1. What is a security policy and why does an organisation need a security policy?

Moya Feehan

"A security policy is a written document identifying the rules and procedures for all users accessing the organisation's servers and resources [1]." Security policies vary from business to business depending on how each values its information and its perspective on risk tolerance. The document is often described as a living document that is continually adapted to the evolving organisation and its requirements.

Security policies are essential in any organisation, as they establish rules for what users should and should not do, define the consequences of violation, establish a stance on security to minimise risk for the organisation, and ensure proper compliance with regulations. Security policies benefit companies as they reduce the risk of data loss or leakage, protect the organisation from hackers, and protect the property of the company from unauthorised access.

2. Come up with an example of your own of an issue which could be caused by missing security policies.

Joseph Sally

Security policies are put in place in order to protect a system and its data. If policies are missing, or if a policy is compromised, many issues can arise. For example, in a computer network all equipment and devices connected to the network must be secure both physically and digitally.
Data stored on the system must maintain its integrity, and specific data must require authorisation to be accessed; therefore passwords must be put in place with the purpose of regulating and monitoring access to the system. Without passwords, any user could access the system and possibly see personal or confidential data stored on it, and without a way to easily distinguish a user's level of access they may also be able to edit or destroy the stored data. Passwords must be changed regularly, and multiple unsuccessful login attempts should lock a user out of the system; both of these policies will help reduce unauthorised access to the system.

Data transmissions to and from the system must also be protected. The transmissions must therefore be encrypted to prevent people from viewing them and potentially intercepting confidential data.

Any software used in the system must be written securely to prevent users breaking into the system. The software used must avoid leaving any backdoors which would allow users to sneak past security precautions and access parts of the system or data that they should not be allowed to see. The programmer coding the system must be cautious when using third-party software, as if that software is not thoroughly checked and tested it may contain malicious code. This malware could potentially leak data from the system and/or damage the system itself.

Hardware in the system must also be secure and kept in good condition, and policies must be put in place to encourage this. Important system hardware, for example the system's data servers, must be kept in a safe and secure location. This location may require some sort of password or identification to access. This helps prevent someone doing physical damage to the system or potentially stealing equipment. The equipment must also be kept safe from various other environmental threats such as temperature, dust and radiation, as these can all cause damage to the equipment. To mitigate some of this damage the equipment must be regularly maintained.

All people with access to confidential information, whether about the system or stored on it, must be trained in protecting such information. These people must know never to talk about any of this confidential information with someone without authorised access to said information. All users must protect and not share their passwords to the system, as this may allow other users without the correct authorisation to access the system. All users must also protect portable devices connected to the system, as once again if a user were to lose their device it may lead to someone accessing the system without permission.

3. What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why? (List at least 4 things; for example, how to handle delicate information.)

Catherine McAvoy

"Everyone in a company needs to understand the importance of the role they play in maintaining security [1]." The purpose of a security policy is to ensure that there are measures in place to protect the information within an organisation. Therefore the security policies should be explained to all employees, whether they are part time or full time, at the start of their employment, with sufficient training given.
Follow-up training should be given at regular intervals, such as monthly meetings or awareness posters, to keep the security policies fresh in the employee's mind. As an organisation you want to protect and adhere to the information security objectives, and these need to influence the security policies, as seen in [2]. These are:

Confidentiality – Only users authorized to view information should be able to access it. The organization should also ensure employees can control the information collected and stored about them and what information can be disclosed to certain individuals.

Integrity – Assures that information and programs are not corrupted or modified, and are only changed in an authorized manner. System integrity ensures that the system will only perform its intended function and be insulated from deliberate or unauthorized manipulation.

Availability – Ensures the system and information are available to authorized individuals when they need them.

Therefore there are basic things that need to be explained to every employee.

The first is how to handle sensitive information. This means that confidential data is not made available or disclosed to unauthorised individuals, protecting the Confidentiality security objective [3]. When training employees, they should first be made aware of how important data confidentiality is, and then be given training such as how to destroy documents through use of confidential waste bins or lockable document storage cabinets. Failure to protect sensitive information might result in loss of client information, which would have a negative effect on the organisation's reputation.

Employees should be trained in how to properly maintain their ID, password, etc. They should follow good password practices and change them routinely. There should be no sharing of the employee's user ID and password, and employees should be made aware that it is their responsibility to safeguard their own account. The organisation should also have clear guidelines on what employees can install and download onto their work computers. This will make their computers less vulnerable to attack.

Employees should know how to respond to potential security incidents. They should be educated on how to spot and report phishing and how to check for suspicious links in emails or web pages. There should also be training in what malware is and how to spot it, in order to have a quick response if they suspect their device has been infected [4].

Lastly, employees should be trained on how to properly use the corporate email system within the organisation. This includes how to use the organisation's spam filters to prevent unwanted, harmful emails. Employees should also be instructed that they are not allowed to use their work emails for harassment, chain letters or any other non-business use.

The organisation should write security policies with business input and check security policies regularly to see if they are still relevant and up to date. They should also ensure that the correct tools are in place to fulfil the policy guidelines.

4. Your organisation has an e-mail server that processes sensitive emails from senior management and important clients. What should be included in the security policy for the email server?

Moya Feehan

A mail server, in simple terms, can be seen as the computerised equivalent of your everyday mailman.
Every email sent passes through a series of mail servers on its way to its intended recipient. When sent, the message appears to be sent and received instantly; however, unknown to many users, there is actually a complex series of transfers that take place. Email is used in everyday life and is often the primary form of communication within an organisation. The misuse of this electronic server can cause many legal, security and privacy risks.

So understanding the appropriate use of email is very important for users. Email legal, security and risk policies put in place by companies are there to make users aware of what is acceptable and unacceptable when using the specific email system. Looking at the policy created by the SANS Institute for the Internet community, it is a basic template for email policies that can be used freely by any company. There are numerous email policies found there; however, the main security-related ones are as follows.

"Company email accounts should be used primarily for company business-related purposes; personal communication is permitted on a limited basis, but non-company related commercial uses are prohibited [1]." This will prevent the spread of viruses through personal email accounts into the company system, as well as keep all of a company's documents secure and within that system only. "All company data contained within an email message or an attachment must be secured according to the Data Protection Standard [1]." Like the previous policy, this will help prevent viruses spreading, as the data contained will have been checked and secured.

As well as these policies that may protect against viruses and keep your data secure, you should also include a virus scanning policy in the off chance that viruses get in through normal messages. The policy should read: "The Company will scan every email message that passes through its server to check for computer viruses, worms or other executable items that could pose a threat to the security of the network. Infected email should not be delivered to the user. Administrators will have procedures in place for handling infected email messages [2]."

Finally, you should also include an encryption policy so that intercepted messages are still secure, in that they cannot be read unless you know the key. A policy for this could read: "Information sent to users outside of the company will be encrypted prior to its transmission. The use of encryption will be consistent with the company's encryption policies [2]."

Other policies, such as those on chain mail or spam, forging emails and giving out passwords, would also be included. The data is sensitive, and specific clients can't afford to receive numerous irrelevant emails clogging up their inbox and possibly making them miss important messages. Passwords must also not be shared in case the emails are hacked.

Securing your email server in today's modern society is very important, as users become more complacent and assume the computer will be safe without adding their own encryption or being aware of spam mail (viruses). In the case of sensitive data within an organisation, all users must be made fully aware of the working policies and try to follow them on a daily basis.
5. Read the UCL and Harvard University security policies [1], [2]. Compare and critique the policies, suggesting improvements/updates as appropriate.

Catherine McAvoy

Information is an important asset to UCL and Harvard University; therefore security policies are vital to protect against threats which may result in financial loss, reputational damage or exposure to liability for the university. As a result, both security policies "formally define a policy creation and policy maintenance practice [1]" by creating and distributing their security policies through written documentation.

UCL clearly defines 7 security objectives that have to be adhered to. These are outlined at the start of the policy document, along with information regarding who the policies apply to and why information security needs to be outlined within the document. Similarly, Harvard University outlines 15 policy statements in order to protect "information that is critical to teaching, research, and the University's many varied activities, our business operation, and the communities we support, including students, faculty, staff members, and the public [2]."

In both security policies, the purpose of why the policy has been created is stated at the start. In UCL's document there is context included in Section 1 about why and how the information is used in the University. In contrast, it is harder to find the policy statements outlined by Harvard University, and it only gives a general introduction compared to UCL, which is more detailed.

Harvard University's policy is an organisational security policy which has been issued by senior management [1]. It sets out high-level authority and describes data classification levels in terms of the breach of security and level of impact. Within each level, it gives the data types and how to comply with each data type's security requirements. For some data types it outlines what users, devices, servers and paper/physical records have to do in order to be compliant.

On the other hand, UCL has created a system-specific security policy. The policy objectives address particular security concerns, for example "ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required [3]."

The Information Security Policy from Harvard University does not follow any security governance, whereas UCL's is approved by a governing body (Information Services Governance Committee) throughout the policy. UCL outlines roles and responsibilities, breaches in security and how procedures are dealt with by the appropriate Head of Department or governing body. Therefore, to improve the standard of the Information Security Policy within Harvard, security governance should be implemented to effectively coordinate the security activities in the University.

Moreover, a good security policy "should survive for two or three years [1]" and it should be reviewed and approved at least annually. In UCL's policy there is a Revision History document, and the document is reviewed regularly up until 17th of June 2016. However, Harvard has no Revision History details noted, and it is unclear if the information is up to date. An improvement of the policy could be to keep a history of changes to the security policy to ensure that it is kept up to date and relevant and that users are confident in this.

Both policies are not too specific in their security objectives. The statements are short, concise and easy to understand. Harvard's policy statements are high-level and there are clear, simple instructions on how to comply with each policy, whereas the UCL security policy document uses technical terms and users without a technical background might find it hard to follow. However, as the UCL document is more technical, supporting reference documentation is included outlining terms that have been used in the document, which is particularly useful for non-technical users. A good security policy "must be written technology-independent [1]"; therefore UCL should review the language used in the security policy document to make it more high level for non-technical users, reducing the need for the supporting documentation.

Harvard has documentation to explain the data classifications, which is necessary as the requirements are grouped by the data classification levels; however, it does not include any related documentation on underlying methods and technologies. The security policies Harvard has outlined also do not make any reference to any legislation or laws in place for protecting information, whereas UCL has "worked in compliance with legislation and UCL policies, and by adherence to approved procedures and codes of practice [3]", including all the supporting policies such as the UCL Computing Regulations and UCL Data Protection Policy. This allows users to understand the importance of protecting the information and how detrimental it could be if security was jeopardised. Therefore, it would be beneficial if Harvard used supporting documentation, which might help users understand why certain requirements are necessary in the University.

Both security policies use "forceful, directive wording [1]." Strong directive words communicate the requirements efficiently, whereas weak directive words such as should, may or can suggest an option of not following the policies [4]. UCL uses these words throughout the security policy document, whereas Harvard uses them less frequently. Thus, an improvement to the Harvard documentation could be to use stronger directives to ensure the user knows the importance of the requirement being enforced.

Lastly, a good policy "develops sanctions for non-compliance [4]", which outlines and enables actions when policies are not followed. UCL states what should happen in a breach of security, as well as a 'Policy Awareness and Disciplinary Procedure' that outlines to users what happens when there is a violation of security. On the other hand, Harvard makes no reference to procedures or actions when policies are not followed; therefore, to improve the policy, sanction outlines should be put in the documentation.

Overall, both policies differ in terms of structure and details.
UCL uses a straightforward approach, summarising the main objectives, who is responsible for security measures and details on what to do in case of a security breach. Alternatively, Harvard focuses on the different levels of security and outlines the different data types the users may have. From this they outline the procedures on how to comply with their security policies, and the instructions are clear and easy to follow.

References

Question 1

[1] M. Rouse, "Security Policy," May 2007. [Online]. Available: http://searchsecurity.techtarget.com/definition/security-policy. Accessed Jan. 16, 2018.

Question 3

[1] W. Deutsch, "Security Policies Every Company Should Have," Dec. 10, 2017. [Online]. Available: https://www.thebalance.com/effective-security-policies-394492. Accessed Jan. 23, 2018.

[2] M. Sanghavi, "Training Your Employees on Information Security Awareness," Dec. 11, 2015. [Online]. Available: https://www.symantec.com/connect/blogs/training-your-employees-information-security-awareness. Accessed Jan. 19, 2018.

[3] Dr S. Scott-Hayward, Class Lecture, Topic: "Introduction to Network Security – Part 2," School of Electronics, Electrical Engineering and Computer Science, Queen's University Belfast, NI, Jan. 12, 2018.

[4] Rapid7, "Security Awareness Training," Rapid7. [Online]. Available: https://www.rapid7.com/fundamentals/security-awareness-training/. Accessed Jan. 20, 2018.

Question 4

[1] SANS Policy Team, Consensus Policy Resource Community, SANS Institute, 2013. [E-Book]. Available: https://www.sans.org/security-resources/policies/general/pdf/email-policy. Accessed Jan. 18, 2018.

[2] Anon., "Email Security Policies," Help Net Security, 2012. [Online]. Available: https://www.helpnetsecurity.com/dl/reviews/157870264X.pdf. Accessed Jan. 19, 2018.

Question 5

[1] Dr S. Scott-Hayward, Class Lecture, Topic: "Network Security Administration – Part 1," School of Electronics, Electrical Engineering and Computer Science, Queen's University Belfast, NI, Jan. 16, 2018.

[2] Harvard University, "Information Security Policy," Harvard University. [Online]. Available: https://policy.security.harvard.edu/. Accessed Jan. 18, 2018.

[3] London's Global University, "UCL Information Security Policy," UCL. [Online]. Available: https://www.ucl.ac.uk/informationsecurity/policy. Accessed Jan. 18, 2018.

[4] H. F. Tipton and S. Hernandez, CISSP, Official (ISC)2 Guide to the CISSP CBK, 2nd ed. California, USA, 2010.