Corporate Security Management - Research Paper Example

Summary
This research paper "Corporate Security Management" presents the basic security needs for Well-Health Inc. along with other security issues and dangers. This research will also suggest mitigation procedures and measures that can be incorporated to handle and manage corporate security management…

Extract of sample "Corporate Security Management"

STAGE 5: SECURITY PLAN

Table of Contents
  • Purpose
  • Scope
  • Target Application Identification and Description
      • Security Issues
      • Target Application
  • Plan Owner Contact Information
  • Enterprise Architecture/Infrastructure That Supports the Application
  • Organizational Roles and Responsibilities
      • Director or CEO of the Organization
      • Incident Response Point of Contact
      • Security Plan Owner
      • End User
  • Security Requirements
  • Security Solutions
  • Security Controls
  • Plan Maintenance
  • Plan Approval
      • Well-Health Executive
  • References

Introduction

Computer security is the process of protecting a computer system and the data stored in it from being damaged or accessed by unauthorized persons. A computer system must be protected against access by unauthorized persons, and different methods and techniques are used to do so. In this scenario, a security plan consists of the rules and measures that an organization will follow to ensure information security (Whitman & Mattord, 2011; Smith & Spafford, 2004; Williams, 2007). This paper outlines the process of developing a security plan to address the security requirements identified by the ACME IT Manager and the control gaps (security requirements) identified previously by the Well-Health Inc. ISSO. This security plan is aimed at identifying the basic security needs of Well-Health Inc. along with other security issues and dangers. This research will also suggest mitigation procedures and measures that can be incorporated to handle and manage corporate security management.
Plan Scope and Purpose

Purpose

Information security plans contain a wide variety of guidelines and rules that promote a standardized response to the information security issues that may be encountered, so that a team of IT experts can immediately recognize what action should be taken in a given situation. An information security plan should be put in place by any enterprise that has a computer and communication network. Although these procedures and policies are tremendously complicated to plan and implement, sound information security policies allow an operation to care for its data with relative ease (Elemental Cyber Security, Inc., 2012; Whitman & Mattord, 2011). In the previous stages, we assessed a number of aspects of the new security control arrangements, applications and requirements that need to be updated before the new health care insurance system is applied. This section outlines the scope and purpose of the information security plan. The purpose of this security plan is to offer guidelines and policies that could be adopted by ACME IT in case of a disaster.

Scope

The implementation of an information security plan for ACME IT would be extremely helpful and beneficial when Well-Health Inc. launches any new information technology project. The scope of this plan includes offering the following capabilities to ACME IT:
  • Effective data protection
  • Disaster management and handling
  • Application of suitable controls and authentication
  • Enhanced data security
  • Better data quality
  • No breach of copyright
  • Assessment of daily tasks
  • Quality authentication
  • Easy way of working
  • Easy management of the data
  • Fewer conflicts among data formats
  • Easy data sharing among all divisions of the corporation

Target Application Identification and Description

The purpose of applying this security plan is to deal with the security issues assessed by ACME IT.

Security Issues

The main security issues are:
  • Lack of suitable security policies
  • No enhanced cryptographic modules
  • No record of staff, i.e. their current and past employment history
  • No proper mechanism for employees to sign a statement confirming that they have read and understood the security policy of the company
  • No CCTV cameras at entry and exit points
  • No suitable intrusion detection system
  • No facility for backup snapshots
  • No multiple internet providers
  • No Secure File Transfer Protocol (SFTP)
  • No Secure Sockets Layer (SSL)
  • No suitable and updated anti-virus and anti-spyware software

Target Application

This section discusses the target application, with the identification and description of the security plan. The basic purpose of this section is to describe the purpose of the information security plan.
I have outlined below the target application with its description:
  • The first target application of this security plan is to secure business data (health care insurance, business revenue details) and information
  • Another target is implementing the regulations and rules for the expected behavior of system administrators, users, security personnel and management
  • It will be applied to authorize and verify security workers to check, search, and investigate
  • It will be used to describe as well as approve the outcomes of breaches
  • It will be used to describe the business's agreed baseline stance on corporate information security
  • It will be applied to minimize the impact of risk
  • It will ensure compliance with regulations and legislation

ACME Company’s information security plan will offer a structure for best practices that staff members can easily follow. This plan will help make sure that risk is reduced and that security events are successfully responded to. In addition, the plan will help turn staff into participants in the business’s attempts to protect its essential data and information assets, and the process of building up these strategies will help describe the business’s information assets. Moreover, this information security plan will describe the organization’s approach to information: information, and its distribution inside and outside the business, is a corporate asset, the property of the business, and is to be secured from illegal change, access, exposure, and destruction.

Plan Owner Contact Information

The security plan will be maintained by the Well-Health ISSO, and the System Owner for the CW application is Mr. Smith. Here we will plan for enhanced authentication for the owners of database systems and their access level. The staff of Well-Health Inc. will have rights to limited information access, while the management staff will be given more privileges for accessing the corporate data and information assets. This will be based on the application of very strict access management rules and regulations that will offer a great deal of capability to manage overall access to corporate assets. This plan will be owned by Mr. Smith (at Well-Health ISSO).

Enterprise Architecture/Infrastructure That Supports the Application

We are going to develop an information security policy for Well-Health Company, aimed at improving the security of the web service through the introduction of an exact yet enforceable security policy, notifying staff of the various aspects of their tasks and of the common use of business resources, and describing how sensitive information has to be handled. The plan will also explain the meaning of acceptable use and list forbidden tasks. The development and good implementation of an information security plan is extremely helpful, as it will not simply turn all our employees into participants in the corporation's effort to protect its communications but will also help minimize the risk of a possible security breach due to "human-factor" faults. These are typically concerns such as revealing information to unidentified (or illegal) sources, the insecure or inappropriate use of the Internet, and many other risky activities. In addition, the development of this security plan will help ACME Company’s information security plan to describe the vital corporate assets, which means they have to be secured, and will also serve as a basic document to ensure that the information security assets are apprehensive (Danchev, 2003).
Figure 1: Enterprise architecture. Image source: http://itil.osiatis.es/ITIL_course/it_service_management/security_management/introduction_and_objectives_security_management/introduction_and_objectives_security_management.php

The image above shows the enterprise architecture to illustrate how the information security plan works. The effective application of the security plan at ACME Company will offer a great deal of support for the protection of Well-Health Inc.'s information assets. The basic architecture will be based on suitable tracking of each area and aspect of the information system. In addition, these aspects can be tracked and managed for handling and controlling corporate information management operations. Clients will have access through SLA-supported web browsers, and there will be proper reporting of each aspect of corporate information transfer and working.

Organizational Roles and Responsibilities

One of the initial steps in developing and applying a better information security policy is to define the organizational parameters for the management of security plans.
Director or CEO of the Organization:
  • Responsible for information security throughout the health organization
  • Responsible for minimizing threat exposure
  • Making sure that the organization’s processes do not introduce unwarranted risk to the organization

Incident Response Point of Contact:
  • Responsible for communicating with the State Incident Response Team
  • Responsible for coordinating the organization’s actions against an information security incident

Security Plan Owner:
  • Responsible for classifying data and information
  • Responsible for taking decisions regarding access privileges and controls
  • Responsible for performing cyclic reclassification
  • Responsible for carrying out standard reviews for value and updates to deal with changes to risk

End User:
  • Responsible for strictly following the requirements of the policies, procedures and practices established in the security plan

Security Requirements

This section outlines a number of security requirements that were established while analyzing the needs and requirements of Well-Health Inc’s system application. These requirements are outlined below:
1. Utilize only FIPS 140-2 certified cryptographic modules
2. Must have an intrusion detection system
3. Managed backup snapshots with at least two weeks retention are provided
4. Install Secure File Transfer Protocol (SFTP)
5. Must have Secure Sockets Layer (SSL)
6. Must have HIPAA and PCI compliance-ready configurations available
7. Provide for server and application monitoring with immediate response
8. Install anti-virus and anti-spyware software
9. Increase the number of servers
10. Install the Oracle Fusion Middleware 11g to have two new single sign-on solutions
11. Install internal firewall software

Security Solutions

In light of the security requirements stated above, this section presents a detailed security management plan for the ACME Company for managing the web services of Well-Health Inc’s system.
In this scenario, we will require the following IT security management tools and techniques to deal with the requirements stated above (Massachusetts Society of Certified Public Accountants, 2012):
  • Security firewalls
  • Secure verification
  • Dial-in security management
  • Use of encryption techniques
  • Training workers for security management
  • Virus inspection software
  • Implementing standardized mechanisms
  • Safe storage, back-up and retrieval of data
  • Physical security management
  • Installing burglar alarm
  • Physically secure or lock

Security Controls

The security plan will be maintained by the Well-Health ISSO, and the system owner for the CW application is Mr. Smith. Now I will discuss security controls from 800-53 Rev 3 for the management of corporate security for Well-Health Inc’s system application for web services. The controls from 800-53 Rev 3 (from the previous stage) are:
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment and Authorization
  • Contingency Planning
  • Incident Response Planning
  • Access Control
  • Identification and Authentication
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • System and Services Acquisition
  • System and Information Integrity

Plan Maintenance

The plan will be maintained by the Well-Health ISSO, and the System Owner for the CW application is Mr. Smith. A security plan of this kind also needs constant maintenance. We also need to keep a record of the basic working procedures online for addressing any security issue. Plan maintenance will also involve staff training sessions that will improve their skills and capabilities for better handling of corporate security management.

Plan Approval

The plan is finalized and approved for implementation:

Mr. Smith, System Owner for the CW application
Signature _____________________ Date:

Mr. ABC, ACME Business Security Manager
Signature _____________________ Date:

Mr. XYZ, Well-Health Executive
Signature _____________________ Date:

References

Elemental Cyber Security, Inc. (2011). Elemental Security and Information Security Policy. Retrieved December 20, 2011, from http://www.elementalsecurity.com/glossary/information-security-policy.php

Massachusetts Society of Certified Public Accountants. (2012). Sample Written Information Security Plan. Retrieved March 03, 2012, from http://www.mscpaonline.org/pdf/wisp.pdf

Smith, S. W., & Spafford, E. H. (2004). Grand Challenges in Information Security: Process and Output. IEEE Security and Privacy, Volume 2 Issue 1, pp. 69-71.

Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. Course Technology.

Williams, R. H. (2007). Introduction to Information Security Concepts. Retrieved July 12, 2010, from http://www.rhwiii.info/pdfs/Introduction%20to%20Information%20Security%20Concepts.pdf