Developing Security Policy - Essay Example

Introduction

A policy is a statement of intent that describes the rules governing the operation of an organization. It outlines the course of action that must be followed in order to comply with business rules and achieve business goals. A policy is also the shortest link between an organization's "vision" and its daily operations: policies classify the main activities and give decision makers guidance for handling issues as they arise, usually by listing the alternatives available for resolving a problem (Olzak, 2010; Shelly et al., 2005; Laudon & Laudon, 1999).

A security policy in particular is the foundation on which a useful and complete security program is built, and it is the component of the overall security architecture that is most often neglected. It is the main means by which management's commitment to security is converted into specific, measurable and testable goals and objectives. An effective security architecture requires a top-down approach based on a clearly stated policy: define the policy first, then the roles and responsibilities needed to enact it. Without a policy to guide decision makers, decisions are made ad hoc by the individuals who develop, install and maintain the computer systems, and the result is a fragmented and sub-optimal security architecture (Weise & Martin, 2001).

The structure of this report is as follows: the next section describes the components needed to define a policy; a policy is then developed to govern the transaction management system of an organization.
Components of Security Policy

An issue-specific policy consists of a purpose, objectives, scope, roles and responsibilities, general policy statements, and enforcement and compliance sections (Olzak, 2010; Patrick, 2001).

Purpose

The purpose characterizes the challenge or issue that management is addressing. It may concern regulatory restrictions, the protection of highly sensitive data, or the appropriate use of particular technologies. Terms may need to be defined here, since everyone the policy applies to must understand its content, and the conditions under which the policy applies must be stated (Olzak, 2010; Patrick, 2001).

Objectives

Objectives are usually stated within the scope definition and may include the actions and configurations that are forbidden or restricted. Although standards and guidelines are normally defined outside the policy, organizational practice sometimes requires placing certain standards and guidelines in this section. This part also identifies the outcomes expected from enforcing the policy (Olzak, 2010; Patrick, 2001).

Scope

The scope specifies where, when, how, and to whom the policy applies. It should state who (employees, departments, etc.) must comply, and what falls outside the policy, that is, the personnel and items covered by another policy (Olzak, 2010; Patrick, 2001).

General Policy

The general policy contains statements explaining, in general terms, why the policy is necessary: for instance, to guard the organization's assets against destruction or leakage of information, or to ensure the confidentiality, integrity and availability of information. It should define terms used throughout the policy where necessary (Olzak, 2010; Patrick, 2001).

Roles and Responsibilities

This section identifies the business units (departments) or persons accountable for the various areas of implementing and enforcing the policy.
Organizational responsibilities are assigned to persons such as the Vice President responsible for Information Systems Security, the Chief Information Officer, or the Chief Information Security Officer. Functional responsibilities typically involve managers, the Chief Technology Officer, and the Information Systems Security Officer. Roles and responsibilities must be set out for all levels of management and for all employees affected by the policy (Olzak, 2010; Patrick, 2001).

Policy Enforcement

This section describes how the policy is enforced and may include details of the technology used to enforce it (Olzak, 2010; Patrick, 2001).

Compliance

This section must clearly state the possible penalties for not complying with the standards and guidelines in the policy. Penalties usually range from loss of the privilege to use the organization's resources to termination for deliberate disregard of the policy (Olzak, 2010; Patrick, 2001).

Security Policy for the Given Scenario

A transaction management system is fundamentally about tracking transactions across a diverse environment. The data it supplies not only reveals the flow of transactions but also exposes business details such as the customer involved or the financial value of an individual transaction, and it gives business managers the information they need to prioritize transaction handling and problem resolution by business impact. Because information, whether about customers or about the business, is a crucial part of a transaction management system, its proper operation depends on the confidentiality, integrity and availability of that information. Three broad categories of risk must be taken into account when dealing with information security (Turban et al., 2005; Hutchinson & Sawyer, 2000).
Loss of confidentiality

Information is copied, accessed or used by someone not authorized to do so. This is a particular concern for organizations that store personal information about their clients, such as credit card companies, banks and loan companies, and holders of medical and insurance records (Williams, 2007; Pesante, 2008).

Loss of integrity

Integrity is the assurance that information has not been changed from its intended form and that its format remains consistent. Attacks can modify information in unexpected ways, which is critical for systems that process transactions, such as air traffic control, funds transfer and financial accounting (Williams, 2007; Pesante, 2008).

Loss of availability

This threat is equally serious, since information may be inaccessible or unreadable exactly when it is needed. It is especially damaging where one department's task depends on information from another; in a supply chain system, for instance, delivery of a product to a customer (the shipping department's task) depends on information coming from the billing department (Williams, 2007; Pesante, 2008; She & Thuraisingham, 2007; Vaidyanathan & Mautone, 2009).

The following policy is to be developed and enforced against these threats to information, which may affect the operation of the organization.

Purpose

The purpose of this policy is to describe the course of action against threats to the organization's information: loss of availability, loss of confidentiality and loss of integrity. It specifies the principles underlying the security measures required to protect the organization's information resources and to promote appropriate use of the transaction management system.
Scope and Objectives

This policy applies to all of the organization's entities and workers, including employees, the information security officer, information owners, custodians and end users, and to all systems and devices throughout the organization, including computer systems (laptops or desktops) and information storage devices and sources such as databases or magnetic disks.

The objective of this policy is to guard against:
Loss of confidentiality of information.
Loss of availability of information.
Loss of integrity of information.

General Policy

Because the information handled by the organization's transaction management system is highly sensitive, the policy statements on maintaining its confidentiality, integrity and availability must include the following:
Information is accessible and usable on demand by authorized persons.
Information is not made available to unauthorized persons or processes.
Protective mechanisms such as antivirus software and firewalls are employed so that information is not modified or damaged by unauthorized entities such as attackers.
Internal information is intended for unrestricted use within the organization. Because it relates to internal operations, it must be available to the departments concerned; under a partnership it may be distributed within the organization without advance permission from the information owner, but only in accordance with the clauses of the partnership contract. Internal information includes, for example, the personnel information bank and internal rules and regulations. Unauthorized disclosure of restricted internal information to partners may be unlawful under legal or contractual provisions.
Public information can be released publicly by a designated authority within each entity of the organization. Public information includes marketing brochures and the information about the organization on its web page.
Public information may be disclosed outside the organization, since it carries no contractual obligations.

Roles and Responsibilities

Information Security Officer: responsible for working with information owners, custodians and users to define, specify and implement policies, procedures and controls. This includes:
Ensuring that security policies, procedures and standards have been developed and are followed by the entities concerned.
Providing essential security measures for all systems and users (such as antivirus software) and granting all users the planned privileges to access information.
Guiding system developers in implementing security controls for information on systems.
Giving custodians and user management complete information about the security controls affecting systems and their users.
Conducting training sessions for ongoing employee security education.

Information Owner: the person responsible for the creation of the information. The information owner is responsible for:
Knowing which information is under his or her responsibility.
Ensuring that suitable procedures are applied to protect the integrity, confidentiality and availability of the information used or created within the department.
Granting access and delegating custodianship.
Reporting any loss or misuse of the organization's information to the information security officer without delay.
Applying remedial actions when problems are identified.
Following the approval processes of the organizational unit for the acquisition and implementation of any computer system or software that protects the information.

Custodian: the person responsible for processing and storing the information, including administering the controls specified by the owner. The custodian is responsible for:
Providing and recommending safeguards for information protection.
Controlling access to the information.
Disclosing information only as authorized by the information owner or the information security officer, using mechanisms that protect the privacy of the information.
Maintaining suitable information security policies, measures, procedures and standards in consultation with the information security officer.
Carrying out employee education activities approved by the ISO, where appropriate.
Informing information owners of any loss or misuse of the organization's information.
Identifying and reacting to security threats and risks, and taking suitable action in consultation with the information owner and the information security officer.

User: any person authorized to retrieve, create or update information. A user of information must:
Access or use information only as required by his or her authorized job responsibilities.
Adhere to the information security policies and standards established by the information owner and custodian.
Keep authentication details, passwords and tokens confidential.
Notify the party concerned immediately of any loss or misuse of the organization's information.

Policy Enforcement

Specific technologies and devices are used to keep information consistent and to manage the risk of loss of integrity, confidentiality and availability:
Virus scanning software approved by the Information Security Officer ensures that all electronic files are scanned for viruses; users are not permitted to disable anti-virus software.
An authentication method must be implemented, for instance usernames and passwords, biometric identification, or authentication tokens.
Encryption must be employed to protect the confidentiality of information, and digital signatures to protect its integrity and to verify the origin of data on which access decisions are based.
To prevent misuse of the technology, users must keep their authentication details, passwords and tokens confidential.
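To make the "loss of integrity" threat and the signature clause of the enforcement section concrete, here is an added example written for this edit (not code from the original essay or from any cited source). It tags each transaction record over a canonical serialization and has the custodian reject any record whose tag no longer matches, so a modified amount or an untagged record is caught rather than processed. It assumes HMAC-SHA256 from the Python standard library in place of the public-key digital signature the policy mentions (so signer and verifier here share one key), a key that in practice would be loaded from a key management service rather than generated in code, and constructed sample records.

```python
# Added example (not part of the original essay): integrity check for
# transaction records, illustrating the "loss of integrity" and
# "digital signature" clauses of the policy above.
#
# Assumptions: HMAC-SHA256 stands in for a public-key signature, so the
# verifier shares the key with the signer; the key would come from a key
# management service in practice; the records in demo_batch() are constructed.
import hashlib
import hmac
import json
import secrets

# Constructed per-process key. A real deployment loads it from a key store.
INTEGRITY_KEY = secrets.token_bytes(32)

TAG_FIELD = "integrity_tag"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so signer and verifier tag identical bytes.

    Sorted keys and fixed separators remove the ambiguity that would otherwise
    let two JSON encodings of the same record produce different tags.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _body(record: dict) -> dict:
    """The record without its tag field, i.e. exactly the data the tag covers."""
    return {k: v for k, v in record.items() if k != TAG_FIELD}


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying a tag over its canonical form."""
    body = _body(record)
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, TAG_FIELD: tag}


def verify_record(record: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the tag matches the record's current contents.

    A missing tag, a tag computed under another key, or any change to a
    covered field (amount, customer, ...) makes this return False.
    compare_digest avoids leaking the tag through timing differences.
    """
    tag = record.get(TAG_FIELD)
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical_bytes(_body(record)), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def process_batch(records, key: bytes = INTEGRITY_KEY):
    """Custodian-side check: split a batch into accepted and rejected records.

    Rejected records are what the policy's "report loss or misuse" duty should
    be triggered on; they are never silently repaired or re-tagged.
    """
    accepted, rejected = [], []
    for rec in records:
        (accepted if verify_record(rec, key) else rejected).append(rec)
    return accepted, rejected


def demo_batch():
    """Constructed batch: one intact record, one tampered, one never tagged."""
    intact = tag_record({"txn_id": "T-1001", "customer": "C-42", "amount": 250.00})
    tampered = dict(tag_record({"txn_id": "T-1002", "customer": "C-43", "amount": 80.00}))
    tampered["amount"] = 8000.00  # modified after tagging: integrity lost
    untagged = {"txn_id": "T-1003", "customer": "C-44", "amount": 15.00}
    return process_batch([intact, tampered, untagged])


if __name__ == "__main__":
    ok, bad = demo_batch()
    print("accepted:", [r["txn_id"] for r in ok])
    print("rejected:", [r["txn_id"] for r in bad])
```

Because an HMAC key lets anyone who holds it produce valid tags, this construction only separates the duties of information owner and custodian if the custodian verifies but cannot sign; that is what an asymmetric signature gives, and it is why the policy names digital signatures rather than shared-key checksums.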
All computer software used by the organization's employees is the property of the organization and must not be copied or taken for use at home or at any other location unless the license agreement permits it.
Users must log off the system when leaving it so that their account cannot be used by another person.

Compliance

This policy applies to all users in the organization, including employees, the information security officer, information owners, custodians and end users. Failure to comply with the policy may result in serious action, including termination of employment in accordance with organizational policies and applicable law. In particular, employees must not:
Attempt to obtain a password that belongs to another person.
Use another person's password.
Use an authorized password to violate privacy by examining protected information they are not entitled to see.
Install unlicensed software on the organization's computers.

Conclusion

Policy is of crucial importance in any organization because it defines the rules that govern the organization's successful operation. This report describes a framework for defining a policy for an organization, including the components that constitute a policy: the purpose of the policy, its scope and objectives, general policy statements, the roles and responsibilities of the people affected, the technologies used to enforce it, and the consequences of violating it. We then define a security policy to protect the information assets that flow through the transaction management system of an organization against unauthorized access and external threats. An information security officer, information owners, custodians and users are all involved in enforcing such a policy, and several technologies can be used under the policy to protect against the threats to information described above.
These include encryption, digital signatures, anti-virus software, and authentication credentials such as passwords or PIN codes, which protect information from external attack and ensure that only authorized access takes place. It remains the responsibility of the information security officer, as the policy owner and enforcer, to monitor that the policy is properly enforced and to track any violations. Violations of the policy by employees may result in penalties up to and including termination of employment.

Bibliography

Hutchinson, S.E. & Sawyer, S.C., 2000. Computers, Communications, Information: A User's Introduction, 7th Edition. New York: Irwin/McGraw-Hill.
Laudon, K.C. & Laudon, J.P., 1999. Management Information Systems, 6th Edition. New Jersey: Prentice Hall.
Olzak, T., 2010. Security Basics - Components of Security Policies. [Online] Available at: http://www.brighthub.com/computing/smb-security/articles/2259.aspx [Accessed 30 July 2010].
Patrick, W.F., 2001. Creating an Information Systems Security Policy. GSEC Practical Assignment. SANS Institute.
Pesante, L., 2008. Introduction to Information Security. [Online] Available at: http://www.us-cert.gov/reading_room/infosecuritybasics.pdf [Accessed 31 July 2010].
Shelly, Cashman & Vermaat, 2005. Discovering Computers 2005. Boston: Thomson Course Technology.
She, W. & Thuraisingham, B., 2007. Security for Enterprise Resource Planning Systems. Information Systems Security, 16(3), pp.152-163.
Turban, E., Leidner, D., McLean, E. & Wetherbe, J., 2005. Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley.
Vaidyanathan, G. & Mautone, S., 2009. Security in dynamic web content management systems applications. Communications of the ACM, 52(12), pp.121-125.
Weise, J. & Martin, C.R., 2001. Developing a Security Policy. Sun BluePrints OnLine. Palo Alto, CA: Sun Microsystems, Inc.
Williams, R.H., 2007. Introduction to Information Security Concepts (1.7.12.7). [Online] Available at: http://www.rhwiii.info/pdfs/Introduction%20to%20Information%20Security%20Concepts.pdf [Accessed 30 July 2010].
