
Security Business Plan of a Company - Essay Example

Summary
The paper "Security Business Plan of a Company" highlights that staff must be accounted for, do not unlock an account before talking to the user, and after a serious attack check with their manager before allowing them to work on the system applications. …

Extract of sample "Security Business Plan of a Company"

Security Business Plan

Abstract

This plan addresses the problems of physical network security, along with other forms of attack and the difficulties of protecting the networks. To ensure all areas are covered, it is written as a business continuity plan for the guidance of all personnel who are to be involved, whether in the IT group or simply working with the database on a daily basis as a user. It covers how the attacks and difficulties are prevented; the research for this included studying examples and teaching materials found on the web as well as personal notes. It also covers how these problems are regulated or thought of by company managers or external agencies, such as protecting personal privacy for users while watching for abuse of the systems (Savage, 2007).

Keywords: hacking, abuse, users, threats, mistakes, access, security.

• Hacking
• Abuse by users
• External threats
• Corruption
• Mistakes by accredited users

Business Continuity Plan

THIS IS TO BE FOLLOWED BY ALL PERSONNEL

Scope of Plan: The plan is to restore database systems within 2 hours, and other systems within a week, of any disaster that stops any function and equipment supporting the systems or functions in the company. The first assessment of the risk to the applications that support the company systems is critical. The Critical category identifies any application that has high priority and has to be restored within two hours, for example after an attack disabling a function. In particular, each of the systems must be evaluated and placed in one of the two categories of risk described below:

A. Critical (database applications)
B. Essential (network security, power)

Functions in Critical are those that are important to the work of the whole company. There are other departments as well that are also essential for the company or group they support.
The category given to each system must be based on an assessment of the loss: how it will hit the various departments using the system, and what the costs will be of that loss and of recovering the data. See the IT Departmental Team Plan for more in-depth information on the risks and how best to assess them at senior management level (MIT, 1995).

The Business Team for Continuity (BTC)

The BTC consists of senior managers from each main department that uses the applications identified above. Their role is to ensure that personnel can function during a critical outage, and in particular that there is a recovery plan to cover Critical and Emergency states. To this end there must be an alternative system in place that is up and running at all times. The Director of Security is in charge of the BTC and has the final decision-making control for the team.

Applications and Their Recovery

Within two hours of access to the company premises being allowed, report to the Business Continuity Team (BTC) any application that has been compromised during the outage or attack, then advise the BTC on the best way forward if there is a problem with hardware or for users. Hardware procedures are in the "Maintenance Handbook", which is maintained by the Facilities department and covers as many eventualities as can be covered. It will be the first set of procedures covered, especially if there is a difference in the stated objectives between the BTC and the handbook. IT and Facilities are then responsible for putting the recovery into motion (MIT, 1995).

Threats to the Company Systems

Physical Security Threats to Applications

To ensure these are covered, the following sections list possible threats and how to counter them. Security issues are many, and security of the hardware and network is very important. Technical equipment such as servers and routers must be locked in cabinets in a locked technical room.
Ensure that ports are disabled if not required and that working ports have encrypted passwords strong enough not to be broken. Access is by staff with proper security clearance, given by the Security Director's office only. Any contractor is to be accompanied at all times.

Other disasters or threats to hardware come from:

A. Electrical power
B. Environment
C. Maintenance

The answers are:

A. Electrical: Installation of a UPS with an emergency generator on standby, with remote alarms and monitoring in the security and IT departments.
B. Environmental: A correct environment with good temperature, humidity and airflow; again, recording and monitoring are needed.
C. Maintenance: Spare parts are to be kept for all crucial hardware; in fact spare units that are fully operational and only need setting up and connecting must be kept, with only permitted staff and contractors able to install them. It is recommended that some of the most crucial equipment is kept in storage elsewhere in case of disaster. This equipment must be checked and recorded as working every three months.

Network Attacks

Threats to be Countered

Individuals called hackers exploit any network or application weaknesses, using some very sophisticated ways to break into networks. They could get into our company's system for information, for fraud, or to destroy or alter records. To stop attacks of this type, a plan is in place that has to be followed, but not blindly: hackers are always trying to find new and clever ways into a system, so stay alert (Savage, 2007).

Countermeasures

Methods to stop the attacks are:

1. Inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers. These people can cause major disruptions, if only by accident (Orbit Computer Solutions, 2009 – 2011). To stop such an attack, ensure a decent firewall is up and running after any downtime of the system or applications.
The firewall must be updated every day. The firewall must be in place: if it is disabled during or after an attack, get it back online ASAP and ensure its access control policies (ACP) are running properly. These can be set up within the network or at the access points to the internet or cloud. Anti-virus programs must be in the network. They need to cover any type of attack against the company systems, such as viral infections. During recovery from a disaster, ensure the anti-virus system is online and updated after any problems; it must be updated every day.

2. User attacks. Sadly, a small number of users will, for any of a variety of reasons, attack the system from within. As they are authorised, this is very difficult to stop. Most users only enter certain areas of a system for their own work. Such staff do not usually have the expertise for getting into the application, but it is best to allow that some will be expert, and it is certain that some employees will want to access data they are not privileged to, either because of some need of their own or because of something external, such as a friend needing the data for some purpose.

3. Company phones and PDAs. Users may have company-owned or privately owned PDAs or smartphones. If so, these must be protected with a password to get into the phone or PDA and then another set of passwords to get into the company account. These must be changed every month. In a Critical or Emergency state, the phones and PDAs are to be checked by security ASAP for corruption or any attack on them. As these can be lost easily, they must have a code number and physical identification. In case of loss, the user must report first to the police and get the phone or PDA disabled. Laptops are to be kept locked away when not in use and cared for by a user; if one is lost, report to the police, then contact security and IT ASAP.

To Ensure Safety of System

Policies to be followed: User accounts, passwords and mailboxes are to be changed for all.
To this end, a hard-copy list of all current employees and their permissions is to be kept. Audits are to be done every month and after a critical or emergency problem. Staff must be accounted for: do not unlock an account before talking to the user and, after a serious attack, check with their manager before allowing them to work on the system applications. Transfer accounts, including passwords, between the different platforms as users move around. Create or manage accounts on the platforms (Spam Laws, 2009).

References

MIT Continuity Plan (1995). Business Continuity Plan. From: http://web.mit.edu/security/www/pubplan.htm
Orbit-Computer-Solutions.Com (2009 – 2011). Network Security. From: http://www.orbit-computer-solutions.com/Network-Security.php
Savage, Marie (May 22nd 2007). Database authentication, encryption getting priority in some businesses. Information Security magazine. From: http://searchsecurity.techtarget.com/news/1255955/Database-authentication-encryption-getting-priority-in-some-businesses
Spam Laws (2009). Why data security is of paramount importance. From: http://www.spamlaws.com/data-security-importance.html