Security Policy GDI Company - Case Study Example


The Executive Management Team of GDI
James Moravec, Computer Security Program Manager
Security Policy Document
28th October 2012

Executive summary

This security policy document outlines how GDI can protect its information technology infrastructure from various threats. It underscores the fact that information technology forms the core of GDI’s success, which is why the document concerns itself with protecting the various parts of the firm’s information technology assets. Given that GDI has made significant gains in its business, there is a need to preserve the capability the firm receives from its information technology assets. Protecting the physical and operational security of GDI is the main challenge underlying this document. Therefore, the report presents several policies that seek to protect named assets of GDI with the goal of preserving the security and operation of the firm. Vacca (2010) argues that information technology policies form the first line of defence against threats.

The policies outlined in this document are the result of a careful analysis of the firm’s existing network topology. Because information technology forms a critical backbone to the operations of GDI, a careful analysis characterized the writing of this document. Among the essential goals of the security policies is the establishment of confidentiality, integrity, and availability of the firm’s information technology assets.

Policy 1: Email Security Policy

Email remains a preferred medium of communication for the GDI Corporation. Because of the widespread use of email in the firm, there is a need for GDI to implement policies that will limit the loss of essential information through email exchange within or outside the firm.
While email is one of the most effective techniques for communication, firms like GDI risk exposing their data and information technology infrastructure to threats that can emerge from the lack of an email security policy. Bayuk, Healey and Rohmeyer (2012) contend that email remains vulnerable to a wide variety of threats such as worms. These threats can interfere with the operations of the organization, as well as lead to the loss of data. Given the danger that could emanate from email use, this report recognizes the need for an appropriate email security policy, which will ensure that email exchange does not result in the loss of data, the introduction of threats, or a breach of confidentiality.

First, GDI should implement a policy that restricts its employees from sharing any files that belong to the organization. This clause could limit the loss of information that GDI’s employees have the privilege to view as compared to other people. This policy should be printed and given to all employees using the firm’s email. In addition, GDI should also produce a policy that restricts all employees from using the firm’s email for their own private use. The use of email for any other purpose could introduce threats such as worms. Furthermore, the firm should stipulate that all employees scan their emails to ensure that they carry no threats, such as worms or Trojan horses, that could spy on the company’s data.

Policy 2: Server Security Policy

GDI’s servers are essential assets that must be protected from physical and operational risks that may have a profound effect on the operations of the firm. To ensure that GDI’s servers are secure, there has to be an elaborate policy in place. The server security policy calls for the hardening of GDI’s servers to ensure that all vulnerable areas are addressed to limit the impact of threats. This policy ensures that GDI’s administrators carry out periodic maintenance of the system by applying patches and other software updates.
Servers that lack essential patches are vulnerable to attacks (TechRepublic, 2004). Updating the servers by installing patches would ensure that they are secure and up to date. Because updates are critical to the operation of the server, essential updates must be installed as soon as possible. The operating system for the server should also be upgraded to ensure that the server is secure and running the most recent upgrades. For instance, GDI should ensure that recent server operating systems are installed. This implies that legacy operating systems like Windows Server 2003 must be upgraded to the more recent Windows Server 2008.

The new server operating systems should have appropriate configurations that reflect a secure security policy. For example, GDI’s server administrators should optimize the server and ensure that the appropriate server services are running. Equally important, unnecessary services should be turned off to ensure that GDI’s servers are not vulnerable to intrusion that may compromise the operation of the firm. At the same time, GDI’s server administrators must secure the servers by blocking unnecessary ports.

Most important, several precautions should be put in place to secure the server from threats. For instance, users should have varying levels of access to the server, with root access granted to high-level administrators. The server should also have strong passwords, and access to the system should be logged to a central server. To guarantee secure access to information, secure channels, with encryption, should be used to enable access to the server.

Policy 3: Wireless Security Policy

GDI’s network topology reveals the presence of several wireless networks, which must be secured to prevent unauthorized intrusion into the firm’s network. To promote the security of the wireless network, the information technology department will approve and document all devices that connect to the firm’s access points.
The wireless access points should also receive periodic testing to ascertain their ability to withstand intrusion from hackers. Maynor and Mookhey (2007) argue that penetration testing forms the first line of ascertaining the security of a wireless network. Apart from penetration testing, the department should also keep an inventory of the devices accessing the wireless environment along with their owners.

The wireless access points should also be secured against theft or physical damage. In the event that a wireless access point becomes damaged, GDI can suffer significantly from the resulting downtime. As a result, GDI must ensure that wireless network equipment is secured and locked using various locking mechanisms. Locking the devices would prevent any access that may compromise their function by introducing unauthorized use or change. In addition to locking the devices, the information technology department should ensure that all reset buttons are accessible to authorized personnel only. This prevents an unauthorized reset of a device that can affect the operation of the wireless access points.

The wireless access points should have segments that direct users to appropriate resources. The default configuration of the access points, such as the service set identifier, should be changed from the default value to prevent intrusion. The service set identifier should also be disabled to prevent hackers from knowing about the access point. When accessing a wireless access point, users should provide the correct authentication code to receive access.

Policy 4: Acceptable Use Policy

GDI’s attempts to promote the physical and operational security of its systems would be incomplete without an acceptable use policy. Many organizations use this policy to inform their employees of what they can do and what they are not supposed to do with regard to the use of information technology services (Kelley, Campagna & Wessels, 2007).
With regard to GDI’s information technology infrastructure, users can use the network for communicating with other users in the organization. However, the use of the network must be lawful and in furtherance of the activities of the organization. GDI thus has the responsibility of ensuring that its employees use the information technology infrastructure to further its goals. GDI also limits the use of its network infrastructure by users for purposes that are unlawful.

The acceptable use policy limits activities such as the creation and transmission of materials that may be offensive or obscene. GDI should also restrict users from creating content that can lead to the loss of confidential information that may affect the operation of the company. The same applies to material that may cause annoyance or inconvenience to other users in the company.

The acceptable use policy also restricts users from using the network services for purposes that can affect the operation of the company’s network. For instance, GDI prohibits the use of network services in ways that could limit the function of the company’s network services, and users of GDI’s network should refrain from carrying out activities that waste network resources. Similarly, this acceptable use policy restricts users from engaging in activities that could damage the firm’s systems. For instance, users should not corrupt information about the company or violate privacy policies in ways that could lead to the loss of critical information. Moreover, GDI expects users to refrain from overloading the network or denying services to other users. Most significant, users must make correct use of the firm’s hardware and avoid introducing worms and viruses into the information technology infrastructure.

Policy 5: Hardware Disposal Policy

GDI’s computer hardware and network devices contain important information, and disposing of this hardware should be done appropriately.
Because the GDI network has several storage devices, this hardware should be disposed of in an appropriate way. GDI employees should not throw away storage media such as floppy disks or computer and server hard drives. Instead, they should hand such media to the IT department for proper disposal. The information technology department should track data on all computer hardware and place tags on it. When such devices have reached their end of life, the tags should be removed and the data cleared from the devices (Ciampa, 2010). Clearing data from storage devices could prevent a loss of information that could jeopardize the operation of GDI.

The information technology department should also ensure that some hardware is reused where appropriate. While some hardware would require disposal, it is important to consider reusing some hardware in low-cost areas, but this should be done appropriately. In such a case, the hardware should be erased using an appropriate technique that ensures that all data are wiped out. In cases where the hardware cannot be reused, it would be essential to destroy the media. This is because some attackers can recover erased data from storage media, which could lead to a loss of confidentiality (Kim & Solomon, 2011).

In cases where GDI donates equipment to other firms, the hardware must have documentation that attests to the erasure of data from it. However, such equipment must receive approval from the information technology department for erasure, and the approved technology must be used to erase the information. Where hardware is disposed of, the hardware inventory tags should be recorded and the file stored with the department of information technology.

Policy 6: Password Policy

A password policy is vital in governing the use of passwords in an organization. With the use of a password policy, GDI should be able to restrict how users create passwords and how often they should be changed to secure the system from intrusion.
While passwords are vital in restricting access to computer resources and data, the lack of a strong policy can limit the effectiveness of passwords in protecting confidential data (Windley, 2005). To ensure that passwords are protected from unauthorized personnel, no employee of GDI should write their password down. This will minimize the chances of other users reading the passwords. In addition, users should also refrain from sending their passwords through email, which could lead to compromise of the login credentials (Windley, 2005). Instead, all users should memorize their passwords to limit any unauthorized access that may allow other persons to access confidential data about the organization.

To create strong passwords, users must avoid using passwords based on common names, which hackers could decipher using dictionary hacks. Instead, all employees of GDI should use combinations of words, numbers, and special characters to create their passwords. In addition, users should refrain from asking their colleagues to help them create passwords, as this may lead to the compromise of a user account and a resulting loss of integrity or confidentiality of information.

To ensure that passwords are safe, there should be a minimum password age. This could be 60 days, after which users should change their password. Where necessary, the system should be configured to remind users of the password requirement to ensure that users comply with the password expiry option. In cases where users fail to provide the correct password for their accounts, the system should lock the account for some time before reactivating it. Similarly, the administrators should also configure the servers and workstations to display a password-protected screen saver that requires users to provide a password after some minutes of inactivity. This precaution would keep users from accessing workstations or servers when others leave them briefly.
Policy 7: IT Audit

Despite the implementation of several information security policies, it is vital to use an IT audit policy to ensure that GDI employees follow the laid-down rules and policies. Given that GDI has an expansive network, it is vital to ascertain the levels of compliance within the organization. Most important, the audit provides a framework to perform a system audit to ensure that GDI’s information technology (Wallace & Weber, 2008).

The system administrator of GDI will be responsible for conducting the audit and ensuring that all facets of the information technology are in order. For instance, the administrator should ensure that all of GDI’s employees are aware of the policies that govern the IT department. The administrator should also ascertain whether employees can access the policies in hardcopy or electronic copy. The IT audit team should also determine whether there are sufficient personnel who can implement the various IT policies in the organization.

As per the IT audit policy, the administrator should determine whether the IT personnel have training on how to implement basic security. The administrator should also ascertain whether there is enough hardware to ensure that IT operations continue in the event of a hardware failure. Similarly, the IT administrator should also determine whether there are plans to replace hardware and to monitor the various systems to ensure that they do not fail. In addition, it would be necessary for the administrator to find out whether there are plans to conduct maintenance at regular intervals.

The IT audit policy should also cover the software aspect. It is the responsibility of the administrator to determine whether there are original disks that could be used to replace applications that crash. Moreover, the administrator should also ascertain whether the vendors of the various network software applications can be reached, should there be a need to contact them.
Because GDI’s operations are critical, the administrator should determine whether there are enough precautions, such as uninterruptible power supplies and cooling systems. On physical security, it is vital for the administrator to ensure that there are regulations regarding the locking of computers and network gear in their rooms. In addition, the administrator should ascertain whether there are regulations governing the movement of equipment from all offices. On the same note, it would be essential for the administrator to determine whether GDI has regulations governing how hardware is disposed of and how employees use email.

Policy 8: Remote Control

Given that GDI has a lean information technology department, the network technicians and administrators rely on remote access to carry out some functions such as technical support. In addition, connections to remote data centres are made remotely. To protect the privacy of users while maintaining the confidentiality, integrity and availability of information, this remote access policy applies to all employees of GDI.

First, this remote access policy applies to all the employees, agents, contractors and vendors who collaborate with GDI. The policy also addresses any sort of remote control, including WiFi, ISDN, or VPN. All users of remote access should ensure that they do not store any information on remote devices without the prior approval of the firm. In addition, all remote connections should be treated as onsite connections with regard to the use of workstations and other devices used during the remote connection (Whitman & Mattord, 2011). For this reason, all users who access devices remotely should comply with other policies, such as those that restrict them from engaging in unlawful activities such as hacking, sending obscene material, or engaging in activities that are outside the business interests of GDI.
Remote control sessions should be granted only to users who have unique credentials given to them by the administrators. Accordingly, only the bearers of this information will have access to the remote connection sessions. Equally important, users with remote access credentials should use their passwords to access other devices, but refrain from sharing them with other users, as this is unacceptable. When using a shared medium such as the internet, users of remote control should use encryption to keep attackers from viewing their information. This approach may limit the loss of confidential information to attackers who may eavesdrop on remote access connections.

For the security of the GDI network, all devices that are used for remote access should have an up-to-date antivirus system. The operating systems of these computers should also be up to date and have current patches that reduce their vulnerability to attacks. For vendors and other organizations that collaborate with GDI, the GDI administrators must approve remote access sessions before they occur. During remote access sessions, users may not carry out any modification that could affect the operation of the respective workstation or device.

Users who violate the terms of this policy risk losing remote access privileges within the GDI network. In some severe cases, GDI may terminate the services of users who engage in criminal activities using the network resources of GDI or who use remote access to disclose confidential information about the company.

Policy 9: Documentation of IT Assets

The documentation of IT assets policy aims at protecting the assets of GDI while maintaining the confidentiality, integrity and availability of information in servers, computers and other devices on GDI premises. In addition, this policy protects the security of the network and ensures that all assets are tracked.
Because of this, all employees should comply with the policy and enforce it in their departments. There are several assets that GDI will track for the purpose of documenting their particulars. These assets include desktop workstations, servers, switches, routers, and firewalls, among other network devices. While GDI may not track some small assets, it shall ensure that all devices that store data are tracked and their location documented. To enhance the security of information, GDI will track devices such as servers and hard drives and document their location along with details of the data they contain.

When tracking assets, all IT assets will have a unique identifying number, which GDI will store in the database. During the acquisition of an asset, the new asset will be given an asset ID and its particulars stored in the database. During asset transfer, the affected department must record pertinent information about the transfer. When GDI’s employees transfer, dispose of, or change the trustee of an asset, it is vital for them to document the details of the asset and include the new information relating to it.

In addition, during asset transfer, special care must be taken to ensure that such assets do not hold sensitive information. Where the assets hold unclassified information, the media can be erased by formatting the disk. However, assets that hold classified information may require special techniques to remove the data. In addition, such assets must be removed from their location only with the approval of the Computer Security Program Manager. Assets that contain GDI’s top-secret information must be documented and never removed from their location.

Policy 10: Ethics Policy

Users who comply with the ethics policy have a positive influence on computer security and the operation of GDI’s information technology systems. This ethics policy applies to all employees and personnel using GDI’s information technology infrastructure.
Users who comply with the ethics policy must respect the integrity of the computer systems by not sharing information such as passwords, private keys or pertinent information about the network devices or computers (Stamatellos, 2007). In addition, users shall not exploit any weakness in the network or use devices that other users have not logged off. Users should also refrain from intruding on the privacy of other users. Instead, all users must understand that some data are private and cannot be shared or accessed without appropriate approval. As a result, no user will be allowed to access the files or email of other users without permission. The ethics policy also prohibits commercial use of the network infrastructure. For this reason, users must respect the rules governing the use of the computers and use the network infrastructure and computers for their intended purposes only.

Policy 11: GDI Internet Security

The internet is an essential infrastructure for GDI. However, there are many threats that come with the use of the internet. To ensure the security of GDI’s data, the following internet security policy shall guide the use of the internet.

The GDI information security department will implement a firewall to regulate connections between the internal network and the internet. All users of the internet will thus connect their traffic through the firewall. The GDI network will also have a proxy server that will receive requests from users and connect them to the internet. All users shall therefore connect to the proxy server using the credentials provided. The proxy server will act as an intermediary between the internet users and the web servers (Whitman & Mattord, 2011).

When using the internet, users must ensure that they visit websites that are of business interest. At no time should users access websites that could make the network vulnerable. Websites with copyrighted material such as music or videos should not be visited.
Moreover, users should not visit websites that have obscene content or those that further messages against others. Most important, internet users should not download software without approval from the IT department.

Policy 12: Network Security

The network security policy seeks to protect GDI’s network from various threats. The GDI information technology department will install virus-scanning software that will check all traffic for viruses or worms that could harm the network. Likewise, users should have antivirus software installed on their computers before they use the network. The IT department will also protect network devices by restricting access to them using MAC address filtering or firewalls. A firewall uses a list of rules to determine access to a network from the public domain (TechRepublic, 2004). In addition, the IT department will ensure that there are multiple paths to critical assets such as switches and routers to reduce redundancy in communication. The IT department will also configure all network devices and ascertain that they can detect intrusion and log network use for audit. To improve performance, the GDI IT department shall also conduct network performance analysis.

Conclusion

GDI’s interest is to protect its physical and operational security, as it relies heavily on information technology. This report presents 12 policies that are essential in ensuring that GDI’s information is confidential and that the integrity and availability of the information are maintained within the organization. In this security policy document, the 12 policies are outlined, each having distinct ways of making GDI’s IT infrastructure secure and operational.

References

Bayuk, J. L., Healey, J., & Rohmeyer, P. (2012). Cyber security policy guidebook. New Jersey: John Wiley & Sons.
Ciampa, M. D. (2010). Security awareness: Applying practical security in your world. Boston, MA: Course Technology/Cengage Learning.
Kelley, J., Campagna, R., & Wessels, D. (2009). Network access control for dummies. Hoboken, NJ: Wiley Pub.
Kim, D., & Solomon, M. (2011). Fundamentals of information systems security. Sudbury, MA: Jones & Bartlett Learning.
Maynor, D., & Mookhey, K. K. (2007). Metasploit toolkit for penetration testing, exploit development, and vulnerability research. Burlington, MA: Syngress.
Stamatellos, G. (2007). Computer ethics: A global perspective. Sudbury, MA: Jones and Bartlett Publishers.
TechRepublic. (2004). Administrator's guide to Windows Server 2003. Louisville, KY: TechRepublic.
Whitman, M. E., & Mattord, H. J. (2011). Readings and cases in information security: Law and ethics. Boston, MA: Course Technology, Cengage Learning.
Windley, P. J. (2005). Digital identity: Unmasking identity management architecture (IMA). New York: O'Reilly.