Developing a Security Plan - Term Paper Example

Summary
The author of the paper "Developing a Security Plan" will begin with the statement that information security is the safeguarding of information and information systems. This is done to ensure that only authorized people get to access such information or use it…

Extract of sample "Developing a Security Plan"

I.T. Security Plan
Knowledge and Information Security

Introduction
Information security is the safeguarding of information and information systems: ensuring that only authorized people can access or use the information, and protecting it from tampering or damage. Organizations of every size gather and store large volumes of information that is confidential to them, concerning their employees, clients, research, products or financial operations. Most of this information is gathered, processed and stored on computers and conveyed over networks to other computers (Masahiro & Zheng, 1999). If such information landed in the wrong hands, the consequences could include business collapse, lawsuits, theft or bankruptcy, and information security exists to prevent this. Areas requiring information security include network security, business continuity planning, records security and information systems auditing.

Physical holdings at risk
Physical holdings at risk include the organization's buildings and room layout, which could be photographed by people who want to learn about the organization. Other physical holdings at risk are the computers and USB devices that store sensitive information; if this equipment is stolen, the data on it is lost and can end up in the wrong hands. The offices are also at risk because they hold important information in hard copy, in files and papers. If the offices are broken into, it is easy to reach information that belongs to someone else or is confidential to a select few within the organization.
Such documents landing in the wrong hands leads to a breach of highly confidential information (Timothy, 2006).

Human holdings at risk
Human holdings include information about the organization's employees, such as that held by the human resources department. Some employees are also aware of confidential information about the organization, and that information is at risk because they could disclose it to unauthorized parties. Another human holding at risk is employees' passwords and private details, which could be investigated covertly by other employees (Harris, 2005).

Electronic holdings at risk
Electronic holdings at risk include confidential emails sent within the organization, the organization's network and all the information stored on its computers. The organization's programs are also at risk. People could obtain others' email passwords and read their mail, learning information they are not authorized to know, or hack into the organization's systems and observe what employees do. Data on USB sticks, flash disks and CD-ROMs is also at risk of illegal access: because these storage devices are portable, they are easy to steal without notice, and the organization risks losing the data.

Physical threats
Potential physical threats to the organization's information include electrical and cooling problems, human malice, accidental fire, leaks and air quality. Such threats are normally checked by the built-in capabilities of the power, cooling and fire-containment equipment, but some are serious. For instance, poor humidity can arise anywhere in the data center.
Such a threat is distributed throughout the data center, at unpredictable locations that depend on the room arrangement and device positioning (Masahiro & Zheng, 1999). Air temperature is a threat because equipment stores information and functions correctly only within a certain temperature range. In this building the temperature keeps varying, so there is no stable specified temperature for the devices. Unsuitable temperature can cause the equipment holding the information to fail, losing the data, and is likely to make devices such as computers faulty. Liquid leaks could also damage sensitive and valuable information held on paper. Dustbins may hold rubbish containing sensitive information, which could be accessed by unwanted people or destroyed accidentally.

Human threats
Possible human threats include human error and staff access. Some employees could tamper with data unknowingly, while others could intentionally access information they are not authorized to see; some may have malicious intentions, such as passing it to a competitor. These human threats can lead to information being lost, equipment being damaged, or theft and sabotage of the equipment holding the information. Employees could also give out private information over the phone to unauthorized people, breaching confidentiality (Timothy, 2006). Another human threat is theft. Visitors who occasionally come to the organization could gain access to its information.
Some could steal the organization's information devices, and the sensitive data on them, for example about employees, could then lead to a breach of confidentiality (Vanstone, 1997). Finally, there is no policy covering alarm systems, the types of keys in use and who keeps them, nor a protocol for which visitors are allowed into the office. Failing to address these areas could let visitors pry into the organization's confidential information. The lack of alarm systems also makes unauthorized entry, and the theft of devices containing valuable information, easier; when such devices are stolen and sold, confidential information is breached (Michael, 2004).

Human threats can come from insiders or hackers. Insiders are employees within the organization and hence legitimate users of a system; when they use that position to access information they are not authorized to see, it is an insider attack. Hackers break into the system without being detected and monitor the organization's data secretly. Insiders tend to have precise targets and objectives and hold legitimate access to the system, so they can browse through the file system. This kind of attack is very hard to detect or guard against, and it can affect every aspect of computer security: browsing attacks the confidentiality of information on the system, and insiders can affect availability by overloading the system's processing or storage capacity or by crashing it.

Electronic threats
Information on computers throughout the organization is likely to be attacked by viruses from the internet. Viruses spread over the internet through email or web pages, and they can infect the computers because most of them are not protected.
Other viruses spread through flash disks and USB memory sticks. Viruses can infect and destroy the organization's important information. There is the threat of hackers attempting to reach the organization's sensitive information secretly, and of spyware, by which people outside the organization monitor what people inside it are doing over the network. This is likely to be done by competitors interested in acquiring information about the organization's confidential activities (Michael, 2004). It can be countered by installing antivirus programs and scanning the computers regularly. Data that is not cleared for everyone and is conveyed over an external communication network should be sent only in encrypted form.

Security plan to manage the organization's information: electronic countermeasures

Cryptography
Information can be secured through cryptography. Encryption changes the information into a form that is unusable to anyone not authorized to access it; authorized users then change it back into usable form with a cryptographic key, which only they hold. Cryptography also provides other useful applications for information security, including stronger authentication methods, message digests and encrypted network communications. PGP is a software application that could be used to encrypt the organization's files and emails. The encryption key should be long and strong enough to provide sufficient security. PGP encryption applies, in sequence, hashing, data compression, symmetric-key cryptography and finally public-key cryptography.
Each step uses one of several supported algorithms. Each public key is bound to a user name and is distributed to the people who need to send encrypted information to that user, that is, only to those involved in handling the information; the corresponding private key, which decrypts, must be protected and kept confidential by its authorized holder (Harris, 2005). Antivirus software should also be installed to protect the computers from infection, and so protect the organization's important information from viruses.

Security plan to manage the organization's information: human countermeasures

Access control
Computer programs, particularly on the computers that process the information, should be configured to recognize only authorized people. Mechanisms will be installed to control access to the information, with the most valuable information in the organization requiring the strongest controls. Access will follow these steps.

Identification
First, the person identifies himself or herself, for example: "Hi, my name is James Dess." The person is claiming an identity, but may or may not actually be James Dess. Before James Dess is granted access to protected information, the person claiming to be James Dess will be required to prove it. Alternatively, a username known to the authorized users can be used for identification (Thomas, 2002).

Authentication
Authentication verifies the identity claim, much as an identification card does. After the username or name has been entered, the computers should be programmed to request a password. Once the person has been verified, it is necessary to determine what information they are allowed to access and which actions they are permitted to perform: viewing, running, creating, deleting or changing the information.
This requires the next step, authorization. User IDs that fail to log in after several attempts should be disabled, and the system should automatically alert the security administrator when that threshold is reached, perhaps after 3 to 5 attempts, so that the incident can be investigated. This deters attackers from using automated programs that try combinations of user logon IDs and passwords. Note that the same control hands an attacker an efficient denial-of-service attack: the attacker can deliberately trigger the disabling of a user ID to lock out the legitimate user.

Authorization
Authorization to use or access information starts with administrative rules and procedures. The rules set down which information and computing services can be accessed, by whom, and under which circumstances; access control mechanisms are then built to implement these policies. A non-discretionary approach will be used: access to information is based on people's responsibilities within the organization, which gives the information owner control over access to those resources. Role-based access control could serve as the access control mechanism (Timothy, 2006). To be successful, policies and other security controls have to be enforceable and endorsed; effective policies ensure that people are held responsible for their actions. All successful and unsuccessful authentication attempts must be logged, and all access to information should leave some kind of audit trail.

Security plan to manage the organization's information: physical countermeasures
Physical controls can be installed to monitor and regulate the workplace and computing environment, and to monitor access to and from these facilities. For example, no unauthorized person should be allowed past the gate.
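The identification, authentication, lockout and role-based authorization steps described above, modelled in working code. This is an added example, not part of the term paper: the user names, roles, resource names and permission table are constructed, the 5-attempt threshold is taken from the plan's 3 to 5 range, and the 15-minute lockout window is an assumption chosen so that the lockout expires on its own, which limits the deliberate-lockout denial of service the text warns about.

```python
"""Identification -> authentication -> authorization with a failed-login
threshold, an administrator alert and an audit log of every attempt.
Constructed example: users, roles and the permission table are made up."""
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5        # consecutive failures before the ID is disabled (plan: 3 to 5)
LOCKOUT_SECONDS = 15 * 60    # assumed: lock expires by itself, limiting deliberate-lockout DoS
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt):
    """Salted PBKDF2 digest; only this and the salt are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccessController:
    # Non-discretionary, role-based permissions: role -> resource class -> allowed actions.
    ROLE_PERMISSIONS = {
        "clerk": {"payroll": {"view"}},
        "hr_manager": {"payroll": {"view", "create", "change"}, "personnel": {"view", "change"}},
        "sysadmin": {"server": {"view", "run", "change"}},
    }

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so lockout expiry can be tested deterministically
        self.users = {}          # username -> salt, digest, role, failure count, locked_until
        self.audit_log = []      # every authentication and authorization decision
        self.alerts = []         # messages for the security administrator

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": hash_password(password, salt),
                                "role": role, "failures": 0, "locked_until": 0.0}

    def _log(self, event, username, **extra):
        self.audit_log.append({"ts": self.clock(), "event": event, "user": username, **extra})

    def authenticate(self, username, password):
        """Verify the identity claim. True only for the right password on an unlocked ID."""
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            # Do the same hashing work for unknown IDs so response time does not reveal valid ones.
            hash_password(password, b"\0" * 16)
            self._log("auth_fail", username, reason="unknown_user")
            return False
        if now < user["locked_until"]:
            self._log("auth_fail", username, reason="locked")
            return False
        if hmac.compare_digest(hash_password(password, user["salt"]), user["digest"]):
            user["failures"] = 0
            self._log("auth_ok", username)
            return True
        user["failures"] += 1
        self._log("auth_fail", username, reason="bad_password", failures=user["failures"])
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
            self.alerts.append({"ts": now, "user": username,
                                "msg": f"{LOCKOUT_THRESHOLD} consecutive failures; ID disabled"})
            self._log("lockout", username)
        return False

    def authorize(self, username, resource, action):
        """Decide by role, and leave an audit entry whether or not access is granted."""
        user = self.users.get(username)
        allowed = user is not None and action in \
            self.ROLE_PERMISSIONS.get(user["role"], {}).get(resource, set())
        self._log("access_ok" if allowed else "access_denied", username,
                  resource=resource, action=action)
        return allowed


if __name__ == "__main__":
    ac = AccessController()
    ac.add_user("jdess", "Correct-Horse-42", "clerk")
    print(ac.authenticate("jdess", "Correct-Horse-42"), ac.authorize("jdess", "payroll", "change"))
```

Locking the ID for a bounded window instead of permanently is the usual compromise between the brute-force defence and the lockout denial of service; the alert still reaches the administrator on the first lockout, so the investigation the plan calls for can start.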
Anyone entering the organization should produce his or her job identification card before being let in, which means security guards should be stationed at the gate to ensure the protocol is followed. Doors, fencing, cable locks and barricades can be installed to prevent unauthorized entry. Personal cameras should be prohibited within the organization to prevent unauthorized photographs (Bekenstein, 2003). Another physical control is to separate the network equipment room from the work area. Separation of duties ensures that no single person completes an important task alone: for instance, the person who submits a request for payment should not be the one who authorizes the payment or prints the cheque, and the employee who manages the server should not also be the applications programmer. Surveillance cameras should be installed throughout the organization to monitor what employees are doing.

Information security education and awareness program
Educating employees about information security is very important. All employees will learn how to protect the organization's information and devices from spyware, virus attacks, identity theft, hacking and phishing. This matters because lack of awareness could lead to the organization losing vital information or to unauthorized people reaching it.

How to guard a computer from spyware
Spyware is software that can track what someone is doing on the computer and on the internet and convey this information to someone who is not authorized to have it. Since malicious web pages are the leading cause of spyware infection, every employee has to be careful about the websites they visit and ensure that the browser settings are safe. It is also helpful to install anti-spyware software to guard the computer against this threat (Vanstone, 1997).
Spybot is an example of a program that is very good at identifying and removing spyware. Spybot should be kept regularly updated and the computer scanned regularly. If the organization's information system is infected by spyware, the organization will be severely affected: computers take much longer to process, which costs the organization through lower productivity; the internet browser may fail to start, and some parts of the computer cannot be reached without it freezing. Above all, the organization's information may be lost or altered, a grave loss, since restoring lost and changed information is expensive. Another important antivirus product is McAfee VirusScan; it should be updated daily to prevent viruses from spreading and infecting the computers and other information systems.

Around the office
Everyone in the organization should at least be aware of their neighbours, meaning the people working in the same office and those near it, since they can also enter the office. This helps in knowing whether a neighbour can watch your work, especially in your absence, and in judging whether a neighbour is a possible threat. Doors and windows should not be left open, and all points of entry to the office should be protected. Visitors should be met in a place separate from the normal working area, so that they cannot tamper with anyone's work (Shari, 2003).
Within the office
Every employee should make sure that network cables are protected by running them within the office, and that network equipment such as modems, servers, flash disks and routers is locked away in cabinets when not in use. Each employee is responsible for keeping his or her devices safe, because an intruder with physical access to such devices could install malware that lets them steal information in transit or attack the organization's network after leaving.

At the workspace
Every employee should position the computer screen carefully while working and on leaving, so that others cannot read it; for example, the screen should face away from the visitor waiting area. Workers should also secure their computers with security cables to prevent intruders from physically stealing them and walking away with the information. This is particularly useful for laptops and small desktops that could be slipped into a bag (Bekenstein, 2003). A screen-saver password should be set to stop other employees from using one's computer while one is away. After setting the password, a short delay should be set, for example 5 or 10 minutes; the screen saver then activates after that delay and requires the password to exit. This is the best way to protect the computer when someone leaves for a short time or forgets to log off or shut down.
Software and settings security
Employees should ensure that when the computer restarts it requests a password before allowing anyone to run any software or open any file. The password chosen should be secure, and everyone must keep theirs private and confidential (Shari, 2003). All employees should also configure their computers so that they cannot boot from the floppy or DVD drives, and set a password on the BIOS (Basic Input/Output System). The BIOS is the program in a PC that controls the computer from the time it is started until the operating system takes over; the BIOS password prevents an intruder from undoing the previous setting. Every employee is also responsible for locking their account whenever they are not using the computer. On Windows this can be done quickly by holding down the Windows logo key and pressing L. This works only if the account has a password.

How to destroy sensitive information
To make sure that deleted information does not reach an unauthorized person, it should be removed with software that erases it securely and permanently. Eraser could be used: before deleting a document, one should first erase it with Eraser and then delete it. If someone discovers that sensitive information was deleted before being erased, one can destroy any outdated backup or delete any previous user account. Once the retention time for information has elapsed, it should be destroyed immediately in a secure way. Secure methods of destruction include shredding, pulping and burning.
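The erase-then-delete step above, together with the rule that information is destroyed as soon as its retention time has elapsed, as an added example that is not part of the term paper and not Eraser's own code. The file names, contents and 365-day retention period are constructed. One caveat the plan does not state: overwriting in place only reaches the old data on storage that rewrites the same physical location, so on SSDs (wear levelling), journaling or copy-on-write file systems, snapshots and cloud storage the original blocks can survive; there, full-disk encryption with destruction of the key, or the physical destruction the plan lists, is the reliable method.

```python
"""Secure destruction of files: overwrite in place, force to disk, rename
away the file name, unlink; plus a retention sweep that finds what is due.
Constructed example: file names, contents and retention period are assumed."""
import os
import pathlib
import tempfile
import time


def overwrite_file(path, passes=3, chunk_size=64 * 1024):
    """Overwrite every byte of `path` with random data `passes` times,
    flushing and fsyncing each pass. Returns the number of bytes written."""
    path = pathlib.Path(path)
    size = path.stat().st_size
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                fh.write(os.urandom(n))
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())     # make the overwrite reach the device, not just the cache
    return written


def secure_delete(path, passes=3):
    """Erase then delete: overwrite the contents, rename to a meaningless name
    so the original name leaves the directory entry, then unlink."""
    path = pathlib.Path(path)
    written = overwrite_file(path, passes)
    anonymous = path.with_name("." + os.urandom(8).hex())
    path.rename(anonymous)
    anonymous.unlink()
    return written


def expired_files(directory, retention_days, now=None):
    """Files directly under `directory` last modified before the retention cutoff."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    return sorted(p for p in pathlib.Path(directory).iterdir()
                  if p.is_file() and p.stat().st_mtime < cutoff)


def demo(passes=3):
    """Build a constructed sample in a temporary directory, run the sweep and
    the erase, and return the observations a reviewer would check."""
    workdir = pathlib.Path(tempfile.mkdtemp())
    now = 2_000_000_000.0                              # fixed "current time" for the sweep
    payroll = workdir / "payroll-2023.txt"             # assumed names and contents
    original = b"confidential payroll figures\n" * 64
    payroll.write_bytes(original)
    os.utime(payroll, (now - 10 * 86400, now - 10 * 86400))
    stale = workdir / "minutes-2019.txt"
    stale.write_bytes(b"board minutes\n")
    os.utime(stale, (now - 400 * 86400, now - 400 * 86400))
    due = expired_files(workdir, retention_days=365, now=now)
    written = overwrite_file(payroll, passes=1)       # erase step alone, to show the content changes
    overwritten = payroll.read_bytes()
    erased = sum(secure_delete(p, passes=passes) for p in due)
    return {
        "due_for_destruction": [p.name for p in due],
        "bytes_written_one_pass": written,
        "content_changed": overwritten != original and len(overwritten) == len(original),
        "bytes_erased": erased,
        "stale_still_exists": stale.exists(),
        "payroll_still_exists": payroll.exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The rename before unlink matters on file systems that keep deleted directory entries recoverable: the data is already random, but the name "payroll-2023.txt" would otherwise still tell an investigator what was there.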
Information awaiting destruction should not be kept in insecure places such as dustbins or waste sacks; it should be kept in secure places where no unauthorized person can reach it.

Choosing and retaining secure passwords
A password should be hard for any computer program to guess, which is achieved by making it long and complex. A long and complex password stops automated password-cracking software from finding the correct combination of characters. If possible, mix lower- and upper-case letters and include punctuation marks. The password should also be practical, and it is not advisable to write it down anywhere, since that exposes it to anyone able to reach one's desk. If the password is difficult to remember, record it in a secure password database such as KeePass. Other kinds of password-protected files, such as Microsoft Word documents, are not suitable for this purpose, since most of them can be broken with tools freely available on the internet (Bekenstein, 2003). The password should not be personal: it must not be connected to you, so it is inappropriate to choose a password based on your name, date of birth or telephone number, among others. The password should be kept confidential and secret, so it should not be shared with anyone unless absolutely essential. A password should be chosen wisely so as to reduce the harm if someone else learns it. A password should also be unique: it is inappropriate to use the same password for more than one account, because anyone who discovers it can then reach yet more sensitive data. This is particularly true since some services make it comparatively easy to crack a password. Finally, a password should always be fresh, in that it must be changed regularly.
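The password rules listed above, and the system-enforced thresholds the plan goes on to give (at least eight characters mixing letters and digits, rejection after 30 days, shorter intervals for administrators), as a checker in working code. This is an added example, not part of the term paper: the profile values, the 14-day administrator limit and the use of ISO date strings are assumptions. One caveat for practitioners: NIST SP 800-63B (2017) advises verifiers not to force periodic password changes or composition rules, favouring length and screening against known-compromised passwords; the expiry check is kept here because it is the plan's stated rule.

```python
"""Password policy checks: length, character mix, no personal information,
no reuse, and maximum age by role. Constructed example; the profile values
and the 14-day administrator limit are assumptions."""
import datetime as dt
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8                              # the plan's minimum
MAX_AGE_DAYS = {"user": 30, "admin": 14}    # 30 days per the plan; 14 for administrators is assumed
PBKDF2_ITERATIONS = 600_000                 # OWASP's current figure for PBKDF2-HMAC-SHA256


def remember(password):
    """Salted PBKDF2 hash for the password history; plaintext is never kept."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def personal_tokens(profile):
    """Strings a password must not contain: name parts, the birthday (ISO
    string) in common numeric layouts, and the phone number's digits."""
    tokens = {p.lower() for p in re.split(r"\W+", profile.get("name", "")) if len(p) >= 3}
    if profile.get("birthday"):
        bday = dt.date.fromisoformat(profile["birthday"])
        tokens.update(bday.strftime(f) for f in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%Y"))
    phone = re.sub(r"\D", "", profile.get("phone", ""))
    if len(phone) >= 6:
        tokens.add(phone)
    return tokens


def check_password(candidate, profile, previous=()):
    """Return (errors, warnings). Errors are the plan's hard rules; warnings
    are its 'if possible' recommendations (mixed case, punctuation)."""
    errors, warnings = [], []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        errors.append("must mix letters and digits")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        warnings.append("mix upper and lower case")
    if not re.search(r"[^\w\s]", candidate):
        warnings.append("include punctuation")
    lowered = candidate.lower()
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            errors.append(f"contains personal information: {token}")
    for salt, digest in previous:               # reuse check against the stored history
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(probe, digest):
            errors.append("reuses a previous password")
            break
    return errors, warnings


def password_expired(role, last_changed, today):
    """True when the password (dates as ISO strings) is older than the role's maximum age."""
    age = dt.date.fromisoformat(today) - dt.date.fromisoformat(last_changed)
    return age.days > MAX_AGE_DAYS.get(role, MAX_AGE_DAYS["user"])


if __name__ == "__main__":
    profile = {"name": "James Dess", "birthday": "1985-03-12", "phone": "0712 345 678"}
    print(check_password("dess1985", profile))
    print(password_expired("admin", "2024-01-01", "2024-01-20"))
```

The history is compared through salted hashes rather than stored plaintexts, so the reuse check costs one PBKDF2 computation per remembered password; keep the history short for that reason.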
This is because the longer someone keeps a password, the higher the chance that others learn it; and if someone steals one's password and uses it to reach information unnoticed, they will keep doing so until the password is changed. The system should accept only passwords of at least eight characters that mix letters and digits. The system should also automatically reject any password that has been in use for more than 30 days, and require more frequent password changes for users with broad access privileges, for example network or system administrators. Reusable passwords in storage should be protected: a secure directory for them should be provided, kept in a system password file, and only a restricted number of operations staff with security-related tasks should be allowed to reach that directory and the related password file.

Visitors
No visitor should be allowed into any of the organization's offices or compound without authorization. Visitors should present their identification cards at the gate and leave them with the gate guard, and state the purpose of the visit and the person they intend to see. All visitors should wait in the guest waiting room and should not be allowed to use any of the organization's equipment.

Assessing any human threat
Assessing any electronic threat
(Shari, 2003)

Conclusion
Securing an organization's information improves profitability by reducing the number and severity of information security breaches, which in turn reduces the organization's direct and indirect expenses. For example, a lot of productivity and time is lost investigating and resolving information breaches, and an organization could lose a great deal of irrecoverable valuable information.
Moreover, costs are incurred in recovering lost data and repairing breached information systems, and the organization's reputation could be damaged, leading to client defection or, worse, devaluation of the organization's brand. Additionally, comprehensive and stable information security reduces the organization's overall risk. High-quality information security builds management's confidence and trust, giving the organization the courage to pursue business opportunities that might otherwise seem too risky to contemplate. It is therefore essential for any organization to have stable, working information security.

References
Bekenstein, J. D. (2003). Information in the holographic universe. Cambridge: Scientific American Press.
Harris, S. (2005). All-in-one CISSP exam guide (3rd ed.). California: McGraw-Hill.
Masahiro, M., & Zheng, Y. (1999). Information security: Second international workshop. Malaysia: Springer.
Michael, A. (2004). Caloyannides, Privacy protection and computer forensics. Sydney: Artech House.
Shari, L. P. (2003). Security in computing. New York: Prentice Hall PTR.
Timothy, P. L. (2006). Information security: Design, implementation, measurement, and compliance. London: CRC Press.
Thomas, R. P. (2002). Information security policies, procedures, and standards: Guidelines for effective information security management. London: CRC Press.
Vanstone, S. A. (1997). Handbook of applied cryptography (CRC Press series on discrete mathematics and its applications). London: CRC Press.
