Friday, 12 February 2016

IS Security Assessment 3




Security best practice & policies


Part 3  9/1/2015



By Conway Maurirere




“Which factors should a firm monitor as part of their security policy”

Which factors an organization should monitor as part of its security policy depends on the organization itself: its size, the sensitivity of the business information it holds and handles, and the types of information and computing systems it uses. For a large company, a single policy document that covers every type of user and addresses every information security issue is close to impossible to write and maintain. A more effective approach is a suite of policy documents, each covering a set of information security issues and targeted at a specific group of users within the organization, which makes the policies easier to apply for everyone concerned.
The factors taken into account include the audience, the company's business and its size. An inventory of the organization is useful for determining what the factors are and how they can be addressed, starting with the question: what kind of data does the organization hold? This could include customer data such as account records, transaction and financial information, contact details and purchase history; employee information such as salary and bank details; email; and important business information such as marketing plans.
Another factor is how all this information should be protected. There is a saying that “data is most at risk when it is on the move” (cyber security planning guide, p1, 2015): data that sat in a single place and was never touched would be easy to protect, but a business needs to move information through the organization. It must be accessed, managed, used by customers and employees and shared, and this exposes it to many forms of danger such as abuse, tampering, wrongful manipulation, theft or corruption.
An equally important factor a firm should monitor as part of its security policy is access: who has access to its information, for what purpose and under what circumstances. Information is accessed by specific groups and people. The marketing department needs access to the organization's sensitive marketing information but should not be allowed access to, say, customers' private financial information. This is why it is necessary to assign access rights to the organization's data, meaning that specific groups and people are granted rights only to the information relevant to their role (the principle of least privilege), and that those rights are managed and reviewed as roles change.
Another factor, once the organization has grown, is the maturity of the policy development process already in place. An organization which currently has no information security policy, or only a very basic one, may initially use a different strategy from a company which already has a substantial policy framework and wants to improve it and use policy for more complex purposes, such as tracking compliance with legislation. When starting out it is a good idea to use a phased approach: begin with a basic policy framework covering the major policies that are needed, then develop a larger number of policies, revise those already in place, and support them with accompanying guidelines, job aids and tools (www.sans.org, 2015).
To protect an organization's data on the internet, policies must be put in place to ensure the safety of that information whether the organization manages its own servers or entrusts its information to third parties such as web hosting companies; in the latter case the policy must set out what those third parties are required to do.
Finally, the organization's policies must comply with government legislation and regulation. A security policy fulfils many purposes: it protects people and information; sets the rules for expected behaviour by users, system administrators, management and security personnel; authorizes security personnel to monitor, probe and investigate; and defines and authorizes the consequences of violating the policy.



“Which business processes are most likely to impact upon that policy”



Information security policies


Information security policies set out best practice that all employees can follow. They minimize risk and ensure that security incidents are responded to effectively. They also engage staff in the company's efforts to protect its information assets, and the process of developing them helps to define what those assets are (www.sans.org, 2015).



Online security and access rights to users and employees

It is important to create a corporate policy on internet and device usage that makes rights and responsibilities clear to everyone. Employers should define their risks and security needs, and put measures in place to ensure the policy is followed.
Set rules for acceptable use of email, instant messaging, social networks, blogging and web browsing, as well as for downloading software and apps. Also consider an electronic code of conduct that employees sign, and give each employee an individual login so that their activity is recorded against them and can be retrieved for security purposes should the need arise.
Policies must be in place to protect the organization from improper use of its digital assets and to set the limits of employee privacy in the workplace. Stating that monitoring will occur, and informing the organization, its customers and its employees of the policy's intentions, obtains their fully informed consent and protects the organization from morale and legal problems; this monitoring is part of the organization's obligation to maintain a compliant workplace.



IT security and encryption


Encryption is the tool an organization uses to keep sensitive information confidential, and there are two families of encryption. Asymmetric (public-key) encryption is based on a pair of keys: the private key is known only to its owner, and the public key can be given to anyone who needs to send that owner data. A sender encrypts with the receiver's public key and only the receiver's private key can decrypt, so no secret has to be agreed in advance. A public-key infrastructure (PKI) is the system of certificates and certificate authorities that binds public keys to identities; built on it, public-key cryptography provides confidentiality, access control, proof of transmission (through digital signatures) and support for document archiving and retrieval. The other family is symmetric encryption, which uses the same key to both encrypt and decrypt (itsecurity.com, 2015). It is much faster than asymmetric encryption, and a modern symmetric cipher such as AES is not easier to break; its weakness is key distribution, since every party who needs the data must hold the same secret key, so it works best when that key is restricted to a limited number of trusted individuals. For this reason the two are normally combined: the bulk data is encrypted with a fresh symmetric key, and only that key is encrypted with the receiver's public key.
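The combination just described, bulk data under a fresh symmetric key and only that key under the receiver's public key, is shown below as an added example in Go using only the standard library. It is illustrative code written for this page, not code from the original post or from the itsecurity.com source; the Envelope type, the Seal and Open functions, the GenerateRecipientKey helper, the label string and the sample customer record are all constructed for the example. A per-message AES-256-GCM key encrypts the record, RSA-OAEP wraps that 32-byte key with the receiver's 2048-bit public key, and the label is bound to both layers so a tampered ciphertext or a mismatched context is rejected rather than decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the sender transmits: the per-message AES key wrapped with
// the receiver's RSA public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateRecipientKey creates the receiver's RSA key pair. The private half
// stays with the receiver; only the public half is handed to senders.
func GenerateRecipientKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to do but stop
	}
	return priv
}

// Seal encrypts plaintext for the holder of pub. A fresh 256-bit AES key is
// generated for this one message and used with AES-GCM (fast, and the tag
// detects tampering). Only that 32-byte key is encrypted with RSA-OAEP, so
// the slow asymmetric operation never touches the bulk data. The label is
// bound to both layers (GCM associated data and OAEP label).
func Seal(pub *rsa.PublicKey, plaintext, label []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random nonce is safe only because this key is used exactly once.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, label)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal with the receiver's private key. Any change to the
// wrapped key, nonce, ciphertext or label makes decryption fail closed.
func Open(priv *rsa.PrivateKey, env *Envelope, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, label)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, label)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or label was altered")
	}
	return plaintext, nil
}

func main() {
	receiver := GenerateRecipientKey()
	// Constructed sample record for the example; not real customer data.
	record := []byte("customer 1042: account 12-3456, balance 9874.20")
	label := []byte("finance-records:v1")
	env, err := Seal(&receiver.PublicKey, record, label)
	if err != nil {
		panic(err)
	}
	plain, err := Open(receiver, env, label)
	fmt.Printf("round trip ok: %v, err: %v\n", string(plain) == string(record), err)
	env.Ciphertext[0] ^= 0x01 // simulate tampering in transit
	_, err = Open(receiver, env, label)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Run it with go run; it reports that the round trip succeeded and that the envelope with one flipped ciphertext bit was rejected. The design point is that the symmetric key never has to be distributed by hand: each message carries its own key, protected by the receiver's public key, which is exactly the key-distribution problem the paragraph above identifies as the weakness of symmetric encryption on its own.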

IT security protects the organization from many forms of danger. These attacks and problems are identified and controlled through the monitoring and management of, or defence provided by, the following systems and controls, each of which the policy should cover:

access control, email security, firewalls, intrusion detection systems, malware protection (systems, software and management), network access control, vulnerability scanning, security audit, spyware protection (systems, software and management) and VPN security.






“Discuss the impact of cloud computing on an organization’s security policy”

Cloud computing has ushered in a new model for security policies, especially for larger infrastructures. Security policies must now take into account the advantages and disadvantages the cloud brings, for instance the reduced cost that comes from sharing computing and storage resources. Such features have a direct impact not only on the organization's budget but on how its traditional security, trust and privacy policies hold up. Policies written before cloud adoption may no longer be workable: controls that assumed the organization owned and ran its own infrastructure are no longer adequate on their own, and the policies must be revised to fit the new model.

When using cloud services to hold its data, an organization should first categorize its information by importance and then find a cloud storage provider suitable for that level of information (pandasecurity.com, 2015).

To evaluate and manage the security of its cloud environment, with the goal of mitigating risk and delivering appropriate protection for that information, the organization should consider policies for the following:

1. Ensure effective governance, risk and compliance processes exist by establishing security and compliance policies.

2. Audit the operational and business processes of the provider that hosts the applications and data, to assess how effectively the organization's policies are enforced.

3. Manage people, roles and identities. The organization must ensure the provider has access processes for its data which show that the environment is suitably managed.

4. Ensure proper protection of data and information; security considerations must be defined for cloud computing services.

5. Enforce privacy policies in line with the laws and regulation relating to the storage and use of the organization's information, for example requirements to tag the data appropriately.

6. Assess the security provisions for cloud applications: the organization must protect its business-critical applications from threat.

7. Ensure cloud networks and connections are secure, allowing legitimate traffic and blocking malicious traffic.

8. Evaluate security controls on physical infrastructure and facilities.

9. Manage security terms in the cloud service level agreement.

10. Understand the security requirements of the exit process, e.g. is it clear what legal and regulatory controls apply to the provider's (cloud-council.org, 2015).




References






·      cyber security planning guide, p1-p5, 2015. Cyber Security Planning Guide, Federal Communications Commission.

·      itsecurity.com, 2015. Retrieved from: http://www.itsecurity.com/features/encryption-101-010308/

·      cloud-council.org, 2015. Retrieved from: http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf
