advice from the information security officers on all issues related to legal and security information. Local regulations applicable where data is handled, stored or protected must be addressed. Likewise, the legal officer of Nexor Solutions will examine the applicable laws and regulations for policies in different regions. The legal officer will consult the chief information security officer to establish the required exceptions to policies and specific policies for different regions.

3.4.2. Intellectual Property Rights
All employees at Nexor Solutions will conform to the legal requirements of intellectual property protection along with license agreements for copyrighted software. The objective of this policy is to make employees of Nexor Solutions aware of, and comply with, copyrights, trademarks etc. Employees of Nexor Solutions are accountable if they do not use Nexor Solutions intellectual property in accordance with guidelines and standard procedures. In case of non-compliance, the employee will face disciplinary action, termination of employment and criminal or civil charges.

3.4.3. Intellectual Property Standards and Training
The chief information security officer, or any role acting in this capacity, along with system owners will develop educational and training sessions.

3.4.4. Using Software from Outside Sources
Employees of Nexor Solutions must not install or download pirated or unlicensed software on Nexor Solutions systems. Employees of Nexor Solutions will not download and install any software from the Internet without approval. If approval is granted, it must be justified and must contribute to business objectives.

Information Labeling and Handling

3.5. Enforcement
If any violation of this policy is found, the matter may be subject to disciplinary action, including termination of employment; students of the campus may be expelled.

4. Revision History
Version 1.0

Conclusion

A good information security policy must demonstrate the general security mandate and intent of management. An information security policy must be detailed enough to cover all the aspects that may involve risks and threats to the organization. Moreover, human risks are one of the prime factors that cannot be prevented but can be countered with awareness and training. In creating an initial draft of the ISPD document, we have created a comprehensive information security policy for Nexor Solutions to address internal logical threats, external logical threats, human threats and physical threats. Every policy must be different for every organization and every department. There is a requirement to address the risks that may give threats the opportunity to exploit vulnerabilities and gain access to critical servers, in this case the database, which may include college papers and other confidential data.

References

Detmar Straub, Goodman, S.E. and Baskerville, R., 2008. Information security: policy, processes, and practices. Armonk, N.Y.: M.E. Sharpe.
Ilvonen, I., 2009. Information Security Policies in Small Finnish Companies. Proceedings of the European Conference on Information Warfare & Security, pp. 112-117.
Osborne, M. and Summitt, P.M., n.d. How to Cheat at Managing Information Security. Syngress Publishing.
SANS, n.d. SANS: Information Security Policy Templates. Available: http://www.sans.org/security-resources/policies/ [accessed 1/2/2012].
Vacca, J.R., c2009. Computer and information security handbook. Amsterdam: Morgan Kaufmann.