Information Security Policy Essay Example

  • Pages: 9 (2210 words)
  • Published: May 4, 2018
  • Type: Case Study

The policy aims to consider the privacy, reputation, intellectual property, and productivity of the Bloom Design Group. It recognizes that the company's success relies on accessing and utilizing internal resources securely and allowing remote access. Access will be granted based on each individual's role to ensure efficient operations while preventing unauthorized access. It also helps the company comply with governmental regulations.

Disruptions to service or security issues will be promptly addressed using automated system software. More serious matters will be handled by the IT staff responsible for overseeing daily information system operations.

In Week One, a company overview will be provided, highlighting the security goals to be achieved. The Bloom Design Group offers interior design services globally, with a corporate office in New York and a secondary office in Los Angeles for West Coast operations. Their website allows customers to design and purchase products through an electronic order processing system.

The designers utilize secure logins and passwords to access the website. A significant portion of the workforce works remotely, possibly using tablets or pads connected to secure virtual private networks (VPNs).

Considering the current security measures in place, Bloom Design Group already offers secure logins and networks to their employees. However, that does not guarantee an efficient system. For this project, I propose implementing a system-specific security policy.

The information security policy will address the confidentiality, integrity, and availability principles of information security in the selected scenario as follows.

In terms of confidentiality, the policy aims to safeguard sensitive information like employee and client records, trade secrets, and other confidential data stored by the company.

For integrity, with the utilization of passwords and secure logins, the system will remain inaccessible to the public. Therefore, the focus should be on employee authentication and verification through a data log that keeps records of their activity on the company's VPN. Additionally, a firewall can be employed to prevent unintentional access to harmful websites by employees.

The policy I intend to use will aid in the backup and recovery process by potentially utilizing cloud storage or a central data storage center. While secure logins are currently in place for access control, a comprehensive review of the entire system is necessary to ensure that only authorized personnel can access sensitive areas.

In Week Three, a Disaster Recovery Plan (DRP) is due for your chosen scenario. This DRP will outline the essential elements to be implemented in the event of a disaster, as well as the plan for testing the DRP.

The Risk Assessment section of the plan will identify critical business processes that must be protected, such as Payroll, Human Resource Data, POS backup media, and Web Servers along with their services. Internal risks, such as unauthorized access by employees or non-employees who have access to individual store computer systems, applications, or server locations, pose potential threats. External and environmental risks include fire, floods, power outages, hardware and software failures, storms, and other natural disasters. In most cases, establishing an alternative site (hot or cold) is the appropriate approach for mitigating the majority of disasters.

The Bloom Design Group believes that a warm site facility would be the best option for them in terms of cost and effectiveness in a disaster. Warm sites require more effort than hot sites but are less labor-intensive and more likely to be effective compared to cold-site facilities. It is also recommended to have a backup and retention site for the main servers and web services.

In the disaster recovery test plan, there are three testing methods to consider. The first is a walk-through, which allows key personnel to come together and create an action plan for emergencies. Considering the dispersed nature of the Bloom Design Group, video conferencing and traveling might be required.

The second method is simulations, which are considered the most effective. Simulating an actual emergency helps people get used to operating under pressure and reveals their strengths and weaknesses in disaster recovery.

The third method is using checklists, a passive type of testing that can be implemented on a weekly or monthly basis depending on the company's needs. This helps detect problems before they become major issues.

Parallel testing is not suitable for Bloom Design Group's security policy because they are updating their security parameters and do not have a similar system already in place. Another effective method of testing the system in case of emergency is full interruption testing. However, to minimize inconvenience to customers, this should be done during off hours.

In Week Five, a Physical Security Policy needs to be outlined. Merkow and Breithaupt (2006) highlight the importance of physically securing computer hardware to protect logical systems. The policy should describe the measures for securing facilities and information systems. Controls needed for each category may include physical controls, technical controls, and environmental or life-safety controls.

The security measures for building facilities at Bloom Design Group's office locations in Los Angeles and New York include the use of employee badges that function as electronic keys for access. These badges will work in conjunction with an access control system that limits entry and exit through one main entrance. There will also be an employee entrance that can be accessed with an electronic badge. The security offices will be equipped with biometric scanners due to the sensitive equipment inside. Other rooms and facilities of a sensitive nature will require employees to use electronic badges with a photo and name. Isolated delivery and loading areas will have electronic key card access, and a CCTV system will record activity onto a DVD. Additionally, a CCTV camera located on the driver's door in the loading area will allow the person responsible for deliveries to observe the outside environment before opening the door.

In terms of information system security, pre-employment screening and mandatory vacation time will be implemented as part of the workplace protection policy to prevent individuals from concealing illegal activities while performing their duties.

I would implement privileged entity controls to grant operators and system administrators special access to computing resources. Additionally, for unused ports, I would employ security equipment that requires a special key for removal to prevent unauthorized access into the network. Unused cabling would be securely stored in a restricted storage room only accessible to authorized personnel. If the necessary equipment is unavailable, the unused port should be removed.

Given the importance of network/server equipment for business operations, I would install biometric locks and scanners on rooms housing such equipment. Moreover, these rooms would have environmental controls like air conditioners and dehumidifiers to ensure optimum performance.

For equipment maintenance, considering the distributed nature of the equipment across a large region, remote communication connections would be utilized for troubleshooting purposes. More severe maintenance needs would be addressed by a centrally located facility specializing in assessing and repairing malfunctioning equipment.

To enhance the security of laptops and roaming equipment, all devices would be equipped with GPS tracking and encryption software to safeguard against unauthorized access. The equipment itself would be stored in a secure storage room with tightly controlled access.

5. Access Control Policy

Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems.

5.1. Authentication

Authentication credentials permit the system to verify one's identification credential. Authenticating yourself to a system tells it the information you have established to prove that you are who you say you are. Most often, this is a simple password that you set up when you receive the privilege to access a system. You may receive an assigned password initially with the requirement that you must reset it to something more personal: something that only you can remember.

However, passwords are the easiest type of authentication to beat. Free and widely available programs are available on the Internet to break the security afforded by passwords on most of the commonly used systems. With two or three factors to authenticate, an information owner can gain confidence that users who access their systems are indeed authorized to access their systems. This is accomplished by adding more controls and/or devices to the password authentication process. Biometric scanning uses unique human characteristics to identify whether the person trying to gain access is authorized to enter or not.

One common approach to managing IDs and passwords is utilizing a password or PIN vault. These programs securely store IDs and passwords and are safeguarded by a master password that unlocks the vault when necessary.

For Bloom Design Group, the chosen access control strategy is discretionary access control. This approach is favored in the corporate environment and allows multiple authorized users to have system access simultaneously.

The principle of least privilege is the primary strategy for ensuring confidentiality. Its objective is to provide individuals with the minimum access required to perform their job. Privilege is determined by the need-to-know principle, which dictates authority for transactions or resource access (such as systems or data). The corporate head of IT operations serves as the information owner for Bloom Design Group.

In systems that employ mandatory access control (MAC), access to information is granted based on subjects, objects, and labels. MAC, also known as nondiscretionary access control, is a concept implemented by the system itself. MAC may not be the optimal choice for the Bloom Design Group, considering the company's expansive coverage; it is more suitable for military or governmental systems.

Role-based access control (RBAC) groups users based on their shared access requirements. By assigning roles to groups of users with similar job functions and resource access needs, such as designers, office personnel, and customer service associates, RBAC allows for easy allocation of access.

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that enables remote access users to authenticate and authorize their access to a central server. RADIUS facilitates centralized policy management and aids in tracking usage for billing and network statistics.

Virtual private networks (VPNs) are commonly used by remote users to securely access corporate networks. A user connects to the Internet via their internet service provider (ISP) and establishes a connection to the protected network through a RADIUS server, creating a private tunnel that prevents unauthorized access or data modification.

The Network Security Policy, due in Week Nine, will outline the policies for security services in network access and network security control devices to protect against attacks on the network protocols. The Data Network Overview discusses the use of a WAN due to the large geographic distances between Bloom Design Group offices. A WAN covers a larger area than a LAN and can span the nation or globe using satellites.

The Network Security Services section includes Authentication, which restricts access to documents through a username and password or browser credentials. Bloom Design Group employees will need to enter a user ID and password for restricted documents and sites. Access Control is another service that restricts access based on factors other than identity. For Bloom Design Group, this includes electronic badges for physical locations and biometric scanners for more sensitive areas like server rooms.

Data Confidentiality is another service that protects data against unauthorized disclosure. It has two components: content confidentiality and message flow confidentiality. Bloom Design Group will encrypt all messages transmitted and received through company offices to prevent unauthorized viewing of sensitive company documents (6.2.4).

Data integrity is essential to protect data from accidental or malicious modification during transfer, storage, or operations. Only the Head of the IT department and anyone deemed necessary by them will be authorized to make changes or modifications (6.2.5).

Nonrepudiation services guarantee that the sender cannot deny sending a message and the receiver cannot deny receiving it. Bloom Design Group may not require this service, but modifications can be made if necessary (6.2.6).

Logging and monitoring services allow IS specialists to observe system activity through various tools such as operating system logs, server records, application log errors, warnings, and network observation. Although not necessary for the entire Bloom Design Group, it will be utilized for programs related to servers due to sensitive business content (6.3).

Outline the roles of different network security control devices and how they are used to protect a company's network from malicious activity. Describe each type of firewall system and its purpose in network protection. Consider the applicability of the firewall system to the company's network configuration in the selected scenario.

The most common Internet firewall system is a packet-filtering router that acts as a barrier between the private network and the Internet. This router performs routing functions and uses packet-filtering rules to allow or block traffic.

Another firewall system is a screened host, which combines a packet-filtering router and a bastion host. This system offers higher security levels by implementing both Network-Layer security (packet-filtering) and Application-Layer security (proxy services). An intruder would need to breach two systems before compromising the private network. This option is suitable for Bloom Design Group in terms of its needs and cost, as it does not require advanced firewall protection like governmental or military organizations.

The Screened-Subnet firewall system incorporates two packet-filtering routers and a bastion host. This system provides a high level of security by implementing both Network-Layer and Application-Layer security measures and establishing a demilitarized zone (DMZ) network.
