Security Plan – Knowledge and Information Security Essay Example

  • Pages: 11 (2960 words)
  • Published: December 21, 2017
  • Type: Research Paper

This plan was developed in response to issues identified in the 2007 security audit. Some of these issues have been resolved by implementing the Technical Systems and Information Technology Security Policy. Other concerns include incident response, disaster recovery, business continuity, and staff's lack of awareness regarding security matters. The plan is a component of the organization's overall security policy and aims to identify potential threats to both physical and electronic information security. It offers guidelines for reducing risks in all operational activities and proposes a training program for current and future employees at every level. Overseeing the security system and coordinating security activities falls under the responsibility of Chief Security Officer Paul Maluga (Extension: 8080).

The Chief Security Officer (CSO) has multiple responsibilities, which include overseeing staff security activities like security screening and security awareness training.

...

The CSO also supervises the Electronic Security Manager (ESM), James Brown, who manages the electronic protection of the network and database. Additionally, Andrew Ryan serves as the Physical Security Manager (PSM) and is in charge of maintaining the physical integrity of the organization, its employees, and equipment. Veronica Kales, the Risk Management Officer (RMO), takes care of the disaster recovery centre and conducts investigations into alleged security breaches. Regarding risk management, any organization can potentially be targeted by individuals seeking personal, financial, or competitive advantage. Thus, the threats to an organization's information security can be both physical and electronic in nature.

Physical building security refers to the measures put in place to protect personnel, property, and equipment. Its main goal is to prevent unauthorized access to organizational assets. The threats faced by physical security include covert security breaches aimed at gaining access to information repositories, such as unauthorized physical access to premises. During covert entry, data and information may be stolen or software may be installed on computers to enable future electronic attacks. Additionally, electronic surveillance of premises by third parties is another threat, which may involve wiretaps on telephones of key personnel or the placement of electronic audio-recording equipment in important areas like boardrooms or management offices. Outside entities may also employ access agents to gain entry into an organization and access its confidential information. Furthermore, these entities may recruit or manipulate staff members to obtain information for their benefit. Another potential threat is material damage caused by unforeseen events like fire, earthquakes, or other natural disasters, which can result in the destruction of physical documents and equipment.

  • Portable devices used by staff for convenience may be lost or stolen.
  • Lax password security allows anyone who finds or steals these devices to access the stored information.

Electronic security aims to protect databases and networks from unauthorized access and potential harm (Volonino & Robinson, 2005).

An electronic security system is utilized to safeguard information from intangible threats such as viruses, bugs, malware, and other cyber threats. Viruses are the most dangerous and can have severe consequences for computer systems. A serious viral infection could lead to extensive financial losses for a country's economy. Moreover, a viral infection within a computer network may result in data corruption or complete loss of information.

According to the 2007 security audit, social engineering poses a significant risk to the organization's security. Social engineering involves manipulating individuals by appealing to their emotions or establishing trust in order to make them perform certain actions or disclose confidential information. Key loggers, Trojan horses, and other forms of malware programs are employed to gather information about computer users for future targeted attacks.

The concern regarding unauthorized access into the organization's computer network persists due to inadequate IT security measures.

Hacking is the act of discovering weaknesses in a computer network's security and exploiting them to gain unauthorized access. Having weak passwords and insufficient anti-intrusion software can make hacking more likely. Organizations that heavily rely on information technology face the risk of Denial of Service (DoS) attacks, which prevent users from accessing the internet and can disrupt Local Area Networks (LANs), especially wireless networks. Wireless networks are particularly vulnerable because they provide physical network access. As a result, wireless systems struggle with both data security and DoS attacks.

Theft of Internet bandwidth is a tangible risk linked to wireless networks.

7) Excessive file sharing is also identified as a significant security risk.
   a) Users of networked computer systems often share files unrelated to work, which can lead to the spread of infections throughout the entire network.

8) Loss or corruption of data, resulting in information becoming inaccessible, can occur due to malicious or accidental causes.
   a) This can range from organized malicious attacks to something as simple as a power failure.

9) Both Data Access Security and General Security are concerned about the accidental unauthorized release of private or confidential information. According to Hagen et al. (2008), it is recommended that every computer within the organization's network is configured in such a way as to reasonably prevent unauthorized access.

User Authorization

1.1. To ensure network security, all staff members must undergo a security clearance process based on their position and job requirements. Additionally, all users are required to authenticate themselves before gaining access to the network.

1.4. Each employee must have a unique username and password, which should be strong and securely stored. The password should be changed on a weekly basis. User authentication activities need to be logged, and the corresponding records must be retained for three years in a format that can link them to specific Internet Protocol (IP) addresses.

In order to easily identify the computer unit using peripheral devices, such as printers, on the network, it is necessary to track them. Furthermore, user authentication logs must have synchronized time stamps that are accurate to the nearest second and based on a reliable time reference.

The secure database must be securely stored in designated and restricted areas, with additional security measures implemented. It should be isolated from external access, forming its own separate network. To further enhance security, computer units connected to the secure servers should be situated in controlled-access areas that are physically separate and not linked to any external connections. These computer units should not have access to shared resources but rather be connected to peripheral units located nearby. Access to confidential information within the database must be limited based on the user's level of security clearance as determined by the system administrator.

Physical Files.

All physical documents should be classified for security and access purposes, just like the electronic database. It is essential to assign sequential numbers to each copy and page of the document. Additionally, a distribution list must be maintained to keep track of every copy. A Register of Classified Documents is also maintained, requiring identifiable information and a signature for any released document. Certain documents require an authorization signature.

Every computer unit in the organizational network must have full protection systems against viruses, malware, and other computer threats. The security software systems installed on the computer units in the organizational network must be updated regularly. Private computer units connected to the organizational network are considered part of the network. An automated Intrusion Detection System is needed to identify potential security breaches on the organization's computer network.

Social Engineering (Workman, 2007) has been recognized as a significant threat to the organization. To prevent unauthorized individuals from accessing confidential information, all employees will receive comprehensive security awareness training. When interacting with customers, it is mandatory to verify their identity to ensure their authenticity. The organizational network should only be used for work-related activities. Sharing files within the organization should be restricted to prevent the transmission of viruses that may be contained in personal files. Additionally, the organization reserves the right to monitor outgoing staff emails and other forms of communication to safeguard against the disclosure of confidential information.

Wireless Networks (Woodward, 2005): It is crucial to ensure the security of wireless networks within the organization by implementing precautions to prevent unauthorized access. Users should encrypt their wireless transmissions whenever possible to safeguard network privacy and confidentiality.

Staff Vetting and Separation Procedures General Statement: Organizations handling sensitive and confidential information must conduct security checks on potential staff members. Termination procedures are also necessary to prevent exploitation by former employees (Solms, 1999).

Visitors: All visitors must receive prior notification and clearance from the CSO.

Visitors, maintenance personnel, and contractor personnel must be accompanied by an authorized employee at all times and complete the Visitor Register.

Emergency personnel must be accompanied by an authorised employee whenever possible and must produce identification. The CSO should be notified promptly. Intrusion detection systems are required for both the main office building and the offsite information backup storage facility. These systems will consist of door alarms, cameras, and motion detectors in all areas. Sensitive and secure areas will have additional security measures, including backup intrusion detection systems and more flexibility in device placement.

4.12. Adequate protection is required for roof cavities and other vulnerable areas to prevent infiltration.

Equipment Security

4.13. The organization must enforce a Clear Desk Policy, which requires employees to secure any sensitive document in a locked storage when they are away from their desk. Additionally, the organization must enforce a Clear Bin Policy, where any document containing personal or confidential information should not be disposed of in an open garbage bin but instead placed in a secured bin for future shredding. To prevent potential restoration of shredded documents, a crosscut shredder should be used for their destruction. All equipment should be marked with security labels and cataloged for easy identification in the future. Asset inventory should be conducted four times per year. Desktop computers and laptops should be locked and password protected, and the use of external media should only be allowed with explicit permission from the system administrator. The storage of physical documents should prioritize security.

All filing cabinets and safes must be lockable, security rated, and capable of withstanding unforeseen circumstances such as fire. Additionally, the organization has contracted State Security Services (SSS) to supply both onsite and patrol security at the main office building and offsite information backup storage facility.

The State Security Services are in charge of performing security patrols and routine inspections of facilities, both physically and electronically. The contract with SSS for overseeing the organization's security will be assessed biennially. If there is a breach or suspicion of one, an extensive investigation must be conducted to reduce harm and identify the culprits (Maley, 1996).

In order to foster a cultural shift, it is crucial to establish an organizational culture that encourages the recognition and embrace of reporting security incidents. Furthermore, the implementation of an automated tracking system is imperative for documenting, analyzing, and logging any anomalies identified in the network.

Improving overall security is essential and can be achieved by incorporating insights gained from past events. This should be done in conjunction with the Intrusion Detection System for optimal efficiency. To identify and examine unauthorized network access, it is recommended to use file signature recording software like Tripwire or AIDE. If an incident report occurs, a dedicated team will investigate and assess any resulting harm. Despite having strong security measures, there is always a chance that weaknesses may be exploited, leading to data corruption or loss. Thus, backup files are indispensable.

It is crucial to regularly back up files and store them off-site in order to protect the backup data and prevent any compromise. Additionally, it is equally important to regularly back up local data used for immediate work purposes to avoid losing significant work.

To prevent the loss of information, it is advisable to store physical documents at an off-site location. Additionally, it is essential to regularly test backup mechanisms to guarantee the continual and effective storage of important information. Lack of security awareness among an organization's personnel is the primary cause of security issues in most cases.

To promote security awareness in the workplace, all staff members are required to complete routine security awareness training and refresher courses (Smith, 2006). Initially, all staff must undergo general security training applicable in any context. Additionally, relevant staff members must undergo specialized security training that aligns with their specific roles within the organization.

Periodical 7 states that during an employee's three-month orientation with the organization, they must participate in security training. Additionally, all staff members are required to review their training and take refresher courses in both general and specific security areas. Each staff member will receive training in various areas.

5. The need for access control in the organizational network.

7. Computer-borne threats like viruses and malware, and how to secure against them.

This also includes the risks of non-work-related file sharing among employees.

The importance of physical integrity awareness training, such as proper handling and disposal of confidential documents, shredding, etc., and maintaining password security, is crucial.

5. The risk of social engineering and other social information attacks and methods to reduce it.

6. Identifying potential security breaches and other security-related incidents and the necessary actions to address them.

The initial introductory course must be completed online and will be assessed.
7. Personnel must sign a security declaration form after completing the security training.

Follow-up courses will be conducted in a seminar-style setup where attendance will be recorded. Each officer of the organization mentioned in "Responsible Personnel" will establish specific guidelines for their respective departments.

General Security Awareness Training

8.1 - It is important to have access control over the use of the organizational network because the integrity of the computer network is crucial.

If there is suspicion of network security compromise, the RMO must be immediately notified. It is essential that only the authorized user has access to a specific computer unit. This includes the risks associated with file sharing among employees, which is unrelated to work. It is crucial for all computer units on the network to have the latest security updates and patches. Computer-borne threats such as viruses and malware, as well as methods to protect against them, should be considered.

The antivirus software must be functioning on all computers in the organization in order to keep the network protected. To prevent potential infections from personal files, sharing them among staff members for personal use is prohibited.

The organization heavily deals with confidential documents and it is crucial to ensure their security by preventing unauthorized access. To achieve this, it is essential to provide physical integrity awareness training, especially in the handling of confidential documents, shredding, and other related tasks. Whenever a user is required to leave their workspace unattended, they must securely store any confidential documents to protect the information contained within. Additionally, private or confidential documents that are no longer needed should be appropriately stored and shredded to prevent unauthorized access before their destruction.

8.4. Password security and ways of maintaining password security (PACE University).

The purpose of maintaining password security is to prevent unauthorized access to sensitive information stored on the company's computer network.

The user's password should not be written down or stored on any device that can be accessed by unauthorized individuals.

The password should be changed weekly to minimize potential damage if it becomes compromised. It is important to always use a strong password, which is a combination of letters and numbers, not easily found in a dictionary, and at least eight characters long.

Considering the recent security audit, there are several areas that require upgrading to enhance the overall security of the organization, personnel, and equipment. The following additions to the security package are recommended for careful consideration:

1. Guardhouse at the entrance to the employee car park.

2. There are two extra CCTV cameras installed at the organization's car park.

3. The office building and the offsite information backup storage facility have glass break detectors in place.

Additional motion detectors are located on the roof of both buildings. Biometric identification is linked to personnel key cards for added security. It is hoped that this document has helped the reader understand the necessary steps to ensure the organization's electronic and physical information, personnel, and equipment are protected from unauthorized access. The security team believes that implementing this security plan and associated training program will maximize the organization's security.
Bibliography:

  • Eguren, L., “Planning: Towards a Model of Security Management”, Journal of Humanitarian Assistance, July 2000, www.jha.ac/articles/a060.pdf, accessed: 15 Aug. 08.
  • Hagen, J., Rong, C., and Sivertsen, T., “Protection against Unauthorised Access and Computer Crime in Norwegian Enterprises”, Journal of Computer Security, vol. 16:3, 2008, pp. 341-366.
  • Irvine, C. and Thompson, M., Expressing an Information Security Policy within a Security Simulation Game, (U. S. Naval Postgraduate School: 2005).
  • Maley, G., “Enterprise Security Infrastructure”, IEEE Proceedings of WET ICE, 1080-1383, 1996.
  • McHugh, J. and Deek, F., “An Incentive System for Reducing Malware Attacks”, Communications of the ACM, June 2005, pp. 94-99.
  • Mazzariello, C., Multiple Classifier Systems for Network Security: From Data Collection to Attack Detection, Ph. D. Thesis – Supervisor: Prof. Cordella, L., Nov. 2007.
  • PACE University, Your Guide to Password Security, PACE University, Division of Information Technology, http://www.pace.edu/emplibrary/PasswordFlyer101707.pdf, accessed: 15 Aug. 08.
  • Smith, M., “The Importance of Employee Awareness to Information Security”, The Institution of Engineering and Technology Conference on Crime and Security, 13-14 June 2006.
  • Solms, R., “Information Security Management: Guidelines to Management of Information Technology Security”, Information Management and Computer Security, vol. 6:5, 1998, pp. 221-223.
  • Solms, R., “Information Security Management: Why standards are Important”, Information Management and Computer Security, vol. 7:1, 1999, pp. 50-57.
  • Volonino, L. and Robinson, Principles of Information Security: Protecting Computers from Hackers and Lawyers, (Readcon: New Jersey: 2005).
  • Wagner and Brooke, “Wasting Time: The Mission Impossible with Respect to Technology-Oriented Security Approaches”, The Electronic Journal of Business Research Methods, vol. 5:2, 2007, pp. 117-124.
  • Woodward, A.
