Cyber Security Policy Essay Example

employees is not a technological problem but rather a human problem. While having policies in place is beneficial for a business, the effectiveness of a policy depends on how well it is followed by management and staff (Gilhooly 2002, p 2). If employees become discontented with the security policy, they may try to bypass it. Therefore, employee compliance plays a crucial role in shaping security policies, and achieving 100% compliance is essential to ensure their effective implementation.

The security policy structure of Firion Corporation must address the human aspect of security. The process of developing the policy should involve and gain support from top leadership in order for it to be effective. The structure of the policy should be designed in a manner that enables end users to understand the rationale behind each policy, as well as comprehend the detrimental effects on both the corporation and employees if not adhered to by everyone. Additionally, the policy should encompass ongoing education and a marketing campaign to enhance and sustain compliance at an acceptable level.

The policy should not unreasonably impede or frustrate an employee’s job performance. If this occurs, individuals will seek ways to bypass the security policy. The policy must incorporate a set of measurable metrics to determine successful adherence and identify areas for enhancement. Firion is concerned about cyber crime and cyber warfare. Cyber crime is classified as a criminal activity carried out using electronic media or other means to manipulate the operation of computers or computer systems (Cyber Crime Branch, 2010).

Cyber Warfare and cyber crime have similarities in their methods, but Cyber Warfare typically involves a national government with specific targets. It can be more

intricate and utilizes the resources and expertise of a nation. Conversely, cyber crime is a significant concern due to the challenge of identifying and prosecuting criminals, particularly with the widespread computer usage among the general population. Previously, it was uncommon for teenagers to engage in these crimes; however, as they grow up with computers and acquire skills, their generation is becoming increasingly involved in cyber crime.

Various forms of criminals, such as teenagers, adults, and terrorist groups, can now utilize computers to carry out anonymous criminal activities. In the modern era, businesses store valuable data on computers and financial transactions predominantly occur online. As a result, physical presence in a particular location is no longer necessary for criminals to engage in illicit actions. Cyber criminals encompass individuals dissatisfied with their employment, competitors in the business realm, proficient hackers, politically motivated activists, or even relatives of employees.

We, at Firion, acknowledge that anyone can be a victim of cyber crimes, but those who are inexperienced, desperate, or greedy are the most vulnerable. Therefore, we make diligent efforts to promptly identify any issues. Criminals can either operate individually or seek assistance online to carry out their unlawful activities. They often use the internet as a platform to collaborate with other criminals and exchange techniques for future crimes. The cyber crimes we strive to safeguard against at Firion encompass denial of service, spyware, hacking, virus dissemination, fraud, phishing, spoofing, and extortion (Ciampa, 2010).

Despite our efforts, we found vulnerabilities resulting from certain employee actions that were recently identified by Firion. The discovery was made when one of our lead engineers violated company policies by downloading unlicensed freeware onto company computers. Since

the trustworthiness of the software is uncertain, we do not permit such vulnerabilities on computers connected to our network due to the potential presence of malicious codes or viruses. Thankfully, this vulnerability was noticed during a routine audit and promptly resolved.

We are also contemplating modifying administrator privileges to prevent the user from downloading software without authorization. Additional findings revealed the sharing of company information and work email addresses on public websites. This type of work-related information can make individuals susceptible to highly believable phishing attacks. Fortunately, we detected this issue and subsequently offered extra training to the individuals involved, as well as made them aware of the possible repercussions. Currently, there is an ongoing investigation into a concerning incident involving a product development manager.

Our internal security controls have detected a potential incident of corporate espionage. The investigation will proceed, but initial findings suggest that unauthorized transmission of information to an external party has occurred. Specific measures at Firion have been strengthened to safeguard our crucial assets, and this security tool has been utilized to identify confidential words or phrases associated with proprietary information. Our most stringent safeguards are in place to protect highly targeted critical assets, which would have a significant detrimental effect if breached.

Firion faces the same concerns as any large company, but with added vulnerability due to supplying products and services utilized by defense forces. Their waste disposal jackets and safety applications support US and Allied defense forces, while also serving commercial customers. While we prioritize customer support, the defense sector's involvement raises additional concerns that require careful consideration. Rest assured, we are dedicated to maintaining confidentiality regarding the specific equipment details and

collaborate closely with each government.

The information that could be used against our defense customers, if compromised, includes the timing, amount, or type of equipment being procured. We collaborate with other partners in the defense industrial base to enhance our understanding of potential vulnerabilities. Although it may appear insignificant, consolidating information from different government vendors has the potential to create a national security incident. Firion is currently assessing its present policies and will suggest enhancements based on these recent incidents and discoveries.

With the turnover of employees and the evolving threat landscape, it is crucial for Firion to regularly update its cyber security policy and conduct awareness activities for its employees. At Firion, we safeguard against cyber crimes and cyber warfare by implementing strategies and utilizing tools to protect our IT enterprise, including computers, networks, personal devices, wireless connections, and other areas. However, the increasing number and complexity of attacks pose challenges for Firion. Training and readiness of our security professionals are difficult to maintain, making the entire staff our greatest vulnerability.

To maintain security, ongoing training and awareness initiatives are necessary along with the implementation of appropriate security controls to segment parts of the critical network. The main challenge is finding a balance between empowering staff to prioritize security decisions and implementing access restrictions. Strict controls may result in staff members feeling disconnected from decision-making, leading to reduced vigilance. On the other hand, lenient controls increase the likelihood of intentional or unintentional security breaches.

Cyber Crime Trends Our current business environment is becoming more volatile and uncertain. The tense political climate and instability in the economy are causing a lot of anxiety. According to the SANS Institute (2001),

the ways in which organized crime and terrorists adapt to the internet can provide insight into the future motivations of cyber criminals. These groups can take advantage of the international nature of the internet, operating with minimal risk and increased anonymity, which could lead to bigger rewards. To address this, increased collaboration is necessary within our industry as well as with the government.

The danger has evolved from individual hackers in cyberspace to include the support and resources of nations and organized crime groups, making it more difficult to anticipate, attribute, and protect against future motives. Laws and regulations play a crucial role in determining company security policies, yet there are numerous challenges in enforcing these laws against cyber criminals. The ability to commit cyber crimes across borders and the absence of international guidelines are major factors contributing to the enforcement difficulties faced by law enforcement agencies.

The computer age has introduced a new type of traditional crimes, aided by technology. However, gathering evidence for prosecuting these crimes presents significant challenges. One major obstacle is the ability to conceal IP addresses, making it difficult to trace the culprits. Moreover, many companies lack the necessary expertise to preserve digital evidence, worsening the problem. In certain situations, companies may not even be aware they have been targeted or choose not to report incidents, resulting in a substantial number of unreported crimes. Even if a crime is reported correctly, relying on our legal system can encounter issues such as jurisdiction and sentencing. Additionally, locating the cyber criminals themselves can be an intimidating endeavor.

It is crucial that our security officers are alert to meet these challenges. They should be well-versed in

the law, incident reporting, and evidence protection. Our policies should assert our right to monitor work-related systems and communications, as well as assist law enforcement when necessary and lawful. To comply with federal laws and effectively respond to incidents, we employ different privacy protection laws, regulations, and practices.

The Electronic Communications Privacy Act (ECPA) is a US Law that safeguards electronic communication and establishes the criteria for search warrants. The ECPA includes provisions to protect information stored or in transit without obtaining the required warrant or court order. The Stored Communications Act (SCA), which is a part of the ECPA, specifically deals with the voluntary and compelled disclosure of wire and electronic communications as well as transactional records retained by internet service providers (ISPs) that are third parties (18 U.

S. C. §§ 2701 to 2712, 1986 state the penalties for accessing information without authorization. The Safe Harbor Framework, created by the US Department of Commerce and the European Commission, seeks to protect privacy and has a dispute resolution process. Numerous major companies are self-certifying according to these standards to show their dedication to privacy abroad (TRUSTe, 2011). Liability and taking responsibility are important aspects.

Companies and individuals are increasingly being held accountable for any harm caused by a lack of cyber protection. Firion requires its security officers to be knowledgeable about the evolving laws and regulations related to information security. It is important for a security professional to understand the boundaries of consumer privacy and when law enforcement agencies are authorized to utilize their tools to combat cyber crimes. Being familiar with these laws and regulations before an incident occurs will ensure that our actions remain lawful.

Security Policies

With the growing dependence on electronic transactions, it is crucial for individuals, businesses, and organizations to have reliable security measures in place to safeguard their information. Unethical transactions can have negative effects on data integrity, employee morale, and stakeholder confidence (UMUC_CSEC620_Week6_ICS-1, page 6). Firion's cyber security experts must be capable of identifying weaknesses in IT practices and processes that could potentially be exploited, posing a threat to productivity and compromising the organization's integrity (UMUC_CSEC620_Week6_ICS-1, page 6).

Protecting company information is crucial for Firion. The initial measure that Firion needs to implement is the development of a security policy. This policy will serve as a formal set of regulations that all individuals with access to Firion's technology and information assets must comply with. Essentially, this policy will outline how Firion intends to utilize and safeguard its computer and network resources (De Laet; Schauwers p. 23). Furthermore, the security policy will establish a benchmark for the existing security posture of Firion and provide the framework for the implementation of security measures.

The sponsors of the security policy at Firion will be identified, along with the topics that will be covered. The policy will outline what is permitted and not permitted regarding the use of Firion's information systems, as stated in the acceptable use policy. It will establish the ethical and appropriate use of Firion's Internet access capabilities. Guidelines for how users should utilize Firion's data infrastructure will also be defined. Additionally, the policy will specify the procedures utilized by Firion in the event of an accident. This includes computer server logs.

Firion's IT department has identified several vulnerabilities in the server logs dating back six months. These include a

user customizing their desktop backgrounds and screen savers, another user downloading unlicensed freeware, someone blogging about Firion's best practices in a public forum, an individual posting messages in different newsgroups using their office email address, and a user emailing product development-related keywords to an external email ID. These unlicensed software downloads put Firion's network at risk of malware attacks and other threats.

To ensure that Firion employees understand the importance of obtaining approval prior to downloading publicly available software, it is necessary to convey this information. It is crucial to address any potential copyright violations that may arise from unlicensed downloads in the policy. Although blogs provide an effective platform for sharing ideas and thoughts, there is always a risk of confidential information being leaked. To mitigate such conflicts, it is advisable to establish explicit policies regarding the ethical disclosure of company information in public forums. The following policies specifically address these concerns: Setting Backgrounds and Screen Savers Policy.

Using backgrounds and screen savers that are threatening, discriminatory (based on language that can be viewed as harassing others based on race, creed, color, age, sex, physical handicap, sexual orientation, or otherwise), defamatory, slanderous, obscene or harassing behaviors are prohibited. It is crucial to show respect towards the rights of others and consider the possibility of intellectual property infringement when utilizing different electronic communications systems. Although software labeled as "free," "public domain," or "public use" may be free for personal usage, it might not be suitable for corporate purposes.

It is essential to obtain proper approval when downloading software from the Internet to avoid violating copyright or licensing requirements. Always seek approval from your manager or the Legal Department

before using any publicly available software package. Also, refrain from copying company-owned software without permission or removing intellectual property notices owned by others.

The Company's Information Systems Acceptable Use Policy states that the provided information systems are mainly for Company-related use, with limited personal use permitted.

Personal use should be limited and not disrupt work or occur during working hours. Personal messages must not be sent to groups or other employees, except in appropriate forums such as designated Usenet news groups. Permission from the Information Assurance Department is necessary for Company-wide dissemination of personal messages.

Email users have obligations. Email can be accessed by anyone along its delivery route, just like a postcard. Users should exercise caution when sharing sensitive, confidential, or proprietary information with individuals who have access to the local area network.

Customers and partners connected to the local area network can receive appropriate information. However, it is important to note that sensitive, confidential, or proprietary information cannot be sent over the Internet without a digital signature and encryption. Users of the Company's email service must follow the Ten Commandments of Email:

1. Demonstrate respect in verbal communications.
2. Check spelling, grammar, and message content before sending.
3. Do not forward chain letters; report them to the IA Division.
4. Avoid sending unsolicited mass emails (spam).
5. Avoid sending hateful, harassing, or threatening messages to fellow users.
6. Avoid supporting illegal or unethical activities through email.
7. Remember that email is like a postcard and should not transmit sensitive information without encryption.
8. Avoid broadcasting email messages outside your assigned email group.
9. Minimize personal email usage.
10. Avoid clicking on external website links in company emails.

If you receive email of this nature, notify the IA division. Employee Ethics The IT team also found employee

requests in the same six month period that may be ethics violations. These requests included allowing access to Yahoo Groups during work hours for employees to forward non-work-related emails to specific colleagues, enabling the use of the USB port on an office computer for file copying and remote work, and downloading a trial version of Photo Alter software on an employee's system.

Using Yahoo Groups during work hours poses a security risk as it exposes the company’s network to malware, infections, and potential loss of sensitive data. Furthermore, if the site is not under Firion's control, any unethical employee behavior cannot be monitored or controlled. Portable storage devices are highly susceptible to theft, loss, or unauthorized access. To prevent the loss of sensitive data, it is advisable for Firion to disable USB ports on all desktop computers. It is important to refrain from using trial software in product development without approval from the security manager, as unauthorized software use can potentially violate copyright and licensing requirements.

The Company provides information systems to its users for company related business purposes. Limited personal use is allowed, as long as it does not occur during charged time or interfere with job performance. Personal messages should not be sent to groups of people or other employees, except in appropriate forums such as designated Usenet news groups.

Permission for company-wide broadcasting of personal messages must be obtained from your manager. Software License Policy: All software installed, ran, or used for development on Firion’s equipment must be licensed with a proof of purchase available for audit verification. Data Transfer Policy: Equipment and data will not be taken off site without formal signed approval. Data

that is moved off site will use approved storage devices and the files are encrypted. Employment Hire Practices Policy: Sam Baker is interested in offering Nina Patel a job working for Firion’s IT group. Nina is a Senior Network Engineer.

Before offering Nina employment at Firion, Sam must verify her professional references and educational background qualifications as listed on her resume. According to the Reference Checks Policy, post interview reference checks are necessary before recommending any candidate for appointment. These checks involve conducting a structured phone interview with at least two of the candidate's nominated references. While this may result in same-day offers not always being possible, it ultimately upholds the integrity and quality of the candidates and the recruitment process. Ideally, the candidate should include their most recent supervisor as a reference. In cases where this is not possible, an explanation should be included in the reference report. Those who refer a candidate must have had close working relationships with the person and be able to provide knowledgeable comments on their recent work performance. Furthermore, applicants must give prior permission for their references to be contacted, which should be obtained or confirmed during the interview if the names of references were provided in the application.

Candidates who have not listed their current or recent supervisor as a reference should be requested to do so, or explain why such a reference is unavailable. If necessary, the deputy manager should consult with the recruitment team to find a suitable alternative. The deputy manager of recruitment is responsible for conducting reference checks, but other members of the recruitment team may handle this task in certain circumstances. To ensure confidentiality

under legislation, reference takers should ask the referee to confirm that their reference is given in confidence. Additionally, the questions from the pro forma should be read aloud and answered by the referee to maintain confidentiality and reliability. The references sought must be related to the job, and reference takers should verify the information provided by candidates during interviews and on their resumes.

Referees should be asked to confirm and provide details about the important accomplishments mentioned in the candidate's resume or discussed during the interview. These details should include the level of success, significance, difficulty, and individual's contribution to the outcome. Contribution can involve various factors such as their role in a project, leadership skills, research ability, or project management skills. It is crucial to conduct reference checks consistently and fairly. As part of the selection techniques training program, reference takers will receive training on how to interview referees.

All reference check information should be documented using the provided form from Human Resources. The completed report, along with the deputy manager report, should be submitted. Each reference check requires its own form. There will be 7 references who will be asked to rank certain criteria on a scale. This is to address the weaknesses in the reference checking process. If complete reference information is not obtainable, Firion may reconsider hiring the candidate. Proceeding with hiring without this information poses an unacceptable risk.

The Need to Know Policy at Firion is important. Nina, who has been with the company for six months, has impressed everyone with her intelligence, ability to manage multiple projects, and the amount of time she has dedicated to her work. However, Sam has concerns.

One of Nina's colleagues noticed her browsing through documents that she should not have access to. Additionally, Nina has been given access to secure areas and systems that are not always necessary for her job. Furthermore, she disabled some ports on the company's firewall without informing her IT team members in order to test the strength of the Intrusion Prevention System.

The Fusion policies that will help prevent future incidents are as follows:

• Least Privilege Policy: Only individuals who require access to specific information are given such access. Least privilege aims to protect data by providing users with the minimum level of access necessary to perform their job effectively.
• Separation of Duties Policy: The company experienced an insider attack due to an employee with administrator-level access to the servers and backup server.

The text discusses the concept of separation of duties, which involves dividing responsibilities to prevent one person from having excessive power over a system. It provides an example of assigning one system administrator to maintain the active server and another to handle data backups. Additionally, it mentions the need for a security awareness program following an incident involving Nina Patel. In order to ensure compliance with company security policies, Firion must implement this program to educate and guide all individuals working with corporate information or computer systems.

The primary objective of the security awareness program is to promote employees' adoption of protective behavior and attitudes towards safeguarding the organization's information assets. To effectively motivate employees, it is essential to emphasize the advantages for both the company and individual employees when they participate. Additionally, it is important for employees to recognize that by implementing necessary precautions to protect information

or information systems, they are indirectly safeguarding their own personal information too, as the company possesses certain confidential data about each employee.

A comprehensive security training program requires significant support. It is crucial that the training effort encompasses all individuals with access to sensitive information or corporate computer systems. Furthermore, it must be an ongoing process that consistently evolves to address new threats and vulnerabilities. The following references provide valuable insights into security management: Baddin, Jacob. Security Log Management. Rockland, 2006. Cole, Eric. Network Security Bible, 2nd Edition. Indianapolis: Wiley Publishing, 2009. Cyber Crime Branch. Cyber Crime Awareness. Mumbia: Mumbia Policies, 2010. Gilhooly, Roger. The social approaches to enforcing information security. " SANS Reading Room. December 11, 2002. http://www.sans.org/reading_room/whitepapers/policyissues/social-approaches-enforcing-information-security_1102. Gret, De Laet, and Gert Schauwers. Network Security Fundamentals. Indianapolis, IN: Cisco Press, 2004. Marty, Raffael. Applied Security Visualization. Upper Saddle River, NJ: Addison-Wesley, 2008. Sans Institute. A survival Guide for Security Professionals. Bethesda: Sans Institute, 2001. Sungress, Ciampa. Security.