Enterprise Security Policy Plan for MEMATECH Solutions Limited - Case Study Example

Enterprise Security Policy Plan al Affiliation) A strong security policy plan is maintained by applyingsecurity controls, responsibilities of data ownership, and maintaining the security infrastructure. The policy will articulate requirements that will help the management of MEMATECH Solutions Limited to define a framework that comes up with a secure working environment. The policy plan offers the overarching structure that safeguards the Information Technology resources, attaining confidentiality, availability of data, integrity, and Information Technology resources used in managing the services that is offered by the company’s business partners, agencies, and other state authority. It is the responsibility of Agency managers to have benchmarks and in effect offer quality assurance that the objectives of security are attained. The auditors have the role of exercising due diligence in adopting the framework. The agencies must attain compliance with the general information security objectives of the company including the regulations, law, standards, and policy where the data and resources are not confined to personal information. Who the Policy Applies to Executive Department of MemaTech, in addition any third partner that links to the company’s wide area network must conform to this policy. MemaTech is required to make sure compliance by all the business partners that can access the Executive Department Information Technology Resources or the shared environment. The Executive Department of MemaTech is needed to make sure compliance by third partners in any framework of the process of offering services to their companies. These entails, collection, storage, maintenance, dissemination, and electronic data. The business partners can interact with the resources of the company are required to abide with this policy. The company is encouraged to implement the security requirements according to the Enterprise Information Security Policy at stringent agency policy according with the business and agency related regulations, directives, and laws (Tudor, 2001). Policy Plan IT security attack and Defense MemaTech is required to implement procedure, associated policies, and controls that safeguard the company’s information assets, including the personal information and Information Resources from all attacks, where external, internal, accidental, or deliberate. Additionally, the guiding principles of IT information (availability, Confidentiality, and integrity) must be defensed from attacks. The company must review the general implementation of the security safety against all the regulations, associated risk, standards, and applicable laws. Security Auditing Principles MemaTech is required to implement the Information Security Program. The program is a management system representing the controls and policies implemented within the company. An effective and efficient management system offers both the users and the management control to secure the information asset of the company, its sensitive information, and must take note the lifecycle of Information Security Program. These include the risk treatment, risk assessment, implementation and selection of security control, and ongoing maintenance and evaluation. The company is required to prioritize, quantify, and identify risks against the control and operational objectives and to exercise, design, and implement controls that offer reasonable assurance that aims will be achieved and that risk will be mitigated to a level that is acceptable. Risk Auditing considers the perspective threat to information and the resources of Information Technology including losing information from accidents, system unavailability, and system dynamics. Consequently, the company needs to identify threats on their costs and threats. Implementing Audits for Various Activities The company needs and requires evaluating and monitoring the specified controls that need to be implemented to achieve the stated objectives of the security. The process need to identify the security that will be implemented and justify and identify which controls of security are not deemed applicable or necessary. Establishing Baseline for User Activities The statement of applicability is a paper that lists the company’s information security control goals, controls, objectives, and adopted policies which are applicable and relevant to MemaTech information program of security management. The company is required to maintain this document for all Information Technology information and Resources assets, including the personal information. Specific company information Security goals and objectives, including the sources of document and details are stipulated within the statement. Planning and development of security policies MemaTech is required to implement and document a strong policy of information security. The company may adopt granular policy or Enterprise Information Security Policy based on the evaluation of the business leaders. The company is required to review the policy adopted annual. The goal of reviewing is to make sure that suitability is continuous, adequacy, and policies effectiveness. The company is required to review the information security policy frequently, especially when there are changes in the organization. The company should inform the Information Technology Department of any related changes in the company that are required but in conflict with the present policies. Information Security Organization The company is required to maintain the organization’s information security and facilities of processing information that are communicated, accessed, processes, or managed by workers, staff, and third parties through documentation of specific responsibilities of workers and third parties and make sure the contractual agreements support and incorporate the requirements that ate security based. Management of Asses The company is needed to maintain and achieve proper protection of assets including the personal information and resources of IT by assigning tasks to implement the policy to achieve data classification, inventory of information Technology assets, appropriate data handling and tagging per classification, and acceptable through the acceptance and implementation of acceptable use policy. Human Resource Security MemaTech requires to make sure the contractors, employees, and third party comprehend their responsibilities and have the pre-skills and knowledge in ensuring the effective implementation of the responsibilities they are assigned (Straub, Goodman, & Baskerville, 2008). This is important in reducing the uncertainties of unauthorized access, modification or use of Information Technology Resources including assessing the risks in determining the employees’ level upon their changes in responsibility during their employment. The employees need to undergo security training and awareness during the employment. Data systems should be denied access after inactivity for a long time. In addition, they should return the company’s properties and equipment after termination of change of terms. They should also be denied the rights to access the company’s information after termination. Planning improvements to compliance to a security MemaTech is required to embrace the security requirements of the policy in addition to federal law, contractual obligations, and state law where the IT resources and Information assets are subject but not confined to privacy and security of personal information, trade secret guidelines, copyright, and patent. The company needs to document guidelines for all requirements for information assets and systems, and their compliance with standards and policies. Identification of a security auditor’s chief duties The auditor is responsible for carrying out diligence in adopting the framework to achieve the obligation of the company to ensure that proper security controls are designed and in effect promoting reasonable security assurance that protect the assets of information, including but not confined to personal information. He also ensures that the Information Technology applications and Systems developed abide to this and all the policies, procedures, and standards that are promulgated by the Secretary of IT. IT systems that do not conform can never be deployed unless the entity the purchases and contractor have applied for and received in the form of writing from the Secretary. He is also responsible for communicating, training, and enforcing the security objectives of the secretariat. The third also provides oversight of the third party as applicable for any information Technology applications and systems. The auditor also reviews and signs the company’s security program, self-audits, plans, and reported submitted by the company. The auditor also ensures compliance with the regulations, contractual obligations, and laws (Calder & Watkins, 2010). Installation and configuration of network-based and host-based discovery software The company is required to install, configure, implement, and test the discovery software for security provisions to reduce the effect to processes or systems from the impact of major failures of Information Technology Resources through continuation of operations plan and plan for disaster recovery. Reference Calder, A., & Watkins, S. G. (2010). Information security risk management for ISO27001/ISO27002. Cambridge shire: IT Governance Pub. Straub, D. W., Goodman, S. E., & Baskerville, R. (2008). Information security policy, processes, and practices. Armonk, N.Y.: M.E. Sharpe. Tudor, J. K. (2001). Information security architecture: an integrated approach to security in the organization. Boca Raton, Fla.: Auerbach. Read More