Fair and Responsible Use of Data Mart Equipment - Case Study Example

Data Mart ISSP FAIR AND RESPONSIBLE USE OF DATA MART EQUIPMENT BY EMPLOYEES ment of Purpose Scope and Applicability This policy will apply to the contractors, employees, consultants or any other worker within Data Mart including the fellows who have some relationships or dealings with the third party vendors. The employees to whom the policy will be applicable will be individuals who are authorized to access the available computer resources with an intention of performing the daily business duties. It equipment are fundamental in the daily operations carried out within Data Mart Company hence the need to render proper protection. In view of this, it is mandatory that every employee within Data Mart complies with this policy. The facilities covered under this policy will be every equipment found within the premises of Data Mart Company whether they are owned or leased. Definition of Technology Addressed Within the scope of this policy recommendation, we will use the term “IT equipment” to refer to any hardware, software or different LAN protocols that Data Mart has authorized for use among the contractors as well as internal employees. In addition, hardware facilities like servers that operate on Data Mart-owned network system and monitored by Data Mart will as well be treated as IT equipment. Responsibilities This policy must be implemented by different departments in the Information Technology arena. Similarly, every IT equipment users within Data Mart will be rendered responsible for all actions that lead to violation of the conventional security rules at their respective stations of work. 2. Authorized Access and Usage User Access Employees of Data Mart might not access the organization’s It equipment without a prior authentication. After accessing the given IT equipment, it is the responsibility of the involved users must make sure that usage does not go beyond the specifications in Data Mart’s Issue Specific Policy. The authentication credentials are not to be shared within anybody else. Not even the head IT office will dare ask for such credentials from the end users. If a need arises to issue an employee with an It equipment, it will be the duty of the employee’s departmental supervisor to coordinate with the IT Department then avail the employee with the equipment in question. Fair and Responsible Use Use of Data Mart Company’s IT equipment should be left for business-based operations. Business-based operation will encompass every task that the management has delegated to an employee. Every user remains responsible to comprehend then comply with every rule, policy, law, license along with contracts that are relevant to their respective areas of use. Users have the duty to ensure that every moment of use of IT equipment within Data Mart does not result into violation of local, state or federal laws. In addition, internet usage will be granted majorly to aid in the execution of business routines that are crucial while the employees perform their day-to-day duties. Data Mart will not in any way be held responsible if any employee uses unlicensed software and this will apply even if the concerned manager proves to have been unconscious of the scene. Every employee will be issued with the necessary software in order to safety and efficiently carry out their routinely obligations. Protection of Privacy Data Mart will assume ownership of every data that is resident within its IT equipment. Not any user of Data Mart’s IT equipment will have any justified expectation regarding stored, processed or sent materials. Users have to be informed that any data that is sent or stored in a user account featuring in the organization-owned equipment will go through review. Besides, users should be informed that the scope of use of the stored information will occasionally increase in response to court orders or a need for a government agency or a law enforcement body to carry out an investigation. 3. Prohibited Usage Disruptive Use and Misuse The scope of use of Data Mart’s IT equipment will be restricted to actions that are centered on work-related duties that the management shall have assigned to employees. Users should never be found using the IT equipment within the organization’s premises for personal, non-business needs or any other service that is tended to personal gain. Within the context of this policy, the activities that will treated as prohibited will be: use of software applications without notification, evaluation and approval from the Information Security Officer’s end, employee’s using working periods to surf through web pages that do not bear any relationship with the tasks assigned to them by the management, downloading abnormally large files which brings about bandwidth-related concerns plus any other manner of usage that the management deems as harmful to the normal state of operation of the Data Mart-owned IT facilities. Nobody else other than the Information Security Officer or delegated IT personnel will assume the responsibility to carry out enterprise-wide system modifications like software upgrades or hardware replacement. In addition, the duty to approve and distribute the software packages and applications that the employees need to aid in the execution of the daily routines should be entirely left to the office of the Information Security Officer. Criminal Use Employees who communicate with fellows in other systems, networks, states or countries will remain subjects of the laws and rules to that govern those other environments. Data Mart as an organization will have the authority to inform the relevant law enforcement agency about any illegal activity that leads to misuse of Data Mart’s IT equipment. Offensive and Harassing Materials A user should never utilize Data Mart’s IT equipment in creating, posting, transmitting harassing, unlawful or offensive materials especially sexual oriented messages, discriminatory rhetoric enhance racism and graphics which depict political violence among others. Information Security Officer will be fully charged to define the scope of posts that are to be treated as acceptable. It is worth noticing that this policy will apply as long as the end user of Data Mart’s equipment happens to be an employee of the organization. Copyrighted, Licensed and Other Intellectual Property Users should not try downloading, copying or distributing materials if they are not in possession of a writing authentication from the Information Security Officer unless the move is covered inside Federal Copyright Act of 1976 definition of fair use. Copyrighted materials will include graphic illustrations, videos, audio files, software packages as well as photographs. Acquisition of facilities like software packages and applications plus the associated data should be through a legal means (Bueno, 2014). Besides, the IT facilities being acquired should be licensed and compliant with the laws that govern intellectual property, trademark as well as copyright issues. Internet users should not transmit, duplicate or receive materials that infringe the copyrights, patent rights, trademarks or trade secrets that pertain to Data Mart. To be safe, this category of users should bear the assumption that any web-based material is protected or copyrighted unless it is precisely stated otherwise. Other Restrictions Mail users should not download any attachment that has no relationship with the task that the management has assigned to them. Users should never take advantage of false identity and send deceptive or harassing messages to other people through the Data Mart-owned IT equipment. The management in liaison with the office of the Information Security Officer has the right to change this policy as it deems appropriate. Communication about policy changes will be communicated in time to the affected parties using mail messages. 4. System Management Management of Stored Materials Any person who uses the equipment owned by Data Mart to collect, examine, analyze, transmit or store research information that is needed by the law or regulatory body will ensure that such information is under protection against unauthorized access or modification. The IT office has the duty to designate sufficient storage spaces for different departments based on their needs. According to McFedries (2014), this will go along way aiding in proper use of the IT equipment. The IT office also has the duty to maintain back-up copies of data from different departments. This helps to ensure that Data Mart’s operations are not impeded because of loss of data that supports such information (Kissell, 2011). Employer Monitoring The organization has the right to keep track of the email traffic without issuing a prior notification to the employees. Data Mart will introduce web filters as a means to control access to given websites, mails and the internet in general. Virus Protection Data Mart reserves the right to install anti-spam, anti-spyware, anti-virus and anti-malware or any other software that the ISO deems appropriate for protection of data integrity and security. The installation tasks under this category will be entirely left in the hands of the authorized IT officer. Employees should attend appropriate awareness training as a measure to reinforce the security efforts that the management has put in place. This measure will help in reducing instances of accidental installation of virus or malware. Physical Security Data Mart should formulate and implement a Clean Desk Policy that encompasses every employee. Apart from eliminating clutter, this move shall help to lock portable computers, disks along with other removable computer equipment each evening to minimize the risk of theft of information or IT equipment under use inside Data Mart. All IT equipment supporting the operation of Data Mart should be used then stored within secure environments. The privilege to access Data Mart equipment shall be revoked as soon as the management identifies the person in question to be posing security risk. The same will happen, if the end user demonstrates a history of involvement in numerous security problems inside Data Mart. Encryption Mobile PDA storage devices and computer networks should employ powerful passwords plus encryption schemes so as to protect non-public client and Data Mart-owned information. Employees shall use the encryption software installed by the system administrator to safeguard both confidential and sensitive information. 5. Violation of Policy Procedures for Reporting Violations Any instance of non-compliance with security policies or procedures in Data Mart must be immediately reported to the ISO who is attached to the affected department. All employees shall hold their colleagues accountable to this policy and have violations reported if need be. The mail address for use in reporting violations is infosec@datamart.com and the email message sent to the ISO to report violations should include the name of the violator, the category of the violation, the section of the security policy that has been breached as well as the time and date of the event. Penalties for Violation Any user who violates this policy could be subjected to a disciplinary action or even be rendered jobless. Depending on the extent of violation, Data Mart could invite legal remedies for the damages that arise as a result of violation of any policy by the end users. Besides, the law could require that Data Mart reports all illegal activities to the relevant law enforcement bodies. 6. Policy Review and Modification Scheduled Review of Policy Data Mart has the right to alter this policy as deemed appropriate by the top management in liaison with the IT office. Procedure for Modification The reviews might prompt the IT office to add, delete or modify the usage policy to attain a better match with Data Mart’s information-related needs. All policies subjected to review and modification should be kept inside General Policy Archive with a clear description of the involved personnel, date of modifications and the factor that triggered the need to modify the policy. 7. Limitations of Liability Statement of Liability Data Mart shall not be held accountable for web content or graphics that end-users connect to using the web pages of the company. In addition, Data Mart will not accept any responsibility regarding any pieces of advice or information that a user receives through the use of Data Mart’s IT equipment. Other Disclaimers Data Mart shall not be held responsible for the damage, financial costs or liabilities that are brought about by non-legitimate or unauthorized use of the IT equipment that ends up violating local, state or federal laws. Data loss resulting from delays, unauthorized access to email systems or servers shall all be treated as non-legitimate uses. DATA MART MANAGERIAL FIREWALL STANDARDS AND PROCEDURES 1. Statement of Purpose Scope and Applicability This policy partly applies to all internet users who gain access to the Internet using the enterprise-owned IT equipment. Examples of the parties included under this category include part-time employees, business partners, contract workers as well as temporary agency workers. The group to which this policy is primarily centered is the set of network engineers employed by Data Mart to deal with firewall configuration issues. Firewalls form part of the essential components of Data Mart’s information security infrastructure. Definition of Technology Addressed For the purpose of this information security policy, a firewall will be defined as a program or device that regulates the flow of network traffic between networks that use varied security platforms. Host firewalls are not covered in this policy. Responsibilities The primary implementers of this policy should be the networking crew alongside different security personnel that serve inside Data Mart. In addition, every Data Mart user should use common sense then use proper judgments during the use of Data Mart equipment. 2. Firewall Security Objectives Restriction of Internet Access Only users who have been authorized by the management are allowed to gain access to the Internet using Data Mart’s corporate network. The IT office shall document then distribute a list of approved services and paths to departmental system administrators in order to ensure that employees are up to date with the existing security policies. External Access Every external request should be blocked except for requests that are destined for particular Internet-facing servers placed within the Data Mart. Every in-bound real time internet connection to Data Mart’s multi-user computer systems or internal network shall have to pass through a firewall prior to permitting users to reach a logon banner. VPN Access As a measure to evade unauthorized disclosure of valuable and sensitive information, in-bound traffic accessing Data Mart networks should be encrypted using the products that are approved by the IT office. However, push broadcasts, approved news services and internal mail shall be exempted from this. Restriction of ICMP ICMP traffic should never be allowed to go through the premier network belonging to Data Mart. Besides, Internet facing servers need some configuration so as to be permissive of ICMP requests, though any moment of troubleshooting would be an exemption for some short period. Internet-facing Servers Every internet-facing server like Data Mart’s e-commerce and web servers should be configured using NAT and should be seriously monitored and restricted to avoid attack. SMTP Traffic Network engineers must adjust the firewall-based SMTP rules to permit traffic from services that are explicitly needed in performing the daily business routines. Deny All Network engineers of Data Mart Company should follow DENY ALL outbound policy during traffic configuration. This measure shall ensure that nothing leaves Data Mart’s network systems without any explicit permission. 3. Operational Security Rules Before the deployment of any firewall within Data Mart, a diagram showing permissible paths together with a justification associated with each of the paths together with a detailed description of allowable services plus the associated justifications have to be submitted to the ISO. The ISO shall grant the permission to enable such services and paths only if the stated services and paths are found essential for IT-related business needs, and sufficient security practices shall be constantly applied. The duty to periodically check the extent to of compliance of the firewall deployment environment with the provided documentation will be left to the lead network engineer. In addition, an inventory of every access path into and out of Data Mart networks should be maintained by the IT office. 4. Procedures and Guidelines New Firewall Rule Request All requests for new rules should be submitted through the service request form. The network crew shall assess the requests based on the justification of the submitted requests and the security implications in case the request is implemented. Any request that meets this pattern will be processed within 24 business hours. Otherwise the request will be denied. Internal Change Control Policy In view of their support for critical activities within Data Mart, firewalls are treated as production systems. Every change made to the vendor-provided firewall software must be subjected to change management process. The process shall encompass completion of the change request form, assessment of the required change by the lead network engineer, approval or rejection of the proposed change together with a justification for the course of action taken followed by change implementation. Every change procedure should be fully documented, authorized then retained by the network crew. References Bueno, P. (2014). Data Mart Information Security Policy Recommendations McFedries, P. (2014). Fixing your computer: Absolute beginners guide. Kissell, J. (2011). Take Control of Backing Up Your Mac. Sebastopol: TidBITS. Read More