Custom «Security Management» Essay Paper Sample

This handbook on security management contains the policies, guidelines, and procedures which every employee needs to read and understand. The use of this handbook on security policies is to offer relevant guidance and the main policies that need to be followed in the organization. The security of sensitive and confidential information is the duty of the security administrator whose mandate it to protest the interests of the company, and to ensure the formation of effective policies that are in utilization in the entire organization. The term policy refers to the rules, procedures and guidelines for any security system. These policies can only make sense if they are clearly in writing and availed to all employees and existing affiliates. The policies also act as a strong statement of the organization’s seriousness on security issues.

With the advancement in technology, the organization needs to frequently review its security policies depending on its technological needs. Security policies are of use as guidelines for the protections of business information and systems from both internal sources and external threats. The policies need to adjust to the rising interests of the company. The expertise responsible for policy creation must be aware and concerned with the changing trends in technology that are affecting security issues and personnel in the organization. The system users learn about the various company policies through awareness trainings and programs. Such trainings entail the details of the relevant policies as well as how the policies affect the business operations, together with the employees, external affiliates, and the customers.

Factors to be considered in developing security policies

The first aspect to consider is the issue of vulnerability, threats and environments. Prior knowledge of potential harm to the system is essential in creating the baseline of the security guidelines and measures. Threats come up from various sources, such as the data, errors in the operating system and installed software as well as user or administrator errors. They can also occur from attackers with intentions to harm the system, or from unintentional users. Risk assessments need to be carried out to identify the different threats, their sources, and how to prevent attacks by this threat or destroy them. This is an essential component to consider when establishing security policies in an organization. Network systems in an enterprise environment can face threats thus security measures need to be established as per the specifications of that environment. Security systems need to categorize their security objectives to include, integrity, confidentiality, and availability of the security policies. Each of these objectives deals with a different part of protecting information. The information present in an organization determines the strength of the security system. However, it is of highly recommendation that all the information in a company gets a proper form of protection, with varying levels on the basis of the value or importance of the information. Security controls fall into two levels i.e. resolving of the existing security weaknesses within a system, and offering the required functionalities to each user. Another factor to consider in forming policies is the use of several security measures or security layers such as host based firewall, network based firewall, or patching of the operating system. The essence of this principle is to ensure availability of options in case of attacks by threats when one layer of protection fails.

Main Body and Policies

1. Network Architecture and Security Considerations

The use of network architecture is to deal with the key security areas of interest for the company. It provides a framework in understanding the considerations for the design and processes in improving the security of the company. Security considerations provide the integrity, confidentiality and service availability. Security services offer protective roles, for example, auditing, monitoring, and evaluation, as well as incident responses and forensics. Such services have served as the objectives security programs for information technology for many years. The security policies and standards govern the design of the system and its run time. These standards should guide operating systems, and be backed up by practical recyclable services. They are not determining goals but need to have a back up of a governance model that guides their use, and can be deployed, built, and operate systems based on their intentions.

Security architecture comprises of a framework that is strategic and provides for the development and staff operations. For example, a given project for software development may not be able to address a case to buy an XML Security Gateway for improving the security of web services. When the architects come in, they are able to identify the projects that can leverage such a reusable service. The process of network architecture is iterative and provides unity in technical, business, and security domains. It involves four phases, which include architectural risk analysis, security design and architecture, operation and monitoring, and implementation.

The proposed guidelines for running network architecture begins with the development of an appropriate architecture, then ensuring that the company can manage and mitigate the possible risks to their system operations and information. The different departments should learn the importance of deploying physical controls, and evaluate the costs of additional power backup systems required for smooth and uninterrupted operations. Finally, the company should review the statutory requirements for the privacy and retention with other legal advisors. 

2. Wireless Security

A wireless network is capable of transmitting information that is sensitive information with the lack of adequate protection. This usually occurs when the wireless network does not have a proper configuration, thus risking exposure to other wireless devices in proximity. It is, therefore, necessary to secure the wireless networks so as to ensure protection of their remote access communications. The procedures and policies that can be of use in securing wireless networks include protecting communications by the use of a strong encryption. This can be accomplished through purchasing product security certifications, which define several sets of the security requirement for the devices of wireless networks. A key can also be selected, for example, WPA or WEP. That contains a series of characters used for restricting access to the wireless network. Those who do not have the key cannot access the wireless network, thus; making it necessary to have the key complex to ensure that other people cannot figure it out. Another guideline would be to allow access only for particular wireless network cards or access of devices to utilize the wireless network. A default service set identifier (SSID) can also be changed to allow devices and people to distinguish the network they are using from other wireless networks. A device can accidentally join the wrong network if the SSID has not undergone changes, and  there are other networks nearby with the same SSID.

3. Remote Access Security

There are several ways of providing remote access to computer resources such as VPN (virtual private network), remote system control, and individual application access. The use of remote access for computing resources is normally available for users within the organization. This goes together with the identification of usernames and passwords. Teleworkers using remote access are usually required to frequently authenticate the use of the different components of remote access. They can be given a hardware token, which contains a code or password that has to be keyed to the computer for it to be authenticated. For long sessions of remote access, the teleworkers can repeat the authentication process periodically, thus assisting the organization if an individual has the authorization to use the remote access. This technology can automatically encrypt its own communication lines, and this prevents internet attackers from hacking into and tampering the communication within the organization.

4. Laptop and Removable Media Security

Currently, there are many threats posed to laptops and removable devices by people who have different intentions. This can lead to disruptions, mischief, identity theft and other forms of fraud. One of the threats against these devices is malware, which normally gains entry into a device with the goal of compromising the company's integrity, availability of information, and privacy in the device. These malware threats include worms, viruses, malicious codes, root kits, Trojan horse, and spyware. Devices can be infected through web sites, emails, downloads, file sharing, instant messaging and other software. One of the security guidelines that can be used for laptops and removable devices is the use of physical security controls. For example, ensuring that laptops have physical security through the use of cable locks, when used in locations where people can get physical access to the devices. Another measure can be to encrypt files and hard drives stored in laptops and removable devices such as flash disks and CDs. This prevents outsiders from accessing the information contained in the files. Information stored in these devices can also be backed up as a security measure in case anything happens to the device, and there is no loss of information. Users within the organization need to back up all their data either through a centralized system or through local backups, and verify that the backups are complete and valid. Information that is not necessary or required should also be deleted or destroyed. Certain methods of remote access normally perform cleanup of basic information, for example, cleared caches of web browsers containing sensitive information, or advanced clean up using a utility like a disc scrub-scrubbing program that removes all traces of the information contained in a device.

5. Vulnerability and Penetration Testing

Vulnerability testing helps an administrator to identify the vulnerabilities, and ensure the current security measures are in place. Penetration testing is, however, less frequently used, maybe as a section of the overall testing of the network in the organization. Vulnerability scanners are of use in identifying the vulnerabilities in the host such as, missing patches, software versions that are out of date, and system upgrades. They are usually effective in detecting known vulnerabilities than the ones that are esoteric as it is quite difficult to incorporate all the vulnerabilities in one scanning product. An organization needs to perform such scanning or testing, in order to validate the server software or the operating system, and the antivirus programs are up to date on the software versions, and security patches. This scanning is extremely beneficial in ensuring that these vulnerabilities are dealt with before adversaries exploit them. Other vulnerabilities can be gotten rid of by security protection, which automatically downloads then installs the new versions of the applications. Security protection can also prevent attacks in case it is impossible to eliminate the vulnerabilities.

Penetration testing is normally recommended for critical and complex servers in implementing protection measures for the systems by using the techniques and tools commonly developed and used by the attackers. It is an invaluable technique. However, it is labor intensive and requires a considerable investment in expertise in minimizing the targeted risks to the system. The benefits of penetration testing include verification of existence of vulnerabilities and ascertain that they are not purely theoretical, provide the necessary measures to solve security issues, and allow testing of the network with similar tools as the system attackers.

6. Physical Security

Computer resources and users sessions should always be protected from unauthorized physical access. For instance, if a computer is left unattended in a public place, anyone can pretend to be the user and access information contained in the PC. One can access an organization’s information or data that are sensitive, manage emails and chat messages on behalf of the user’s account, or even perform online shopping. Most operating systems allow the PC user to lock the sessions they are using currently by a key combination or use of passwords. Some PCs also automatically activate screensavers after the computer has been idle for a while, or even on-demand manual activation. However, PC users should know that the mentioned security measures only offer short term or temporary protection as some computer hackers can devise ways of accessing data to a PC.

7. Guidelines for Reviewing and Changing Policies

The main aim of installing a security system is to protect the valuable resources of an organization. Putting up effective security policies assists the organization in supporting the overall mission of an organization. Security guidelines come in handy in managing information and eliminating the possibility of destroying or losing the company’s assets. The management should take into consideration the level of risk they can handle, as well as the cost implications. In a situation where information management exceeds the boundaries of a company, the management must consider the general security levels on these outside systems. They should get assurance of the quality of security services offered by these external systems. Cost evaluation should also be done to ascertain the benefits and possible losses of the security policies, depending on the needs of the organization. The security standard should be proportional to the value of the systems set up, as well as the probability or extent of potential damage. In addition, a meaningful security system can put of system hackers and reduce the occurrence and incidences of worms and viruses. Other factors that need to be considered in reviewing policies are legal concerns, quality assurance, management of the system, and internal controls.

Section 2: Policies

8. Acceptable Use Policy

a) Policy statement

The Acceptable Use Policy is not in itself supposed to put in place the restrictions that are against the organization’s integrity, trust, and culture. It serves to protect the company together with all its employees from malicious damages from outsiders who have the motivation to cause such harm. The company’s operating systems, software, equipment, browsers, network accounts and other systems are meant to serve the objectives of the company, and ensure smooth operations. This policy will ensure effective security of the company including all the information or data, and should be used by all users in conducting their daily activities.

b) Purpose and objectives

The purpose of this policy is to ensure the correct use of the company’s computer equipment. The outlined rules and regulations are of importance in protecting the company together with all its employees against possible harm from viruses, legal concerns, and compromise or loss of the network systems and services. This policy applies to all the company’s equipment, employees, and to all affiliates.

c) Standards

The network users need to know the ownership of the data that they generate as solely belonging to the organization. The company is, therefore, indebted to ensure confidentiality of data and information in the network systems. The users must be able to judge soundly in terms of maintaining privacy and personal use. Such sensitive information includes corporate strategies, trade secrets, information on competitors, and other research data. Unauthorized access to such sensitive details should be security priority to the organization. Authorized users should secure their passwords and accounts while using PCs and laptops. User disclaimer should be well indicated in any postings to the press. Extreme care should also be exercised when dealing with mail attachments from malicious sources.

d) Procedures and guidelines

Classification needs to be done on the information in the network systems as to whether they are confidential or not according to the sensitivity of such information and the guidelines set to manage data. The employees must not violate the intellectual property rights, as well as other regulations directed towards the company’s products and equipment. All the materials generated in the line of duty are the property of the company and cannot be duplicated in another form unless a license to do so is made available (Vacca, 2009). Guidelines should also be set managing information sharing within the organization. Illegal export of technical information and software can be considered as a violation of the company laws. The users must also restrict themselves not to introduce malicious programs into the server or network. The employees also need to respect the properties or assets of the company and not use them in obtaining or transmitting information that leads to hostility or sexual harassment at work. The employees are also expected to respect information or data being managed by their colleagues. Users are not allowed to cause disruption, network sniffing, and unauthorized access to data, forged routing, malicious damages, and logging into other accounts. Employees are also supposed to adhere to the rules governing email and communication activities by ceasing to transfer unsolicited messages to recipient who did not request such information, forging information, intentional harassment over the internet, or unnecessary posting of company’s information.

9. Password Policy

a) Policy statement

Passwords are a fundamental measure in executing an organization’s network security. Passwords ensure restricted and authorized access to the information of the company, which can be lost if not protected by passwords or through poorly selected passwords.

b) Purpose and objectives

The main use of the password policy is to ensure strong measures in forming, protecting and, changing passwords. The objective of this study is to ensure all employees are responsible for their own accounts including the access codes and information they are responsible for within the system.

c) Standards

Different passwords should be formed for separate accounts by the same user, and also for accounts with different access needs. Passwords should be treated as personal, confidential, and sensitive items and should not be shared, even with colleagues, including secretaries and administrators. These passwords should not even be shared online via email, chat, written down, or through other forms of electronic communication. Any hint that can reveal a password details should not be given out, and should not be revealed on other security forms or questionnaires. Another useful measure to protect passwords should be to avoid using the feature of remembering password. Application developers can also contribute to ample standards in exercising password protection. This can be through individual authentication of user accounts, not storing passwords in a reversible format. Role management can also be put into place so that a given user can take over the responsibilities of another user without accessing his or her password.

d) Procedures and guidelines

The passwords created for the various systems must be frequently changed depending on an individual’s priorities and must all be included in the company’s database. The privileges given to the user accounts within the system should have a unique password from the rest of the accounts managed by the same user. In selecting passwords, the user must make sure that they are long enough, have mixed case letters, mix with punctuation marks and digits, do not reflect personal details, or dictionary words. The password can contain more than ten alphanumeric characters plus other peculiar characters. Weak passwords usually contain less than fifteen characters, a dictionary word, and common words such as names of family, friends, pets, birthdays, addresses; number patterns spelled backwards or proceeded by a digit. The network program, workstation program, or the network server can intercept passwords. This can be solved by installation of an effective operating system, and physically securing the workstation. Physical access can also be established with security features and monitored closely, as well as ensuring that all unattended sessions are logged off.

10. Incident Response Policy

a) Policy statement

This policy provides an insight to all the activities that are in relation to the network security, information technology equipment, technology, and telecommunication services.

b) Purpose and objectives

The main use of the incident response policy is to prepare a protocol to guide and direct responses related to system securities in the organization including the information, equipments and networks. This policy is applicable to all employees and external affiliates who have access to the company’s information, store, and process or transmit such data.

c) Standards

Incidents can be put in different categories on the basis of the importance of resources, or the effects of the incidents which have potential, and are current. A combination of these two factors determines business effect of the incident, such as interference with data on a user account leading to productivity loss. Compromising with the network server amounts to substantial revenue loss, service access, productivity, as well as the low reputation and release of confidential and sensitive information. Incident cases are usually reported before twenty-four hours elapses after the occurrence of the incident. This is followed by written reports as per the company’s regulations. The report should contain the affected systems, their description in terms of operating system, hardware and software, affected information, incident description and resolution status, point of contact, damage assessment, and the actions taken against the offenders or measures to rectify the affected systems. After addressing and resolving the incident, the security administrator writes follow up report.

d) Procedures and guidelines

Security incidents and malicious events should be reported to the security administrator by the affected employee or from any other witnesses. Evaluation of the incident is done to determine its criticality and effect to the organization. Appropriate action is taken on the perpetrator to end his or her privileges including access to the network system. The affected codes and systems are quarantined’ from the overall network until damage assessment is done and resolved. Monitoring is also done on the dissemination of information or release of information related to the security incident. The security administrator is responsible for managing information dissemination of the reported incident by enforcing the necessary measures in rectifying the incident to avoid future incidents, such as system disruptions or defacement through the internet. Minor events such as malware infection of user computers or workstations are not followed up thoroughly, for example, by report writing. Each department in the organization must ensure that the employees in that department are aware of the policy and its location. Employees should also be keen on any changes made to the existing policy or the creation of new policies depending on their respective duties.

11. User Awareness and Training Policy

a) Policy statement

User awareness training aims at empowering employees on different policies of the organization. The awareness programs and training focuses on maintaining the network systems, educate employees on password issues, internet and email access policies, and the overall responsibilities of the users in exercising security measures within the organization.

b) Purpose and objectives

The importance of this policy is to put into place the security awareness and training programs for all employees including the management. This policy targets everyone who has an access to the company’s information, especially the sensitive data.

c) Standards

The awareness and training programs must ensure all employees understand the set policies and procedures. They go through training on reporting, identification, and prevention of security incidents. They become aware of how to deal with upcoming threats such as viruses. Anti-virus software is also run on all PCs utilizing the internet, and the employees trained on how to update the antivirus software spot check for any infection, and report on new viruses discovered daily. Use of software is also tackled as well as reminders on verbal updates, notices, emails and paychecks. The management also sets up policies that deal with the main activities of users from monitoring access codes, malicious software, and management of passwords. 

d) Procedures and guidelines

After the awareness and training process, the employees become responsible for learning and putting into practice the procedures and guidelines of the security policies. They get the chance to ask for explanations and clarification on issues not well understood, as well as to query the people in charge in case they are not able to get and use a part of the policies. The management including the tutors has to ensure that all employees undergo the necessary training depending on their departmental interests and needs. These trainings are mandatory as per the company’s regulations, and are a vital way of ensuring the smooth running of the company. The security administrator ensures understanding of the policies and procedures; attending of all the ongoing awareness programs and training; that all employees are familiar with the installation, use and troubleshooting guides for the antivirus software, and are able to run updates for the software. The procedures for this policy require that all the newly hired employees complete the mandatory training before elapsing of their first 60 days. The department of human resource needs to notify the relevant department on arrival of new staff so that they can be scheduled for the awareness and training before commencing duty. It is the requirement that every employee needs to read and understand all the instructions and information before implementing any of the security measures (Bautts & Dawson, 2005).

Conclusion

In the current times, there is an alarming increase and change in technology, thus; all the systems in a given company must ensure that they catch up the rising trends without becoming obsolete. The achievement of this objective can be through creating policies with the necessary procedures and guidelines that fit the company’s interest at that time, and are flexible to adjust to the necessary changes. These forms a link between the guidelines puts in place, and the growth and subsequent success of the company. The last policy on awareness and training helps to strengthen this link by educating the employees on the required tools for dealing with threats and potential harm. This training runs concurrently with the protection of the employees’ and the company’s privacy. After the security administrator complets to draft the policies and procedures of the organization, they may need to present it for review by the management and relevant commissions before implementation, or having the brand as a working handbook.