Information Security: Policy, Processes, and Practices - Research Proposal Example

?Contents Contents Part A 3 1 Introduction 3 2 Overview 4 3 Scope 4 4 Gold Star Goals and Objectives 5 5 Purpose of Establishing Policy 51.5.1 Success Factors 6 1.6 Application of the Policy 7 2 Computer Hardware and Software Policy 7 2.1 Ownership 7 3 Acceptable Use Policy 10 3.1 Network Security Policy 11 4 Legislation and Other Policy 12 4.1 Associated and Applicable Legislation 12 4.2 Intellectual Property Rights 13 4.3 Intellectual Property Standards and Training 13 4.4 Using Software from Outside Sources 13 5 Enforcement 14 6 Revision History 14 7 Definition of Terms used in this policy 14 8 Easy Access Matrix 15 9 Passwords policy 15 10 Privileges policy 16 11 Email Use Policy 16 12 Network Use Policy 16 13 Internet Use policy 16 14 Backup 16 15 Conclusion 16 16 Part B 17 16.1 NMAP 17 17 NESSUS 19 17.1 Vulnerability Details and Fixing Recommendations 20 18 References 22 1 Part A 1.1 Introduction As this is an information age, information is now in the form of digits that flows on an electronic computerized network. Organizations are dependent on these digital communication channels for transferring and exchanging classified information such as confidential information, mission critical information and information that is published for the people. As information is a blood life of any organization, it is vital to protect information by implementing physical, logical and environmental controls. In the context of protecting information security, three fundamental factors must be considered to make use of digitized information in an effective manner i.e. Confidentiality, Integrity and Availability. As there is a requirement of protecting this digital information internally and externally, policy is a control that provides necessary steps, procedures and processes to protect information. These are also considered as high level statements derived from the board of the organization. “Information security policy is therefore considered an essential tool for information security management” (Ilvonen 2009). However, information security policy is customized by company to company and department to department. Different factor that may influence to tailor the policy includes organization size, dependence on information systems, regulatory compliance and information classification scheme. For addressing all issues related to information security via a single policy is not possible, however, to cover all aspects related to information security, a set of information security policy document focusing on different group of employees within the organization is more suitable. This paper will discuss different factors that must be taken in to account when constructing and maintaining an information security policy. However, there are many methods available for constructing an information security policy, the initial step before adopting any one of the methods is to identify the current maturity level of the policy construction process within the organization. The outputs will be either no information security policy development process in place or there is an extensive policy development process exists. 1.2 Overview As information security (Detmar Straub, Goodman et al. 2008) has now become everyone’s business, every employee of Gold Star is accountable making themselves aware with the compliance with Gold Star policies, procedures and standards associated with information security. Likewise, a policy is considered as a tactical control followed by budgets and organizations (Osborne, Summitt, n.d). Information Security is defined as: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats” (Vacca, n.d ). Information security has three fundamental objectives that must be met i.e. Confidentiality, Integrity and Availability. The policy in this draft is based on these three objectives. 1.3 Scope This policy is applicable to all information resources, systems that are internally connected, Gold Star, employees and third parties who have access to Gold Star. The scope of this policy will also cover all the legacy and future equipment that will be configured and tuned as per the reference documentation. 1.4 Gold Star Goals and Objectives Gold Star and Gold Star employees are intrinsic and responsible for protecting the physical information assets, confidential data and intellectual property of the organization. Likewise, these physical and intangible assets must be protected from potential threats to Gold Star and Gold Star employees. Consequently, the information security policy for Gold Star is a critical business function that must be integrated within the business operations covering all aspects of Gold Star business procedures, processes and tasks. However, to achieve these objectives, policies and procedures are already in place i.e. Acceptable Use Policy of Gold Star. Information security is the basis for the business that must be integrated into each function of the organization i.e. administrative service, planning and development, sales and marketing and operations, as these functions require precise controls for mitigating the risk from normal business operations. State and federal laws associated with information security and privacy are applicable to Gold Star, as non-compliance will impose fines, stakeholder confidence, audits and direct revenue loss for Gold Star. 1.5 Purpose of Establishing Policy Gold Star needs an information security policy to secure information resources from threats, as it will build confidence in stakeholder confidence. Moreover, by securing information resources, competitive advantage can be achieved in the market, that will result in maximizing profitability along with trust in data. Security of the organization should not focus on Information technology only. Some of the sources of threats includes vandalism, sabotage, espionage, natural disasters, online frauds, phishing etc. however, cyber criminals can also compromise networks while data in transit. Some of the threats are non-ethical hacking, viruses, Trojan, malicious codes, and denial of service attacks. 1.5.1 Success Factors Critical success factors for the effective and successful application of security within Gold Star are: Complete and comprehensive security policy, security objective that aligns with Gold Star business objectives A methodology that is steady and aligns with Gold Star culture Comprehensively Visible Senior management support for Gold Star Highly visible support from Gold Star executive management Comprehensive and in-depth knowledge of risk management and security requirement practices Communicating security requirements to Gold Star managers, business partners, customers, and software developers and outsourcing companies. Assistance and guidance to all Gold Star managers, business partners, customers, software developers and outsourcing companies. Awareness and training on Information security Measuring the effectiveness of information security by periodic reviews of controls and mechanisms Identifying weak areas and adjustment on Gold Star modified business objectives where necessary For updating or modifying the policy, Annual review of the information security policy of Gold Star for addressing changed business objectives along with risk environments 1.6 Application of the Policy The information security policy is drafted from one of the templates from SANS that claims on their website to be the most trusted and the largest source for information security research in the world that focuses on certification, research and training (, SANS: Information Security Policy Templates ). Moreover, many authors refer to SANS information security policy templates to facilitate organizations for an initial step of fundamental and basic requirements that are stated in these templates. However, in some cases these policy templates only require a change in the name of organization only. In spite, the focus needs to be on aligning business objectives to the policy, as it is considered to be one of the vital controls that governs from top to bottom (Osborne, Summitt). 2 Computer Hardware and Software Policy This policy defines the scope for interaction of physical computing components with the employees. For instance, the policy may restrict opening and inspecting a workstation for any error or no hard drive detection. Employees by no means can open the case and unplug hardware components from the system. Moreover, the policy also defines all the required software required for every employee working on different levels and grades. Moreover, installation and configuration rights against each role are also mentioned. 2.1 Ownership The first factor that must be addressed is the ownership criteria. Gold Star is responsible for recruiting or assigning an information security manager, a point of contact for communication and an alternate point of contact in case of unavailability of the primary point of contact. Employees who are assigned as the owners of the systems must organize and update the point of contact on regular basis in order to align with the information security and corporate enterprise management members or groups. Information security manager must be available all the time i.e. round the clock, either via phone or on office hours. In case of absence, alternate manager must be functional to avoid hindrance to production operations. In case of any lack of mismanagement, legal action is applicable against the employee. Moreover, Information security managers are also liable for the vital factor that is the security of the information resources of Nesux Solutions and the impact of its operations on the production functions and operations that are functional on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best for safe guarding information security of Gold Star, from security weaknesses and vulnerabilities. Information security managers are also liable for aligning security policies in compliance with Gold Star, security policies. The following policies are vital: Password policy of networking devices and hosts, wireless network security policy, Anti-Virus security policy and physical security policy. The information security manager is of the Gold Star is responsible for granting and approving access to employees requiring access for information or business purpose. Access can be either short term or long term depending on the ongoing job description or responsibilities. Moreover, information security manager will also ensure effective procedures for terminating unwanted access to the Gold Star resources. The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations from the Gold Star network or network appliance / equipment / device. The network support staff or administration must be entitled to have full rights for interrupting network connections of the Gold Star that may impose impact or security risk on processes, functions and operation on the production network The network support and administration staff must maintain and record all the IP addresses that are operational in the Gold Star, any database associated with routing information from these IP addresses. Network access of Gold Star by departmental or external organizations to or from the network must provide a business case including justification of access with network diagrams and equipment to the information security management who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection. User passwords must meet the requirements of the access management or password policy of Gold Star, password policy. Moreover, any inactive account must be deleted within 2 days from the access list and any device that involves critical and sensitive information of Gold Star, passwords of group based accounts from the group membership modules must be modified within 24 hours. The customized network of Gold Star will not facilitate third party or outsourced organization apart from network and data transmission, storage, modification, monitoring and protection. All the other departments of Gold Star will be facilitated by their respective support functions. In case of non-compliance, information security management must consider business justifications and allow waivers accordingly. 3 Acceptable Use Policy Any vulnerability detected in the Gold Star computer security must be reported to the adequate security staff. Vulnerabilities in computer systems are detected by unknown software or abnormal system behavior that may lead to accidental invasion of confidential information. Misuse Reporting processes section can be used to report any policy violation by the staff that can be related to Intranet, Extranet, Internet, and Email procedures. No user is allowed to access data, personal documents, emails and applications installed on Gold Star without documented authorization. All employees of Gold Star must not share their email passwords, Personal Identification Numbers, system passwords, server passwords with anyone. No employee of Gold Star is entitled to make copies of licensed software that is purchased by Gold Star. No employee of Gold Star is entitled to install any software on their systems without Gold Star management approval. No employee of Gold Star must involve in offensive contents or material that is used for transmitting, storing, harassing intentionally or that is not legal in terms of federal legislation. No employee of Gold Star will involve in practices that may slow down the performance of Gold Star information resources, remove authorize access to Gold Star information resources, gain approval for additional resource allocation. No employee of Gold Star will install and execute software such as packet sniffers, password cracking software or tools to reveal system vulnerabilities of Gold Star, unless approved and authorized by the Gold Star acting CISO Information resources of Gold Star are not entitled for gaining personal objectives, political movements, fund raising programs and every such activity that is prohibited by the federal legislation. Gold Star employees must provide authorized access to researchers and Gold Star employees for accessing patient information and medical records stored on Gold Star Ltd staff must not allow non-employees to access confidential patient and medical records stored on Gold Star information resources. 3.1 Network Security Policy The network traffic between different departments and the other networks for instance, Gold Star network traffic, will be transmitted via a firewall monitored and maintained by the support staff. However, in case of a wireless network transmission, connection to other networks of the organization will be prohibited. In order to configure or modify any configuration settings on the firewall, it must be reviewed and approved by the information security personnel. Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the premises of Gold Star, as they can trigger information security risks and disrupt the Gold Star network operations, or any other network that may be operational. Right to audit for all inbound and outbound activities of any department of Gold Star is applicable to the information security personnel anytime. For ensuring physical access, every employee must identify themselves via physical security controls before entering in the premises of Gold Star. Accessing mobile phones, PDA’s, smart phones, laptops and any other communication device in the parameter of Gold Star, must be according to the open area security policy. Encryption must be applicable to stored password files, VPN connections and connections to the third party service providers where applicable. 4 Legislation and Other Policy 4.1 Associated and Applicable Legislation To sidestep for any legal issues or security breaches, Gold Star will define, document and demonstrate compliance with all applicable statutory, regulatory and contractual requirements for each information system. Owners of the systems must take advice from the information security officers for all issues related to Legal and security information. Local regulations must be addressed that are applicable where data is handled, stored or protected. Likewise, legal officer of Gold Star will examine applicable laws and regulations of policies at different regions. The legal officer will consult chief information security officer for establishing required exceptions to policies and specific policies to different regions. 4.2 Intellectual Property Rights All employees at Gold Star will conform to the legal requirements of intellectual property protection along with license agreements related to copyright software. The objectives of this policy is to make employees of Gold Star aware and to make them comply with copyrights, trademarks etc. Employees of Gold Star are accountable if they not use Gold Star intellectual property with guidelines and standard procedures. In case of non-compliance, employee will face a disciplinary action, termination of employment and criminal or civil charges. 4.3 Intellectual Property Standards and Training The Chief information security officer or any role acting in this category along with system owners will develop educational and training session. 4.4 Using Software from Outside Sources Employees of Gold Star must not install or download pirated or non-licensed software on Gold Star systems. Employees of Gold Star will not download and install any software from the Internet without approval. If approval is granted, it be justified and must contribute to business objectives. 5 Enforcement If any violation of this policy is found, the matter maybe subjected to disciplinary action including termination of employment and students of the campus maybe expelled. 6 Revision History Version 1.0 7 Definition of Terms used in this policy Local regulations: applicable laws of the region where the company is located. Encryption: raw data is converted in to a coded form. VPN connections: a secure dedicated tunnel for transmitting data in encrypted form. Physical security controls: Physical controls are incorporated for adding security for human factors Registered / Unregistered ports: Also called as sockets, used for registering them for specific applications running on the network. Firewall: A security appliance used for adding baseline security for the network that allows and deny packets on the defined criteria. Federal legislation: applicable laws and regulations of the current region. Packet sniffers: Used for tracing data packets traveling through the network. Password cracking software: Used for exposing or gaining access to a password protected application. CISO: Chief Information Security Officer implements and enforce information security policies and procedures within the organization. Intranet: Application that is accessed and travels within the local network Extranet: Application that is accessed and travels within the local as well as wide area network. 8 Easy Access Matrix Resources Roles E-Mail Server Firewall Applications Information Security Officer Utilize, Configure Review logs, Ensure Compliance with policy Review violation logs, password logs, application security control review Network Administrators Utilize Install, backup, configure, utilize Utilize configure Support Staff Monitor Monitor and communicate anomalies Monitor and communicate logs 9 Passwords policy Password policy defines the complexity level and password length that must be standardized in all modules of applications. The policy also defines ‘Do’s’ and ‘Don’ts’ for setting the password. 10 Privileges policy This policy illustrates mandatory and discretionary levels of access on applications, networks and databases. 11 Email Use Policy This policy defines the attachment requirements of emails, communication via email to third parties or individuals publicly available. No company information will be shared publicly by using company email address. Moreover, users may not spread non ethical information, religious information via email within the company. 12 Network Use Policy This policy restricts and allows the user to access data, network services and applications available on the network. Users may not be able to access shared files pertaining to other departments. Likewise, if any confidential data is shared, it must not be accessible to other department employees. 13 Internet Use policy This policy defines the permitted and restricted information requested via Internet connection. However, certain department may have access to certain websites that may facilitate them, such as marketing department requires research. 14 Backup Backup of data and applications is maintained by the network administration staff of gold star. 15 Conclusion A good information security policy must demonstrate a general security mandate and intent of the management. Information security policy must be detailed to cover all the aspects that may involve risks and threats to the organization. Moreover, human risks are one of the prime factors that cannot be prevented but can be counter with awareness and training. In the creation of an initial draft of the ISPD document, we have created a comprehensive information security policy for Gold Star to address internal logical threats, external logical threats, human threats and physical threats. Every policy must be different for every organization and every department. There is a requirement of addressing risks that may gave opportunities to threats to utilize vulnerabilities and gain access to critical servers, in this case, the database which may include college papers and other confidential data. Terms used in this policy: human threats, physical threats, external and internal logical threats, 16 Part B 16.1 NMAP Step 1 IP Address: 192.168.1.2 Net Mask: 255.255.255.0 Gateway IP: 192.168.1.1 DNS: 192.168.1.1 Fully Qualified Domain Name (FQDN): None Step 2 Ping Scan.txt Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-18 00:09 Nmap scan report for 192.168.1.3Host is up (0.0080s latency).MAC Address: 00:1B:77:9A:F0:33 (Intel Corporate)Nmap done: 1 IP address (1 host up) scanned in 17.22 seconds TCPScan1.txt Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-18 00:12 NSE: Loaded 106 scripts for scanning.NSE: Script Pre-scanning.Initiating ARP Ping Scan at 00:12Scanning 192.168.1.3 [1 port]Completed ARP Ping Scan at 00:12, 0.33s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 00:12Completed Parallel DNS resolution of 1 host. at 00:12, 16.50s elapsedInitiating SYN Stealth Scan at 00:12Scanning 192.168.1.3 [481 ports]Discovered open port 139/tcp on 192.168.1.3Discovered open port 135/tcp on 192.168.1.3Discovered open port 445/tcp on 192.168.1.3Completed SYN Stealth Scan at 00:12, 6.89s elapsed (481 total ports)Initiating Service scan at 00:12Scanning 3 services on 192.168.1.3Completed Service scan at 00:13, 6.20s elapsed (3 services on 1 host)Initiating OS detection (try #1) against 192.168.1.3NSE: Script scanning 192.168.1.3.Initiating NSE at 00:13Completed NSE at 00:13, 40.01s elapsedNmap scan report for 192.168.1.3Host is up (0.0055s latency).Not shown: 478 filtered portsPORT STATE SERVICE VERSION135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn445/tcp open netbios-ssnMAC Address: 00:1B:77:9A:F0:33 (Intel Corporate)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning: Microsoft Windows 2008OS CPE: cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp2OS details: Microsoft Windows 7 SP1 or Windows Server 2008 SP1 - SP2Uptime guess: 53.042 days (since Sun Nov 25 23:13:10 2012)Network Distance: 1 hopTCP Sequence Prediction: Difficulty=260 (Good luck!)IP ID Sequence Generation: IncrementalService Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:| nbstat: | NetBIOS name: HUDA-PC, NetBIOS user: , NetBIOS MAC: 00:1b:77:9a:f0:33 (Intel Corporate)| Names| HUDA-PC Flags: | HUDA-PC Flags: | WORKGROUP Flags: | WORKGROUP Flags: | WORKGROUP Flags: |_ \x01\x02__MSBROWSE__\x02 Flags: | smb-os-discovery: | OS: Windows 7 Professional 7600 (Windows 7 Professional 6.1)| OS CPE: cpe:/o:microsoft:windows_7::-:professional| Computer name: HUDA-PC| NetBIOS computer name: HUDA-PC| Workgroup: WORKGROUP|_ System time: 2013-01-18T00:12:51+05:00| smb-security-mode: | Account that was used for smb scripts: guest| User-level authentication| SMB Security: Challenge/response passwords supported|_ Message signing disabled (dangerous, but default)|_smbv2-enabled: Server supports SMBv2 protocolTRACEROUTEHOP RTT ADDRESS1 5.46 ms 192.168.1.3NSE: Script Post-scanning.Read data files from: C:\Program Files (x86)\NmapOS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 73.52 seconds Raw packets sent: 1481 (67.002KB) | Rcvd: 27 (1.490KB) VerScan1.txt Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-18 00:36 UK Standard TimeNSE: Loaded 106 scripts for scanning.NSE: Script Pre-scanning.Initiating ARP Ping Scan at 00:36Scanning 192.168.1.3 [1 port]Completed ARP Ping Scan at 00:36, 0.33s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 00:36Completed Parallel DNS resolution of 1 host. at 00:37, 16.50s elapsedInitiating SYN Stealth Scan at 00:37Scanning 192.168.1.3 [80 ports]Completed SYN Stealth Scan at 00:37, 2.74s elapsed (80 total ports)Initiating Service scan at 00:37Initiating OS detection (try #1) against 192.168.1.3Retrying OS detection (try #2) against 192.168.1.3NSE: Script scanning 192.168.1.3.Initiating NSE at 00:37Completed NSE at 00:37, 0.00s elapsedNmap scan report for 192.168.1.3Host is up (0.0052s latency).All 80 scanned ports on 192.168.1.3 are filteredMAC Address: 00:1B:77:9A:F0:33 (Intel Corporate)Too many fingerprints match this host to give specific OS detailsNetwork Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1 5.23 ms 192.168.1.3NSE: Script Post-scanning.Read data files from: C:\Program Files (x86)\NmapOS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds Raw packets sent: 197 (11.784KB) | Rcvd: 5 (680B) Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-18 00:38 UK Standard TimeNSE: Loaded 106 scripts for scanning.NSE: Script Pre-scanning.Initiating ARP Ping Scan at 00:38Scanning 192.168.1.3 [1 port]Completed ARP Ping Scan at 00:38, 0.34s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 00:38Completed Parallel DNS resolution of 1 host. at 00:39, 16.50s elapsedInitiating SYN Stealth Scan at 00:39Scanning 192.168.1.3 [21 ports]Completed SYN Stealth Scan at 00:39, 1.61s elapsed (21 total ports)Initiating Service scan at 00:39Initiating OS detection (try #1) against 192.168.1.3Retrying OS detection (try #2) against 192.168.1.3NSE: Script scanning 192.168.1.3.Initiating NSE at 00:39Completed NSE at 00:39, 0.00s elapsedNmap scan report for 192.168.1.3Host is up (0.0065s latency).PORT STATE SERVICE VERSION1/tcp filtered tcpmux2/tcp filtered compressnet3/tcp filtered compressnet4/tcp filtered unknown5/tcp filtered unknown6/tcp filtered unknown7/tcp filtered echo8/tcp filtered unknown9/tcp filtered discard10/tcp filtered unknown11/tcp filtered systat12/tcp filtered unknown13/tcp filtered daytime14/tcp filtered unknown15/tcp filtered netstat16/tcp filtered unknown17/tcp filtered qotd18/tcp filtered unknown19/tcp filtered chargen20/tcp filtered ftp-data21/tcp filtered ftpMAC Address: 00:1B:77:9A:F0:33 (Intel Corporate)Too many fingerprints match this host to give specific OS detailsNetwork Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1 6.55 ms 192.168.1.3NSE: Script Post-scanning.Read data files from: C:\Program Files (x86)\NmapOS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 22.52 seconds Raw packets sent: 79 (6.592KB) | Rcvd: 5 (680B) 17 NESSUS The first step for executing the scan is to create new scan from the Nessus web client. After creating new scan, we have to set the parameters for the new scan i.e. scan name, scan type, and scan targets. For targeting the same machine, we will enter the system IP address on the scan targets window and click the run button. Step 1 is in Excel File Step 2 and Step 3 Signing is disabled on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server. SMB Signing Disabled Synopsis Signing is disabled on the remote SMB server. Description Signing is disabled on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server. Solution Enforce message signing in the host's configuration. On Windows, this is found in the Local Security Policy. On Samba, the setting is called 'server signing'. See the 'see also' links for further details. Step 4 To fix this vulnerability, SMB Signing should be enabled and possess the most updated version. 17.1 Vulnerability Details and Fixing Recommendations Server Message Block (SMB) protocol lays the foundation for Microsoft File and Print services along with various network services, for instance, remote access and administration. In order to secure man in the middle attacks from modifying SMB data packets in transition, SMB protocol as the capability to digitally sign SMB packets. Policy can be configured on the server that will determine the negotiation of SMB packets signing prior permitting further communication with the SMB client. Likewise, if this policy configuration is activated, Microsoft network server will not permit communication with network client without agreement to enable SMB packet signing. In case of unavailability of this policy configuration, SMB packet signing starts negotiating via server and the client. The default setting for this policy configuration will be: Deactivated for member servers and activated for domain controllers. The policy configuration is activated by expanding the console tree i.e. Computer Configuration ?Windows Settings ?Security Settings ?Local Policies ? Security Options . 18 References VACCA, J.R., Computer and information security handbook Amsterdam ; Morgan Kaufmann, c2009. DETMAR STRAUB, GOODMAN, S.E. and BASKERVILLE, R., 2008. Information security: policy, processes, and practices Armonk, N.Y.: M.E. Sharpe. OSBORNE, M. and SUMMITT, n.d, P.M., How to Cheat at Managing Information Security Syngress Publishing. ILVONEN, I., 2009. Information Security Policies in Small Finnish Companies. Proceedings of the European Conference on Informations Warfare & Security, , pp. 112-117. OSBORNE, M. and SUMMITT, P.M., How to Cheat at Managing Information Security Syngress Publishing. , SANS: Information Security Policy Templates. Available: http://www.sans.org/security-resources/policies/ [1/2/2012, 2012]. Read More