Type: Informative Essays
Sample donated: Gilbert Pope
Last updated: September 22, 2019
Throughout this case study we are going to explore security policies. We will analyse what a security policy is and why organisations need one in operation, and explain the basic guidelines that need to be given to an employee. Additionally, we will explore examples of these needs in industry and for email servers, including the risk posed by sensitive emails. We will also critically analyse the Harvard and UCL security policies and suggest improvements.
1. What is a security policy and why does an organization need a security policy?

A security policy is a policy which sets out rules and procedures for each individual within an organisation who accesses its resources. It is a written, unique document which an organisation follows to protect, manage and distribute data. It also states measures and guidelines for each individual who has access to sensitive information. The purpose of the security policy is to inform employees of their responsibilities in relation to security.
It takes into consideration applications, equipment, systems, processes and storage. This provides a basis for defining and regulating management systems. The policy is continually updated within the organisation and is considered a "living document", as it is never finished and continually expands. Each organisation has its own unique policy to meet its employees' requirements.

There are three main objectives which security policies involve.
These are confidentiality, integrity and availability. Confidentiality assures that private information is not disclosed to unauthorised personnel. Integrity ensures that data can only be modified by authorised personnel. Availability ensures the system is available to all authorised personnel and that the system works efficiently.

There are several reasons why organisations require a security policy. It addresses threats: its main goal is to set out how to implement strategies against those threats and how the organisation can recover from any potential threat.
It also determines access rights, for example who has access to the finances and who does not. Additionally, it provides a roadmap for employees of what to do and when to do it; for example, when you change your password you cannot reuse the previous one. This is used to prevent easy access to the organisation's systems and decreases the risk of data loss. A security breach could potentially pose a financial risk to an organisation, so it is important to have this policy in place to protect personal information and guard against computer malware. It is extremely important to keep data secure and to allow no unauthorised access to information.
Overall, having a security policy in place allows employees to be updated quickly on the guidelines within the company.

2. Come up with an example of your own of an issue which could be caused by missing security policies.

One of the biggest threats to network security is caused by using USB devices. An issue that could arise from having no physical security policy is the security of data. USB storage access should be disabled for external devices that have not been authorised for use in the company workplace.
If there is no policy enforced to prevent this, users have access to data which could be transferred outside of the company. This has the potential to be a huge security breach, as any data a user has access to can be transferred off the network and could then be sold or used maliciously against the company.

If a USB device can be used in an organisation, there is also the risk of users being able to upload files onto the network. If a user is able to do so, they may, for example, put an installation file on the network and run it to install software.
This has the potential to infect the system with a virus or malware, which could then spread across the whole network and affect the use of other important applications.

This problem can be combatted by implementing a security policy, backed by a group policy setting which prevents USB storage devices from being used on machines. The group policy setting should not disable the use of USB ports, as then other devices such as mice and keyboards could not be used. Instead, the policy should prevent the device drivers from being installed on the machine, in turn rendering USB pens useless. If an administrator needs to use a USB pen on a machine for support or maintenance purposes, the device drivers will install. The administrator then needs to uninstall the drivers for the USB pen whenever they are finished; otherwise the user of the laptop will still have the drivers installed and could use a USB pen of the same type in the future. This process should be outlined in the security policies in order to keep the network secure.

As discussed above, there is a security risk associated with using USB devices on a network, and it is generally more secure not to use them.
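As an added example (not part of the essay), the following PowerShell applies the control described above on a single Windows machine: it blocks installation of USB mass-storage drivers while leaving USB keyboards and mice untouched, and lets administrators override the block for maintenance. The registry path and value names are those written by Windows' "Device Installation Restrictions" policy template; the two device IDs matched and the function names are my assumptions.

```powershell
# Added example, not from the essay. Run from an elevated PowerShell session.
# Registry location behind Computer Configuration > Administrative Templates >
# System > Device Installation > Device Installation Restrictions.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyList     = Join-Path $Restrictions 'DenyDeviceIDs'
# Compatible IDs reported by USB mass-storage devices (assumption). HID devices
# such as keyboards and mice do not match these, so they keep working.
$BlockedIds   = @('USBSTOR\Disk', 'USB\Class_08')

function Set-UsbStorageInstallBlock {
    New-Item -Path $DenyList -Force | Out-Null
    # Enable "Prevent installation of devices that match any of these device IDs"
    Set-ItemProperty -Path $Restrictions -Name 'DenyDeviceIDs' -Value 1 -Type DWord
    # Also apply to matching devices that are already installed, so a pen drive
    # that was plugged in before the policy stops working too
    Set-ItemProperty -Path $Restrictions -Name 'DenyDeviceIDsRetroactive' -Value 1 -Type DWord
    # Let local administrators override the restriction for support/maintenance;
    # the essay's rule that they remove the driver afterwards still applies
    Set-ItemProperty -Path $Restrictions -Name 'AllowAdminInstall' -Value 1 -Type DWord
    # The policy stores one REG_SZ value per blocked ID, named "1", "2", ...
    for ($i = 0; $i -lt $BlockedIds.Count; $i++) {
        Set-ItemProperty -Path $DenyList -Name "$($i + 1)" -Value $BlockedIds[$i] -Type String
    }
}

function Test-UsbStorageInstallBlock {
    # Audit helper: $true only when the policy is enabled and every ID is listed
    $enabled = (Get-ItemProperty -Path $Restrictions -Name 'DenyDeviceIDs' `
                -ErrorAction SilentlyContinue).DenyDeviceIDs -eq 1
    if (-not $enabled) { return $false }
    $listed = (Get-ItemProperty -Path $DenyList -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    foreach ($id in $BlockedIds) {
        if ($listed -notcontains $id) { return $false }
    }
    return $true
}

Set-UsbStorageInstallBlock
"USB storage driver block in place: $(Test-UsbStorageInstallBlock)"
```

In a domain, the same values are set centrally through the Group Policy editor rather than by writing the registry directly, and Test-UsbStorageInstallBlock can then be used on its own to audit that the setting has reached each machine.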
If a company, however, insists on using USB devices, then there are certain policies that should be implemented to maximise security. USBs should only be used if they are provided by the IT team within the company, and they should be tracked so that IT knows which users have a USB pen and their purpose for using one. Another policy that should be put in place would deal with an employee who has previously been using a USB pen and has left the company: the ex-employee still has access to valuable data on the USB. All USB drives should therefore be capable of being remotely disabled, to prevent data from being misused or mistreated.

3. What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why? (List at least 4 things.)

There is basic information which needs to be explained to employees within the security policy.
This includes having a strong password. Employees need information regarding password security: a password should include uppercase and lowercase characters, numbers and symbols. Password security is becoming a larger problem, and employees will need to change their password regularly.
This minimises threats from cybercriminals. The information should also cover how to store a password safely and how frequently to change the password on the system. The company can impose a rule such as logging out of the system when employees leave their computer, or it may add time-based locking to the computers.
This information should be provided to employees because people generally tend to use the same or a similar password for their log-in.

Additionally, employees should be made aware of security breach procedures. Each member of staff has a responsibility to report a network security breach, for example a suspicious email, pop-ups and attachments, or modification of data that looks unfamiliar. This should be reported to the network administrator or technician so that they can investigate, prevent the issue from expanding and remove the threat from the organisation.
Furthermore, employees must be made aware of what to do in response to a security threat. This will need to be addressed so that employees know what to do if an incident occurs, and a list of the procedures will be required.

This basic information should be given at the beginning of employment. Employees will need to be made aware of the policy and practices before beginning any work within the organisation. To do this they will need to understand the value of keeping confidential information safe, and also be aware of the risks and how to make good judgements online.

Mobile devices and laptops are often used to access data without authorisation. This can often happen while they are being transported to and from work.
Alternatively, USB/portable storage devices can also cause security issues within an organisation. The USB device would need to be malware free. If devices are stolen or misplaced, this must be reported to the appropriate team within the company, as such devices can often be an easy access point for hackers.

4. Your organisation has an e-mail server that processes sensitive emails from senior management and important clients. What should be included in the security policy for the email server?

When it comes to a security policy for an email server which processes sensitive emails, including important clients' information, we will be dealing with a specific type of security policy. This is categorised as a "Functional, Issue-Specific Policy", which addresses areas of particular security concern, in this case the technical area of the use of email.
The different aspects of an email security policy can be broken down into four basic parts. These can be listed under "General Email Policy / Email Usage Policy", "Automatically Forwarded Email", "Email Security Policy" and "Email Retention Policy"; however, the policy can be split into further parts, as there are a lot of areas to cover.

First we have the "Scope of the policy". This defines who the policy applies to. In our given scenario this will include employees, trainees and other individuals involved with the organisation (the important clients). The scope may include the organisation's email system in its entirety, including desktop and web-based email applications, server-side applications, email relays and all associated hardware. It can also cover all electronic mail from the server as well as any external email accounts accessed from the company network, as we are dealing with important clients in the given scenario.
A "General Email Policy", also called an "Email Usage Policy" or "Appropriate use of email services", is designed to protect the organisation's reputation from inappropriate use of email services among the employees, trainees and management members within the organisation, and to ensure that none of the users are sending illegal material through the email system. This policy covers what is an acceptable use of email within the workplace. Offensive comments would be against most organisations' email usage policies; these can include comments on race, gender, disability, sexual orientation, religious belief, political belief or national origin. The policy should also cover email content which incites criminal activity, or other forms of commercial activity which may damage the organisation. Users should not be transmitting or forwarding emails that have no informational purpose.
The policy should also state that users must not knowingly allow anyone else to send emails using their own accounts, as the user will be deemed liable for any email activity from their account, although this part can be considered as part of the "Privacy and Security" section.

"Automatically forwarded email" is needed as it allows management to properly explain the rules and consequences of forwarding sensitive data to other employees. As we are dealing with sensitive emails from senior management and important clients, we need to ensure that every employee understands what is considered sensitive information and follows the best course of action to ensure email security and confidentiality. We will have to outline the consequences if an employee breaks this policy.

When creating an email security policy, it is always recommended to have a section which relates to phishing emails.
This section can help to highlight how to report and forward phishing and other dangerous/risky emails to the security team. We can also list employee expectations. We can make sure everyone is safe and on the same page by setting clear routes of communication.

The policy should have a section on viruses and other malware to ensure that reasonable steps are taken to prevent the propagation of computer viruses or other malware by email.
For example, systems must be running up-to-date anti-malware software.

The "Email Retention Policy" will identify and explain to employees what information needs to be kept and will specify for how long.

The security policy must clearly outline penalties for improper use of email services. In the scenario given, the consequences should range from disciplinary action to civil action or even criminal prosecution, depending on what breach or misuse of the system has been committed.
Lastly, there shall be a section outlining message privacy and security, stating whether or not the organisation can guarantee that all electronic communications will be private. Employees should be aware that all emails could be forwarded, intercepted or even stored by others. Users must make sure they take the following steps to ensure that the risk of interception or breaches of confidentiality is kept to a minimum. These steps include never divulging their password to anyone and not knowingly allowing anyone else to send email from their own account.

5. Read the UCL and Harvard university security policies [1], [2]. Compare and critique the policies, suggesting improvements/updates as appropriate.

At a glance, the Harvard policy is more user friendly, as it is laid out in sections.
The security policy is broken down into numerous categories. It clearly outlines what it expects of users, devices and physical records. The policy clearly explains each guideline, for example "no shared passwords", and explains this below the heading. This is easy for employees to understand and adapt to, so that they can follow the guidelines much better, as they will understand them due to the standard level of written English used. The UCL security policy, however, is quite time consuming to go through. It would be extremely intimidating for new employees, or any employee, to go through each policy, as it uses a higher level of English which could be quite time consuming to read through when beginning employment with an organisation. A possible improvement for the UCL policy could be to document the information in more manageable sections, similar to the Harvard policy.
This will mean employees adopt a more meaningful approach to the policy. UCL's policy is much more professionally worded, and this could encourage employees to abide by it. UCL has duplicate information that appears in the main policy PDF and is duplicated again in the supporting policy categories.
Removing this duplication would be a suggested improvement, so that users are not reading over similar material repeatedly, as this is not user friendly. It is also important to note that the Data Protection Policy and the Guidelines and Forms are password protected, which results in the public not being able to access them. This is extremely valuable, as it means that not everyone has an insight into the UCL security system.
This will potentially save the UCL system from potential threats. Furthermore, a possible improvement for the Harvard security policy could be to add hyperlinks to any sections of the security policy that it refers to. On occasion this policy can be quite vague, for example "U16: All users handling credit or debit card transactions must comply with University Cash Management requirements." [1] With a hyperlink, the user would not have to find the University Cash Management requirements by searching through the policy. This could also have been explained in more detail to the user. By reading through and comparing both security policies, for UCL and Harvard, we can see that they differ with regard to content. The Harvard security policy includes policies defined by different levels, e.g. the most critical is "Level 5 - information would cause severe harm to individuals or the University if disclosed." Reading the Harvard policies from the landing page, the user can clearly see which policies are more severe than others, meaning these are more critical for the university, as they could cause great problems if they are not followed.
UCL provides a list of policies with no particular breakdown of the risk associated at each level. This could be improved by laying the policies out in the same structure as Harvard, in order to make it more understandable which policies are more important. Although the Harvard policies are easier to navigate, the UCL policies are more informative, as they include detailed explanations about each section within a policy. There seem to be more steps put in place to ensure that policies are followed strictly. An example of this is virus and malware protection: Harvard states in its policy "SA10: Servers must be running applicable malware detection software with up-to-date signature files.", whereas UCL states "All reasonable steps must be taken to prevent the propagation of computer viruses or other malware by email. Incoming and outgoing email must be routed via mail servers (including any such services operated by third parties on behalf of UCL) which must run adequate malware detection software. Systems must run up-to-date anti-malware software where available; the operating system must also be patched regularly".
This description is much more insightful. In conclusion, both policies explore many factors of security, with both strengths and weaknesses. However, Harvard's is far more approachable and realistic for an employee to read thoroughly.