Information Security Policies - Assignment Example

INFORMATION SECURITY POLICY DOCUMENT Name Date Table of Contents INTRODUCTION Information security policies and strategies are based on a set of guidelines and rules that promote standardized response to some information security issue that can be come across, as a result permitting a team of IT experts to instantly recognize what is being performed in some situation. In addition, information security policies should be placed into situation by any enterprise that has a computer and communication network. However, this kind of policies are very complicated to plan as well as implement, but sound information security policies formulated simply to facilitate an operation to care-for its data with relative ease (Elemental Cyber Security, Inc., 2011; Levya et al., 1999). Moreover, information security policy is normally believed to be extremely helpful, profitable and beneficial when an organization is going to start new information technology based project. Additionally, the process and general development of information security policy is sometimes executed in an ad hoc way, however it can be assumed through support of frameworks. In fact, some of these frameworks comprise the codification of existing practice, as others are the outcome of theoretical information system development (Elemental Cyber Security, Inc., 2011; Levya et al., 1999). This research report discusses the development of information security policy document for University of Wales, Newport, City Center Campus’s New Digital Forensic and information technology laboratory setup. BACKGROUND University of Wales, Newport, City Center Campus has decided to implement a new technology based Digital Forensic and IT laboratory. For the establishment of such a technology based arrangement we need to keep in mind some of the important aspects of the technology based working and operation. In this scenario we need to consider a lot of critical security related issues and possible attacks those can damage the corporate credibility. Here we need to take care of information and data that need to be managed and maintained for the enhanced corporate performance. CONTEXT FOR IT SERVICE DELIVERY The new technology of University of Wales, Newport, City Center Campus is aimed at offering and delivering enhanced Digital Forensic and information technology laboratory services and management of the corporate data. The new technology is aimed at improving the following areas of the organization: Effective data detection Enhanced data security Better data quality No Plagiarism Students work assessment Quality knowledge production New mobile technology Easy way of working Better data collection Easy management of the data Less confects among data formats Easy data sharing among all division of the corporate Less or no dirty data METHOD AND APPROACH For the sake of development of the information security policy document for University of Wales, Newport, City Center Campus, we will address the following main questions: Main technology needs Possible issues in data Security needs Possible attacks sides Security Attacks nature What technology we having currently What type of facilities are required How can be obtain main objectives Security management needs Security handling tools and technology OBJECTIVE OF SECURITY POLICY As developing a high-quality security policy document will be able to offer the basic support for flourishing accomplishment of security associated projects in the future, this is without a hesitation the initial evaluation that has to be formulated in an attempt to minimize the risk of illegal utilization of some of the precious university's information resources. For University of Wales, Newport, City Center Campus project for Digital Forensic and information technology laboratory implementation; we are going to develop an information security policy that would be aimed at improving the university's security that is the opening of exact yet enforceable safety policy, notifying staff a variety of features of their tasks, general access of university resources as well as describing how responsive information have to be handled. Additionally, the strategy will as well explain in future the meaning of satisfactory utilization, and listing forbidden tasks (Danchev, 2010; Ruskwig, 2011; Abu Dhabi Government, 2011). In addition, the development (as well as the good implementation) of a information security policy is extremely helpful as it will not simply turn our employees into members in the corporation effort to protect its communications though as well help minimize the risk of a possible security breach due to "human-factor" faults. In fact, these are typically concerns like that revealing information to unidentified (or illegal sources), the unconfident or inappropriate utilization of the internet and a lot of other risky activities. As well the building procedure of a security strategy will as well facilitate our University to describe a university's vital assets; the means they have to be secured and will as well provide as a central document, as far as caring information security assets are apprehensive (Danchev, 2010; Ruskwig, 2011; Abu Dhabi Government, 2011). Figure 1: OBJECTIVE OF SECURITY POLICY, Source: http://itil.osiatis.es/ITIL_course/it_service_management/security_management/introduction_and_objectives_security_management/introduction_and_objectives_security_management.php INFORMATION SECURITY POLICY DOCUMENT APPLICATION AREAS In this section I will outline the basic application areas for University of Wales, Newport, City Center Campus’s information security policy document. The basic aim of this section is to outline the purpose of our university security policy. I have outlined below some of the main aspects those will elaborate the basic need for the development of security policy for our University. Secure people as well as university data and information Place the regulations and rules intended for predictable behaviors through system administrators, users, security personnel and management Approve security workers to check, search, as well as investigate Describe as well as approve the outcomes of breaches Describe university agreement baseline stance on corporate information security Facilitate to minimize risk Facilitate to track fulfillment by regulations plus legislation Here University of Wales, Newport, City Center Campus’s information security policies will offer a structure for most excellent practice that could be easily managed by the whole staff. They can facilitate to make sure risk is reduced as well as that some security events are successfully responded to (Diver, 2006). AUDIENCE GROUPS This section will define our audience regarding this policy. Certainly our audience regarding this policy will be workers; however this group can be divided into other sub-types, with the members of every sub-group probable to look for dissimilar things from information security strategy. The major audiences groups of this policy will be: University of Wales, Newport, City Center Campus Management at every levels University of Wales, Newport, City Center Campus Technical Staff (network and systems administrators, etc) End Users 1 (University staff personals) End Users 2 (University Students) All types of users will fall into at least one group (end-user) as well as a number of will fall into two or even the entire three groups. INFORMATION SECURITY POLICY CONTENT The audience of University of Wales, Newport, City Center Campus’s information security policies will decide what is incorporated in every policy document. For instance, we cannot for all time desire to have an explanation of why something is essential in a strategy, if our reader is a technical keeper and accountable for configuring the system this cannot be essential for the reason that they are probable to previously recognize why that particular act requires to be performed. Likewise, an executive is improbable to be worried by the procedures of why something is performed, however they can desired the high-level impression or the leading standard at the back the act. Though, if our reader is an end-user, it can be supportive to include a explanations of why a particular data and information security control is essential for the reason that this will not simply support their recognition, however will as well formulate them more probable to fulfill by the strategy (Danchev, 2010; Mscpaonline, 2010). In addition, given the multiplicity of matters, readers, as well as uses intended for policy, how they can be tackled in one document? Our University will make sure that their data and information security strategy documents are logical that audience requires as well as to perform this it is frequently essential to utilize a number of dissimilar document kinds inside a policy structure. That kind of document we want to make use of will be decided in huge part by the audience for that document. For instance, a general acceptable use policy will be in the shape of an advanced stage document, as a document that explains how to organize the instant messaging system to make sure it obeys the acceptable use policy can be in the shape of a job support or strategy document. Moreover, manager as well as end users are probable to be paying attention the previous, as administrative employees are more probable to utilize the latter (Danchev, 2010; Mscpaonline, 2010). BASIC SECURITY PROGRAM In scenario of University of Wales, Newport, City Center Campus’s information security policy document we will present the basic security program for new policy application. It is assessed in case of this new policy application that information security is a University concern. The basic aim is to recognize, review and take steps to keep away from or ease risk to our organization’s information assets. In this scenario, governance is a necessary part for the long-term policy by means of value to the security policies and risk management plan. In addition, governance needs managerial administration participation, endorsement, and continuing support. It as well necessitates an organizational arrangement that offers a suitable place to notify and advise executive, university and information technology administration on security concerns and satisfactory risk levels (SAS70Checklists, 2010). In a successful attempt to implement and properly uphold a robust information security roles at university of Wales, Newport, City Center Campus we need to be familiar with the significance of: Recognizing the information security necessities as well as the need to setup policy and objectives for information security application and operating controls to run information security risks in the circumstance of general University issues and security concerns: (SAS70Checklists, 2010) Makes sure all the clients of information assets are responsive of their jobs in protecting university’s possessions; Reviewing and monitoring the efficiency and performance of information security strategy and controls Continual development foundational on measurement, assessment as well as transforms that affect risk. Figure 2- Information Security Policy Application Procedure, Source: http://www.ruskwig.com/docs/iso-27002/Information%20Security%20Policy.pdf ACTION PLANS In this section I will present the fundamental action plan for University of Wales, Newport, City Center Campus. I have outlined below some of the main action plans: (Mscpaonline, 2010) Recognize practically predictable internal and outside threats that could consequence in illegal revelation, mistreatment, change, or devastation of customer data and information or information systems For University of Wales, Newport, City Center Campus we need to assess the probability as well as potential harm to university data and information as well as threats, taking into consideration the understanding of client information Assess the adequacy of obtainable strategies, measures, customer information systems, as well as additional safeguards prepared to control such kind of information security risks. BASIC SECURITY THREAT In this section I will present the basic threats related to University of Wales, Newport, City Center Campus’s new project related for instance, the insider or outsider security attacks. This section will address the basic security and privacy threats for university those can be faced in future. I have outlined below some of the important threats regarding University of Wales, Newport, City Center Campus’s information and data: Figure 3: Information Security Threats Severity, Source: http://www.securelist.com/en/analysis/204791935/Internal_IT_Threats_in_Europe_2006 Malwar There are lots of techniques to install malware on University of Wales, Newport, City Center Campus University arrangements comprising utilization of client-side software security threats and vulnerabilities. A browser turns out to be a top goal intended for vulnerabilities. Malicious insiders threats Any person inside the university can damage the data and information through illegal access. In case of \ University of Wales, Newport, City Center Campus there is no means to get rid of the danger of malicious insiders totally however by means of high-quality security strategies as well as followed actions, the events could be a division of what they are nowadays (Danchev, 2010). Broken vulnerabilities Threats University of Wales, Newport, City Center Campus’s vulnerability builds-up is at the heart of hacking as well as data breaches. Viruses, worms, malware, and a host of other attack categories frequently depend upon vulnerability develop to infect, spread as well as carry out the events cyber criminals desired (Danchev, 2010). Careless employees In case of University of Wales, Newport, City Center Campus’s careless as well as untrained staff will carry on to be an extremely serious danger to University (Danchev, 2010). Mobile devices based Threats In case of University of Wales, Newport, City Center Campus University corporate arrangement mobile devices have turned out to be a plague for University data and information security experts. There are worms as well as other malware that particularly target these devices like that the iPhone worm that would illegally steal university or students personal information plus join these devices in a bot-net (Danchev, 2010). Social networking Threats In case of University of Wales, Newport, City Center Campus University social networking websites like that MySpace, Facebook, Twitter as well as others have issues regarding identity thieves. There is as well a personal security matters (Danchev, 2010). INFORMATION TECHNOLOGY SECURITY ELEMENTS For the sake of information system and university data and information security policy development at University of Wales, Newport, City Center Campus University we need to build up some security elements that we will offer in case of cyber security and privacy management. The privacy and security policy elements of a high-quality security policy comprise: (Washington University, 2011) Access Confidentiality and Privacy Authentication Information technology system and network maintenance policy Accountability Availability SECURITY CATEGORIES In case of University of Wales, Newport, City Center Campus for the sake of definition of the security policy we will define the security categories regarding enhanced security and privacy management. In this scenario these security categories will address the following main areas of the corporate: Computer System and Applications Security Here we will require following types of security management methods: (Washington University, 2011) Physical security Operational security Procedural security Network security RISK RESPONSE AND MANAGEMENT Here we will require following main IT security management tools and techniques: (Washington University, 2011) Security firewalls Secure verification Dial-in security Management Encryption Training workers Virus inspection software Implementing standardized mechanisms Safe storage, back-up as well as retrieval of data Physical security management Installing burglar alarm Physically secure or lock CONCLUSION Information security policies and strategies are based on a set of guidelines and rules that promote standardized response to some information security issue that can be come across, as a result permitting a team of IT experts to instantly recognize what is being performed in some situation. This information security policy document has presented a deep idea of university’s new project and security management. Here I have outlined some of the important security issues along with their management mechanism. I hope that this report will offer a deep insight into the University of Wales, Newport, City Center Campus’s information security policy document. REFERENCES Abu Dhabi Government , 2011. Information Security Programme. [Online] Available at: http://adsic.abudhabi.ae/Sites/ADSIC/Navigation/EN/Projects/information-security.html [Accessed 01 September 2011]. Danchev, D., 2010. Building and Implementing a Successful Information Security Policy. [Online] Available at: http://www.windowsecurity.com/pages/security-policy.pdf [Accessed 20 December 2011]. Diver, S., 2006. Information Security Policy - A Development Guide for Large and Small Companies. [Online] Available at: http://www.sans.org/reading_room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies_1331 [Accessed 21 December 2011]. Elemental Cyber Security, Inc., 2011. Elemental Security and Information Security Policy. [Online] Available at: http://www.elementalsecurity.com/glossary/information-security-policy.php [Accessed 20 December 2011]. Levya, M., Powellb, P. & Galliersa, R., 1999. Assessing information systems strategy development frameworks in SMEs. [Online] Available at: http://elmu.umm.ac.id/file.php/1/jurnal/I/Information%20and%20Management/Authorlist%20F/1837.pdf [Accessed 22 December 2011]. Mscpaonline, 2010. Sample Written Information Security Plan. [Online] Available at: http://www.mscpaonline.org/pdf/wisp.pdf [Accessed 21 December 2011]. Ruskwig, 2011. Information Security Policy. [Online] Available at: http://www.ruskwig.com/docs/security_policy.pdf [Accessed 02 September 2011]. SAS70Checklists, 2010. Information Security Plan Template. [Online] Available at: http://www.sas70checklists.com/information-security-plan-template [Accessed 20 December 2011]. Washington University, 2011. Information Security Policy. [Online] Available at: http://wustl.edu/policies/infosecurity.html [Accessed 21 December 2011]. Read More