Information Security Policy for AMERCO Car Leasing Company - Term Paper Example

Summary
The paper "Information Security Policy for AMERCO Car Leasing Company" states that an information security policy must be detailed enough to cover all aspects that may involve threats to the company. Human risks are one of the prime factors that cannot be prevented but can be countered with awareness and training…

Extract of sample "Information Security Policy for AMERCO Car Leasing Company"

14 December

Introduction

AMERCO Car Leasing is an e-commerce based company with its head office in Bethesda and three local pick-up points located in the DC metro area. Its primary business is car leasing for personal and business use. AMERCO Car Leasing Company wants to draft an information security policy. We will use a phased approach built on a basic policy framework that addresses key policies first, followed by the development of more policies. Likewise, the phased approach will also revise the existing policies that are already in place. In the current scenario there is no policy in place, as the company is new.

One key element of a policy development process is the process maturity level. For instance, a newly derived comprehensive and complex security policy cannot be successful because organizations need time for compliance. Common pitfalls for compliance are different organization cultures, lack of management buy-in, insufficient resources and many other factors. For a newly inaugurated car leasing company, the initial step would be to publish a policy that consists of bulleted points, i.e. in the form of checklists. Afterwards, when the processes have matured, more policies can be developed with comprehensive and detailed requirements, along with documentation for standard operating procedures (SOPs). Moreover, awareness of the newly developed policy will also need time to mature and align with the different departmental policies already in place. To gain management buy-in for any newly developed policy, it must be operational as early as possible so that changes can be made and customized in alignment with the corporate business requirements.

As the policy development process can be triggered at various stages, regulations are vital motivators and one of the key reasons for developing or modifying a policy. Moreover, any security breach resulting in poor incident response plans and procedures can also be a reason to review or create a new incident response policy and incident response plan. The ‘top-down’ approach, which draws policy from best practices and regulations, will produce only a non-natural policy with no results, as it will not be effective in a real-world scenario. On the other hand, the ‘bottom-up’ approach, which takes inputs from the network administrator or information technology specialist, will be too specific and tied to local practices, and will not address issues in the current operational environment of a corporate organization. The recommendation is to find a balance and combination between these two approaches.

---------------------------------------

Information Security Policy Document (ISPD) for AMERCO Car Leasing Company

The information security policy is drafted from one of the templates from SANS, which claims on its website to be the most trusted and the largest source for information security research in the world, focusing on certification, research and training. Moreover, many authors refer to SANS information security policy templates to give organizations an initial step covering the fundamental and basic requirements stated in these templates. However, in some cases these policy templates require only a change in the name of the organization. In spite of this, the focus needs to be on aligning business objectives to the policy, as it is considered to be one of the vital controls that govern from top to bottom (Chen, Ramamurthy, and Wen 157-188).

1. Purpose

This policy sets out requirements for protecting and securing AMERCO Car Leasing Company information, so that information classified and categorized as confidential cannot be conceded or breached, and so that the security of services related to production and third-party service providers is safeguarded from the operations of the information security and AMERCO Car Leasing Company.

2. Scope

This policy is applicable to employees and third parties who have access to the head office in Bethesda and the three local pick-up points located in the DC metro area. The scope of this policy also covers all legacy and future equipment, which will be configured and tuned as per the reference documentation.

3. Policy

3.1. Ownership Responsibilities

3.1.1. The first factor that must be addressed is the ownership criteria. AMERCO Car Leasing Company is responsible for recruiting or assigning a chief information security manager as a point of contact for communication, and an alternate point of contact in case the primary point of contact is unavailable. Employees who are assigned as the owners of the company must organize and update the point of contact on a regular basis in order to align with the information security and corporate enterprise management members or groups. Managers of the company must be available all the time, i.e. round the clock, either via phone or during office hours. In case of absence, an alternate manager must be functional to avoid hindrance to company operations. In case of any mismanagement, legal action is applicable against the employee.

3.1.2. Moreover, company managers are also liable for the vital factor that is the security of AMERCO Car Leasing Company and the impact of its operations on the production functions and operations that are functional on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best to safeguard AMERCO Car Leasing Company from security weaknesses and vulnerabilities.

3.1.3. Company managers are also liable for aligning the security policies of AMERCO Car Leasing Company with the security policies of the local pick-up points located in the DC metro area. The following policies are vital: password policy for networking devices and hosts, wireless network security policy, anti-virus security policy, physical security policy, information system policy, backup and recovery policy, media handling and disposal policy, network access control policy, and third-party service delivery management policy.

3.1.4. The chief information security manager is the owner of AMERCO Car Leasing Company, and is responsible for granting and approving access for employees who require remote access to information located on critical servers or for business purposes. Access can be either short term or long term, depending on the ongoing job description or responsibilities. Moreover, the chief information security manager will also ensure effective procedures for terminating unwanted access to company resources.

3.1.5. The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations and the network or network appliance / equipment / device. They are also responsible for safeguarding the remote channels from the public web server located in the DMZ.

3.1.6. The network support staff or administration must be entitled to full rights to interrupt network connections of the company that may impose an impact or security risk on processes, functions and operations on the production network.

3.1.7. The network support and administration staff must maintain and record all the IP addresses that are operational in AMERCO Car Leasing Company, and any database associated with routing information from these IP addresses.

3.1.8. Any personnel requiring an external connection to or from the company must provide a business case, including justification of access with network diagrams and equipment, to the information security management, who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection.

3.1.9. User passwords must meet the requirements of the access management or password policy of AMERCO Car Leasing Company. Moreover, any inactive account must be deleted within 2 days from the access list of the company and any device that involves critical and sensitive information of AMERCO Car Leasing Company; passwords of group-based accounts from the group membership modules must be modified within 24 hours.

3.1.10. AMERCO Car Leasing Company will not facilitate other business partner services apart from network and data transmission, storage, modification, monitoring and protection. All the other university departments will be facilitated by their respective support functions.

3.1.11. In case of non-compliance, chief information security management must consider business justifications and allow waivers accordingly.

3.2. Universal Configuration Necessities

3.2.1. The network traffic between the public web server of AMERCO Car Leasing Company and other networks, such as those for financial and banking transactions, will be transmitted via a firewall monitored and maintained by the support staff. However, in the case of a wireless network transmission, connection to other networks of the company will be prohibited.

3.2.2. Any configuration or modification of configuration settings on the firewall must be reviewed and approved by the information security personnel.

3.2.3. Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the company, as they can trigger information security risks and disrupt the AMERCO Car Leasing Company network or any other network that may be operational.

3.2.4. The right to audit all inbound and outbound activities of the company is available to the information security personnel at any time.

3.2.5. To secure physical access, every employee or student must identify themselves via physical security controls before entering the company.

3.2.6. Access to mobile phones, PDAs, smartphones, laptops and any other communication device must be in accordance with the information security policy.

3.2.7. Encryption must be applied to stored password files, VPN connections and connections to third-party service providers where applicable.

3.3. Enforcement

If any violation of this policy is found, the matter may be subject to disciplinary action, including termination of employment.

4. Revision History

Version 1.0

Conclusion

A good information security policy must demonstrate a general security mandate and the intent of the management. An information security policy must be detailed enough to cover all the aspects that may involve risks and threats to the organization. Moreover, human risks are one of the prime factors that cannot be prevented but can be countered with awareness and training. In creating an initial draft of the ISPD document, we have created a comprehensive information security policy for AMERCO Car Leasing Company to address internal logical threats, external logical threats, human threats and physical threats. Likewise, we have also secured remote access to the critical servers. Every policy must be different for every organization and every department. There is a requirement to address risks that may give threats the opportunity to exploit vulnerabilities and gain access to critical servers, in this case the database, which may include financial and banking transactions.

Works Cited

Chen, Yan, K. Ramamurthy, and Kuang-Wei Wen. "Organizations' Information Security Policy Compliance: Stick Or Carrot Approach?" Journal of Management Information Systems 29.3 (2012): 157-88. Print.
Cite this document
(“Security Policy Description Term Paper Example | Topics and Well Written Essays - 1750 words”, n.d.)
Security Policy Description Term Paper Example | Topics and Well Written Essays - 1750 words. Retrieved from https://studentshare.org/information-technology/1497600-security-policy-description
