General Security Mandate and Intent of the Management - Assignment Example

?Univesity Of Wales port campus) Information Security Policy Document Bespoke Forensic and Information Security Laboratory 9 Table of Contents Introduction and Methodology ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Page 2-4 Information Security Policy Document (ISPD) ~~~~~~~~~~~~~~~~~~~~~~~~~~ Page 4-9 Purpose ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Page 4 Scope ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Page 5 Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Page 5 Ownership Responsibilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Page 5 Universal Configuration Necessities ~~~~~~~~~~~~~~~~~~~~~~~~~ Page 8 Enforcement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Page 9 Revision History ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Page 9 Analysis of ISPD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Page 9-11 Conclusion ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Page 11-12 References ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Page 13 Introduction and Methodology As this is an information age, information is now in the form of digits that flows on an electronic computerized network. Organizations are dependent on these digital communication channels for transferring and exchanging classified information such as confidential information, mission critical information and information that is published for the people. As information is a blood life of any organization, it is vital to protect information by implementing physical, logical and environmental controls. In the context of protecting information security, three fundamental factors must be considered to make use of digitized information in an effective manner i.e. Confidentiality, Integrity and Availability. As there is a requirement of protecting this digital information internally and externally, policy is a control that provides necessary steps, procedures and processes to protect information. These are also considered as high level statements derived from the board of the organization. “Information security policy is therefore considered an essential tool for information security management” (Ilvonen 2009). However, information security policy is customized by company to company and department to department. Different factor that may influence to tailor the policy includes organization size, dependence on information systems, regulatory compliance and information classification scheme. For addressing all issues related to information security via a single policy is not possible, however, to cover all aspects related to information security, a set of information security policy document focusing on different group of employees within the organization is more suitable. This paper will discuss different factors that must be taken in to account when constructing and maintaining an information security policy. However, there are many methods available for constructing an information security policy, the initial step before adopting any one of the methods is to identify the current maturity level of the policy construction process within the organization. The outputs will be either no information security policy development process in place or there is an extensive policy development process exists. As University of Wales has inaugurated a new bespoke digital forensic and information security laboratory, we will use a phased approach that will use a basic policy framework that will address key policies followed with the development of more policies. Likewise, the phased approach will also revise the existing policies that are already in place. In the current scenario there is no policy in place, as the laboratory is new. One key element for a policy development process is the process maturity level. For instance, a newly derived comprehensive and complex security policy cannot be successful because organizations need time for compliance. Common pitfalls for compliance are different organization cultures, lack of management buy-in, insufficient resources and many other factors. For a newly inaugurated forensic laboratory, the initial step would be to publish a policy that includes bulleted points i.e. in the form of checklists. Afterwards, when the processes are matured, more policies can be developed with comprehensive and detailed requirements along with documentations for Standard operating procedures (SOP). Moreover, providing awareness of the newly developed policy will also need time to mature and align with different departmental policies already in place. To gain management buy in for any newly develop policy, it must be operational as early as possible so that changes can be made and customized in alignment with the corporate business requirements. As the policy development process can be triggered at various stages, regulations are vital motivators that are one of the key reasons for developing or modifying a policy. Moreover, any security breach resulting in a poor incident response plans and procedures can also be a factor to review or create a new incident response policy and incident response plan. The ‘top-down’ approach that will consult policy making from best practices and regulations will make only the presence of an non-natural policy with no results, as it will not be effective in the real world scenario. On the other hand, ‘bottom-up’ approach that will take inputs from the network administrator or Information Technology specialist will be too specific and according to the local practices that will not address issues in the current operational environment of a corporate organization. Recommendations will be to find a balance and combination between these two approaches. --------------------------------------- Information Security Policy Document (ISPD) for Information Security and Forensic Laboratory The information security policy is drafted from one of the templates from SANS that claims on their website to be the most trusted and the largest source for information security research in the world that focuses on certification, research and training (, SANS: Information Security Policy Templates ). Moreover, many authors refer to SANS information security policy templates to facilitate organizations for an initial step of fundamental and basic requirements that are stated in these templates. However, in some cases these policy templates only require a change in the name of organization only. In spite, the focus needs to be on aligning business objectives to the policy, as it is considered to be one of the vital controls that governs from top to bottom (Osborne, Summitt ). 1. Purpose This policy demonstrates requirements for protecting or securing information for University of Wales, City port campus information security and forensic laboratory to safeguard that the universities information that is classified and categorized as confidential cannot be conceded or breached and the services related to production and third party service providers security is safeguarded from the operations of the information security and forensic laboratory. 2. Scope This policy is applicable to all other laboratories that are internally connected, University of Wales, City port campus students, employees and third parties who have access to University of Wales, City port campus information security and forensic laboratory. The scope of this policy will also cover all the legacy and future equipment that will be configured and tuned as per the reference documentations. If any other laboratories exist in the University of Wales, City port campus will be exempted from the scope of this policy and will be treated as per the specific policy if available. 3. Policy 3.1. Ownership Responsibilities 3.1.1. The first factor that must be addressed is the ownership criteria. University of Wales, City port campus is responsible for recruiting or assigning a digital forensic and information security laboratory manager for a customized laboratory, a point of contact for communication and an alternate point of contact in case of unavailability of the primary point of contact. Employees who are assigned as the owners of the laboratory must organize and update the point of contact on regular basis in order to align with the information security and corporate enterprise management members or groups. Managers of the laboratory must be available all the time i.e. round the clock, either via phone or on office hours. In case of absence, alternate manager must be functional to avoid hindrance to laboratory operations. In case of any lack of mismanagement, legal action is applicable against the employee. 3.1.2. Moreover, laboratory managers are also liable for the vital factor that is the security of the bespoke information security and forensic laboratory and the impact of its operations on the production functions and operations that are functional on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best for safe guarding information security and forensic laboratory of University of Wales, City port campus from security weaknesses and vulnerabilities. 3.1.3. Laboratory managers are also liable for aligning security policies of the laboratory in compliance with University of Wales, City port campus security policies. The following policies are vital: Password policy of networking devices and hosts, wireless network security policy, Anti-Virus security policy and physical security policy. 3.1.4. The laboratory manager is the owner of the University of Wales, City port campus information security and forensic laboratory, and is responsible for granting and approving access to employees or students requiring access for information or business purpose. Access can be either short term or long term depending on the ongoing job description or responsibilities. Moreover, lab manager will also ensure effective procedures for terminating unwanted access to the laboratory resources. 3.1.5. The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations from the laboratory network or network appliance / equipment / device. 3.1.6. The network support staff or administration must be entitled to have full rights for interrupting network connections of the laboratory that may impose impact or security risk on processes, functions and operation on the production network 3.1.7. The network support and administration staff must maintain and record all the IP addresses that are operational in the laboratory of University of Wales, City port campus networks, any database associated with routing information from these IP addresses. 3.1.8. Any laboratory for department requires external connection to or from the laboratory must provide a business case including justification of access with network diagrams and equipment to the information security management who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection. 3.1.9. User passwords must meet the requirements of the access management or password policy of University of Wales, City port campus password policy. Moreover, any inactive account must be deleted within 2 days from the access list of the laboratory and any device that involves critical and sensitive information of University of Wales, City port campus, passwords of group based accounts from the group membership modules must be modified within 24 hours. 3.1.10. The customized information security and forensic laboratory will not facilitate other university services apart from network and data transmission, storage, modification, monitoring and protection. All the other university departments will be facilitated by their respective support functions. 3.1.11. In case of non-compliance, information security management must consider business justifications and allow waivers accordingly. 3.2. Universal Configuration Necessities 3.2.1. The network traffic between the laboratory and the other networks for instance, campus area network, will be transmitted via a firewall monitored and maintained by the support staff. However, in case of a wireless network transmission, connection to other networks of the university will be prohibited. 3.2.2. In order to configure or modify any configuration settings on the firewall must be reviewed and approved by the information security personnel. 3.2.3. Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the laboratory, as they can trigger information security risks and disrupt the University of Wales, City port campus, campus area network or any other network that may be operational. 3.2.4. Right to audit for all inbound and outbound activities of the laboratory is applicable to the information security personnel anytime. 3.2.5. For ensuring physical access, every employee or student must identify themselves via physical security controls before entering in the laboratory is mandatory. 3.2.6. Accessing mobile phones, PDA’s, smart phones, laptops and any other communication device must be according to the open area security policy. 3.2.7. Encryption must be applicable to stored password files, VPN connections and connections to the third party service providers where applicable. 3.3. Enforcement If any violation of this policy is found, the matter maybe subjected to disciplinary action including termination of employment and students of the campus maybe expelled. 4. Revision History Version 1.0 ---------------------------------------------------------- Analysis of the ISPD As the purpose of information security and forensic laboratory is to practice and implement security controls within the university campus, every aspect must be considered in terms of confidentiality, Integrity and Availability. In our information security policy document, we have addressed the following factors: Scope Scope of the policy defines the requirement of compliance to a specific department i.e. Information security and Forensic laboratory Purpose Purpose is derived from the management that defines the requirements of creating the policy Logical security controls In the policy document, several logical controls are addressed including firewall configuration and management, wireless network protection and encryption. Physical security controls Policy states that no employee or student may enter the laboratory without justified identification and purpose. Moreover, usage of communication devices must be according to the open space policy of the university. Impact Analysis Impact on other computer networks of the university were addressed by restricting any additional overhead of network traffic that may be generated by network tools. Non- compliance issues / Exclusion Exceptions are mentioned in the policy document only on submitting a justification for non-compliance that will only be approved by the information security personnel. Moreover, a right to audit for checking the compliance with policy is also mentioned in the policy for assurance and compliance for standards and procedures (Harris, 2008) Ownerships Policy has entitled laboratory owners for setting the direction of overseeing, managing and approving access to the laboratory. Moreover, they are also responsible for managing all the laboratory activities as required by the university. Enforcement of Policy It is necessary to enforce compliance with the policy. However, the level of strictness must not be too high otherwise it may subject to a higher cost of ownership i.e. more resources may be required to enforce a policy (Isaca, 2011). Configurations In order to meet the requirements of the university’s laboratory, support staff takes care of the firewall configuration, monitoring and management and the approval process is entitled to the owner. Conclusion A good information security policy must demonstrate a general security mandate and intent of the management. Information security policy must be detailed to cover all the aspects that may involve risks and threats to the organization. Moreover, human risks are one of the prime factors that cannot be prevented but can be counter with awareness and training. In the creation of an initial draft of the ISPD document, we have created a comprehensive information security policy for the laboratory of the university to address internal logical threats, external logical threats, human threats and physical threats. As mentioned before, every policy must be different for every organization and every department. There is a requirement of addressing risks that may gave opportunities to threats to utilize vulnerabilities and gain access to critical servers, in this case, the database which may include college papers and other confidential data. References OSBORNE, M. and SUMMITT, P.M., How to Cheat at Managing Information Security Syngress Publishing. ILVONEN, I., 2009. Information Security Policies in Small Finnish Companies. Proceedings of the European Conference on Informations Warfare & Security, , pp. 112-117. , SANS: Information Security Policy Templates . Available: http://www.sans.org/security-resources/policies/ [1/2/2012, 2012]. ISACA, CISM Review Manual 2011 Isaca. HARRIS, S., 2008. CISA Certified Information Systems Auditor All-in-One Exam Guide (All-in-One) McGraw-Hill Osborne Media. Read More