Establishing Information Security Policy - Report Example

? Full Paper Project Deliverable 1 Information Security Mission ment The Global Distribution, Inc. and Global Distribution, Inc. staff are inherent and responsible for protecting the physical information assets, confidential data and intellectual property of the organization. Similarly, these physical and indefinable assets must be protected from upcoming threats to Global Distribution, Inc. and Global Distribution, Inc. employees. As a result, the information security policy for Global Distribution, Inc.is a serious business function that must be incorporated within the business operations covering all aspects of Global Distribution, Inc. business dealings, processes and tasks. However, in order to achieve these objectives, policies and procedures that are already in place such as, Acceptable Use Policy of Global Distribution, Inc. Information security is the basis for the business that must be incorporated into each element of the organization for instance, administrative service, planning and development, sales and marketing and operations. In addition, these functions need particular controls for mitigating the risk from normal business operations. State and federal laws that are associated with information security and privacy policies are applicable to Global Distribution, Inc., as non-compliance will impose fines, stakeholder confidence, audits and direct revenue loss for Global Distribution, Inc. 1.1 Overview Information security has now become everyone’s business. In fact, every member of staff present at Global Distribution, Inc.is responsible in making themselves alert with the compliance with Global Distribution, Inc. policies, procedures and standards connected with information security. Similarly, a policy is measured as a strategic control followed by budgets and organizations (Osborne, 2006). Information Security is defined as: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats” (Vacca, 2009). The three fundamental objectives regarding Information Security includes Confidentiality, Integrity and Availability. This policy draft is based on these three objectives. 2 Purpose of Establishing Information Security Policy An Information Security policy is required by the Global Distribution, Inc. in order to secure information resources from upcoming threats. This is to establish confidence in stakeholder. Moreover, valuable benefits are achieved in the market by securing information security resources. In addition, maximum profit along with trust is generated among the organizations. However, security of any organization does not fully depend on Information technology. Other sources regarding threats to an organization includes vandalism, sabotage, espionage, natural disasters, online frauds, phishing etc. In fact, cyber-crimes can also compromise networks while data in transit. Some of the other threats are non-ethical hacking, viruses, Trojan, malicious codes and denial of service attacks. 2.1 Success Factors In order to implement an effective and successful security policy within Global Distribution, Inc. these factors should be made into consideration: Absolute and inclusive security policy along with security objectives that is parallel to the business objectives of Global Distribution, Inc. A methodology that is compatible along with the Global Distribution, Inc. In order to support Global Distribution, Inc., a comprehensive and visible senior management is needed. Extremely visible support from Global Distribution, Inc. executive management. Complete and thorough information regarding risk management and security requirement practices. Security requirements are communicated to the Global Distribution, Inc. managers, business partners, clients, software developers and outsourced firms. To all the Global Distribution, Inc. managers, business partners, clients, software developers and outsourced firms, assistance and guidance is provided. Training sessions are provided on Information Security. With the help of periodic reviews of controls and mechanism, the effectiveness of information security is measured. Vulnerabilities are identified and adjustments are made over Global Distribution, Inc. in order to modify business objectives. Annual review of the Information Security policy regarding the Global Distribution, Inc. is processed, In order to modify or update security policy. 3 Information Security Policy Outline The information security policy is sketched from one of the templates of SANS. SANS states that their websites are considered to be one of the most trusted and the widest source for the information security research globally. This website focuses on the certifications, research and trainings (Sjouwerman, n.d). Moreover, for basic requirements and fundamental needs, many authors refer to SANS information security policy templates as the most effective policy for the organizations. In fact, these templates can be utilized by just replacing the organizations names in some cases. Here the focus is on the alignment of business objectives and goals regarding policy implementation as, it are considered to be the core control that helps in governance of the organization from top to bottom (Osborne, 2006). 1. Purpose 2. Scope 3. Policy 3.1. Ownership 3.2. Acceptable Use Requirements 3.3. Configuration Requirements 3.4. Compliance with Legal Requirements 3.4.1. Associated and Applicable Legislation 3.4.2. Intellectual Property Rights 3.4.3. Intellectual Property Standards and Training 3.4.4. Using Software from Outside Sources 4. Enforcement 5. Revision History Version 1.0 Project Deliverable #2 4 Executive Summary 5 Analysis of the ISPD The purpose of information security policy is to designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. In our information security policy document, we have addressed the following factors: 5.1 Scope Scope of the policy defines the requirement of Global Distribution, Inc. (GDI) Computer network i.e. protecting critical assets of the organization; maintain generic security architecture, real time protection, monitoring mechanisms 5.2 Purpose Purpose of this policy is to ensure integrity, availability and confidentiality for Global Distribution, Inc. (GDI) computer and Global Distribution, Inc. (GDI) information assets. 5.2.1 Logical security controls In the policy document, several logical controls are addressed including firewall configuration and management, wireless network protection and encryption. 5.2.2 Physical security controls Policy states that no employee who may want access to Global Distribution, Inc. (GDI) network without justified identification and purpose. Moreover, usage of communication devices must be according to the open space policy of the organization. 5.3 Impact Analysis Impact on other computer networks of Global Distribution, Inc. (GDI) were addressed by restricting any additional overhead of network traffic that may be generated by network tools. 5.4 Non- compliance issues / Exclusion Exceptions are mentioned in the policy document only on submitting a justification for non-compliance that will only be approved by the information security personnel. Moreover, a right to audit for checking the compliance with policy is also mentioned in the policy for assurance and compliance for standards and procedures (Gregory, 2009) 5.5 Ownerships Policy has entitled for Computer Security Program Manager (CSPM) for protect the physical and operational security of GDI’s corporate information system. Moreover, they are also responsible for managing all the activities as required by Global Distribution, Inc. (GDI). 5.6 Enforcement of Policy It is necessary to enforce compliance with the policy. However, the level of strictness must not be too high otherwise it may subject to a higher cost of ownership i.e. more resources may be required to enforce a policy (Isaca, 2012). 5.7 Configurations In order to meet the requirements of Global Distribution, Inc. (GDI), support staff takes care of the firewall configuration, monitoring and management and the approval process is entitled to the owner. 6 Real Time Monitoring For continuous and real time monitoring digital streams on different network segments of Global Distribution, Inc. (GDI), intrusion detection and prevention system IDS/IPS is necessary. IDS and IPS are of different types and technologies. We will discuss anomaly based and signature based IDS. The signature based IDS analyze and identify specific patterns of attacks that are recognized by raw data that is in terms of byte sequences called strings, port number, protocol types etc. Likewise, apart from the normal operational pattern, signature based IDS detects any activity that is unusual from previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime object of a ‘signature based IDS’ is to search signatures in order to detect a threat or vulnerability that is similar to antivirus software that also detects viruses. The functionality of IDS is to detect attacks that are initiated directly towards the network. Moreover, IDS tries to identify as many events as possible and therefore generate logs. The location if IDS is behind the firewall so that it may analyze packets that are passed via a firewall. The detection engine of IDS compares predetermined rules in order to deny or accept packets. The rules are categorized in two domains i.e. Chain headers and Chain options. The structure of a signature contains the following attributes: Identification number, Message and Rule. Anomaly based intrusion detection system is based on data driven methodology that complies with data mining techniques. The functionality of an anomaly based IDS involves in the creation of profiles associated with normal behavior and activities within the network. If any unknown activities initializes that is not similar to the normal profiles, is considered as anomalies or attacks. Moreover, the normal routines of normal profiles are also monitored, if they also exceeds from their given boundaries, they are also considered as anomalies also called as false positives. An efficient anomaly based IDS may extract results containing high detection success rate along with low false positive rate. 6.1 Suggested Solution Lot of approaches has been already highlighted, as organizations tend to implement only one type of IDS, whether signature based IDS or Anomaly based IDS. The previous study was based on Active networks. This study is a more advanced form of the previous study that was based on mobile agents. The research will illustrate the integration of both these technologies for superior protection against threats and vulnerabilities in an active network. The core component of this research is a Flexible Intrusion Detection and Response Framework for Active Networks (FIDRAN). FIDRAN is a flexible intrusion detection and response system that is based on active networking and enables security specialist to combine emerging security technologies to provide superior protection for the network. The research demonstrates the features and capability of FIDRAN to combine strengths for eliminating weaknesses in order to provide superior protection. The architecture of FIDRAN allows adding dynamic functionalities and the ability to configure the IDS on runtime. The security operation distribution among FIDRAN hosts facilitates FIDRAN to resist against intrusions and to balance the load on per host basis. Anomaly and Signature based IDS can be integrated with FIDRAN architecture to provide superior protection from the network as the active networking mechanism aids to locate the op modules dynamically for keeping the balance of load on individual FIDRAN host in a definite upper limit. 7 Continuous Monitoring Threat profile is always changing, as advanced persistent threats (APT) are getting advanced day by day. These APT use new methods of attacks possessing built-in engines. Likewise, a new threat means a new risk for a vulnerability to be exploited by these APT. Therefore, there is a requirement of a comprehensive risk management program for Global Distribution, Inc. (GDI) that will address risks on critical assets. Vulnerabilities are defined as weaknesses in a system, network, workstation, or server. This weakness can be exploited by a virus, Trojan, work, malware etc. Likewise, vulnerabilities are not inherent, as they can be created by poorly managing patch management procedures, operating system critical updates procedures, virus definition updates procedures, no adequate rules on firewall etc. These vulnerabilities can be exploited by threats such as a weak hole in an operating system can be exploited by a worm or virus attack. Threats are the known viruses, Trojans, root kits, malware, adware, spyware etc. Following are the result of Risk Assessment performed that will be used by Incident management group for activation of business continuity plan. Business continuity plan is develop to mitigate threats that have low probability of occurrence but high impact. Name of Threats Probability H / L Impact Action Required Power Failure / Fluctuation H H Reduce (Avoid or Transfer) IT Asset Damage H H Virus Attack H H Failure of Application System H L Develop Control Failure System Software H L Fraud H L Telecommunication Failure H L Internal IT attacks H L External IT Attacks H L Unauthorized access H L Head office Sabotage L H Business Continuity Plan Terrorism L H Explosion L H Fire L H War L H Bomb Threats L H Civil Disorder L H Flooding L H Nuclear Fallout L H Tornado, Hurricane, typhoon L H Tidal Waves L H Data loss L H Heating, Ventilation or Air Conditioning Failure L L Accept High Winds L L Robbery L L 8 References Gregory, P. (2009). CISA certified information systems auditor all-in-one exam guide McGraw-Hill Companies,Incorporated. Isaca. (2012). CISM review questions, answers and explanations manual 2013 supplement - spanish Information Systems Audit and Control Association. Osborne, M. (2006). How to cheat at managing information security Elsevier Science. Rumkin.com, n.d, Retrieved 1/17/2013, 2013, from http://rumkin.com/ Sjouwerman, S.Cyberheist KnowBe4 LLC. Vacca, J. R. (2009). Computer and information security handbook Elsevier Science. Read More