Information Security Policy for AMERCO Car Leasing Company - Term Paper Example

of the of the 14 December Introduction AMERCO Car Leasing is an E-commerce based company with its head officein Bathesda office and three local pick up points located in DC metro area. Primary business is associated with car leasing for personal and business use. AMERCO Car Leasing Company wants to draft an information security policy we will use a phased approach that will use a basic policy framework that will address key policies followed with the development of more policies. Likewise, the phased approach will also revise the existing policies that are already in place. In the current scenario there is no policy in place, as the company is new. One key element for a policy development process is the process maturity level. For instance, a newly derived comprehensive and complex security policy cannot be successful because organizations need time for compliance. Common pitfalls for compliance are different organization cultures, lack of management buy-in, insufficient resources and many other factors. For a newly inaugurated car leasing company, the initial step would be to publish a policy that includes bulleted points i.e. in the form of checklists. Afterwards, when the processes are matured, more policies can be developed with comprehensive and detailed requirements along with documentations for Standard operating procedures (SOP). Moreover, providing awareness of the newly developed policy will also need time to mature and align with different departmental policies already in place. To gain management buy in for any newly develop policy, it must be operational as early as possible so that changes can be made and customized in alignment with the corporate business requirements. As the policy development process can be triggered at various stages, regulations are vital motivators that are one of the key reasons for developing or modifying a policy. Moreover, any security breach resulting in a poor incident response plans and procedures can also be a factor to review or create a new incident response policy and incident response plan. The ‘top-down’ approach that will consult policy making from best practices and regulations will make only the presence of an non-natural policy with no results, as it will not be effective in the real world scenario. On the other hand, ‘bottom-up’ approach that will take inputs from the network administrator or Information Technology specialist will be too specific and according to the local practices that will not address issues in the current operational environment of a corporate organization. Recommendations will be to find a balance and combination between these two approaches. --------------------------------------- Information Security Policy Document (ISPD) for AMERCO Car Leasing Company The information security policy is drafted from one of the templates from SANS that claims on their website to be the most trusted and the largest source for information security research in the world that focuses on certification, research and training. Moreover, many authors refer to SANS information security policy templates to facilitate organizations for an initial step of fundamental and basic requirements that are stated in these templates. However, in some cases these policy templates only require a change in the name of organization only. In spite, the focus needs to be on aligning business objectives to the policy, as it is considered to be one of the vital controls that govern from top to bottom (Chen, Ramamurthy, and Wen 157-188). 1. Purpose This policy demonstrates requirements for protecting or securing information for AMERCO Car Leasing company information and information that is classified and categorized as confidential cannot be conceded or breached and the services related to production and third party service providers security is safeguarded from the operations of the information security and AMERCO Car Leasing company. 2. Scope This policy is applicable to employees and third parties who have access to head office in Bathesda office and three local pick up points located in DC metro area. The scope of this policy will also cover all the legacy and future equipment that will be configured and tuned as per the reference documentations. 3. Policy 3.1. Ownership Responsibilities 3.1.1. The first factor that must be addressed is the ownership criteria. AMERCO Car Leasing Company is responsible for recruiting or assigning a chief information security manager for a point of contact for communication and an alternate point of contact in case of unavailability of the primary point of contact. Employees who are assigned as the owners of the company must organize and update the point of contact on regular basis in order to align with the information security and corporate enterprise management members or groups. Managers of the company must be available all the time i.e. round the clock, either via phone or on office hours. In case of absence, alternate manager must be functional to avoid hindrance to company operations. In case of any lack of mismanagement, legal action is applicable against the employee. 3.1.2. Moreover, company managers are also liable for the vital factor that is the security of AMERCO Car Leasing Company and the impact of its operations on the production functions and operations that are functional on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best for safe guarding AMERCO Car Leasing Company from security weaknesses and vulnerabilities. 3.1.3. Company managers are also liable for aligning security policies of the AMERCO Car Leasing Company in compliance with security policies of local pick up points located in DC metro area. The following policies are vital: Password policy of networking devices and hosts, wireless network security policy, Anti-Virus security policy and physical security policy, Information System policy, backup and recovery policy, media handling and disposal policy, network access control policy, third part service delivery management policy. 3.1.4. The Chief information security manager is the owner of AMERCO Car Leasing Company, and is responsible for granting and approving access to employees requiring remote access for information located on critical servers or business purpose. Access can be either short term or long term depending on the ongoing job description or responsibilities. Moreover, the chief information security manager will also ensure effective procedures for terminating unwanted access to the company resources. 3.1.5. The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations from the network or network appliance / equipment / device. They are also responsible for safeguarding the remote channels from the public web server located in the DMZ. 3.1.6. The network support staff or administration must be entitled to have full rights for interrupting network connections of the company that may impose impact or security risk on processes, functions and operation on the production network 3.1.7. The network support and administration staff must maintain and record all the IP addresses that are operational in the AMERCO Car Leasing Company and any database associated with routing information from these IP addresses. 3.1.8. Any personnel requires external connection to or from the company must provide a business case including justification of access with network diagrams and equipment to the information security management who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection. 3.1.9. User passwords must meet the requirements of the access management or password policy of AMERCO Car Leasing Company password policy. Moreover, any inactive account must be deleted within 2 days from the access list of the company and any device that involves critical and sensitive information of AMERCO Car Leasing Company, passwords of group based accounts from the group membership modules must be modified within 24 hours. 3.1.10. AMERCO Car Leasing Company will not facilitate other business partner services apart from network and data transmission, storage, modification, monitoring and protection. All the other university departments will be facilitated by their respective support functions. 3.1.11. In case of non-compliance, Chief information security management must consider business justifications and allow waivers accordingly. 3.2. Universal Configuration Necessities 3.2.1. The network traffic between the public web server of AMERCO Car Leasing Company and the other networks such as financial and banking transactions will be transmitted via a firewall monitored and maintained by the support staff. However, in case of a wireless network transmission, connection to other networks of the company will be prohibited. 3.2.2. In order to configure or modify any configuration settings on the firewall must be reviewed and approved by the information security personnel. 3.2.3. Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the company, as they can trigger information security risks and disrupt the AMERCO Car Leasing Company network or any other network that may be operational. 3.2.4. Right to audit for all inbound and outbound activities of the company is applicable to the information security personnel anytime. 3.2.5. For ensuring physical access, every employee or student must identify themselves via physical security controls before entering in the company is mandatory. 3.2.6. Accessing mobile phones, PDA’s, smart phones, laptops and any other communication device must be according to the information security policy. 3.2.7. Encryption must be applicable to stored password files, VPN connections and connections to the third party service providers where applicable. 3.3. Enforcement If any violation of this policy is found, the matter maybe subjected to disciplinary action including termination of employment. 4. Revision History Version 1.0 Conclusion A good information security policy must demonstrate a general security mandate and intent of the management. Information security policy must be detailed to cover all the aspects that may involve risks and threats to the organization. Moreover, human risks are one of the prime factors that cannot be prevented but can be counter with awareness and training. In the creation of an initial draft of the ISPD document, we have created a comprehensive information security policy for AMERCO Car Leasing Company to address internal logical threats, external logical threats, human threats and physical threats. Likewise, we have also made secure remote access to the critical servers. Every policy must be different for every organization and every department. There is a requirement of addressing risks that may gave opportunities to threats to utilize vulnerabilities and gain access to critical servers, in this case, the database which may include financial and banking transactions. Work Cited Chen, Yan, K. Ramamurthy, and Kuang-Wei Wen. "Organizations' Information Security Policy Compliance: Stick Or Carrot Approach?" Journal of Management Information Systems 29.3 (2012): 157-88. Print. Read More