Case Studied In The Management Of Information


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Our company is a midsized organization, and we have tried to review the role of CAs. This paper has two sections. The first, Policy Introduction, covers document information, audience, purpose, and scope. The second, Policy Criteria, covers objectives, compliance, responsibilities, implementation, and controls. I review this document as the CIO of the company.

The term information security is related to the following basic concepts:

· Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

· Integrity: the property of safeguarding the accuracy and completeness of assets.

· Availability: the property of being accessible and usable upon demand by an authorized entity.

Audience

Our company's backup policy applies to all individuals within the enterprise who are responsible for the installation and support of data sources, individuals charged with Information Resources Security, and data owners. All employees must follow this policy strictly.

Purpose

The purpose of our policy is to establish the rules for the backup and storage of information. This policy defines the technical controls and security configurations that users and Information Technology (IT) administrators are required to implement in order to ensure the integrity and availability of the data environment at Company Name, hereinafter referred to as the Practice. It serves as a central policy document with which all employees and contractors must be familiar, and defines actions and prohibitions that all users must follow. The policy provides IT managers within the Practice with policies and guidelines concerning the acceptable use of technology equipment, e-mail, Internet connections, voice-mail, facsimile, future technology resources and information processing.

The policy requirements and restrictions defined in this document shall apply to network infrastructures, databases, external media, encryption, hardcopy reports, films, slides, models, wireless, telecommunication, conversations, and any other methods used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms. This policy must be adhered to by all Practice employees or temporary workers at all locations and by contractors working with the Practice as subcontractors.

Scope

The scope of information security includes the protection of the confidentiality, integrity and availability of information. This policy and all standards apply to all protected information.

Section 2: Policy Criteria

Objectives

Our company intends to review its security policy and provide a historical perspective on CAs. The review includes an analysis of the major business processes, operating functions, organizational units and information systems (and the major risks associated with them); a thorough evaluation of the configuration and design of the existing network and systems infrastructure and main servers; and development of a security strategy encompassing security organization, security policy definition and the security management process, including recommendations on the methodology to be used for maintaining the security policy in a dynamically changing environment.

It also includes security architecture design, with a gap analysis based on the results of the current-state assessment contrasted with the defined future state and a migration plan to meet policy requirements, and further development of the organizational and technical security measures identified in the previous phase, including a risk assessment of the proposed policy and solution. We are now negotiating the project implementation plan, the resources required and task start/end dates. The suggested solution will have to offer a security policy and a security architecture that evolve with the growing IT requirements of the company.

Compliance

Owners or managers of computer, network, or application systems, as well as users of these systems, have the responsibility to report any apparent violations of law to Network Technology Services or Computing and Communications whenever such violations come to their attention.

Owners and managers of department computing, network, and applications systems shall make available to management and users of the systems guidelines for reporting security violations. These guidelines will provide specific guidance on what, when, where, to whom, and within what timeframe the violation should be reported and a copy will be filed with Network Technology Services or Computing and Communications.

Responsibilities

The company's Information Security Policy states that "Individuals who are authorized to access Institutional Data shall adhere to the appropriate Roles and Responsibilities, as defined in documentation approved by the ESCC and maintained by the Information Security Office." These roles and responsibilities are defined as follows.

Implementation

Resource Requirements

To fully implement the Internet Data Center security model, you need to have an in-depth knowledge of Microsoft® Windows® 2000, Active Directory, and registry configuration. It is imperative that the IT professionals who implement security have a thorough understanding of networking technologies and devices (such as firewalls, routers, switches, protocols, and ports).

Security Monitoring Policy

- Automated tools will provide real-time notification of detected wrongdoing and vulnerability exploitation. Where possible, a security baseline will be developed and the tools will report exceptions. These tools will be deployed to monitor:

• Internet traffic

• Electronic mail traffic

• LAN traffic, protocols, and device inventory

• Operating system security parameters

• Operating system vulnerabilities

- The following files will be checked for signs of wrongdoing and vulnerability exploitation at a frequency determined by risk:

• Automated intrusion detection system logs

• Firewall logs

• User account logs

• Network scanning logs

• System error logs

• Application logs

• Data backup and recovery logs

• Help desk trouble tickets

• Telephone activity: Call Detail Reports

• Network printer and fax logs

- The following checks will be performed at least annually by assigned individuals:

• Password strength

• Expired or unauthorized user accounts

• Unauthorized network devices

• Unauthorized personal web servers

• Unsecured sharing of devices

• Unauthorized modem use

• Operating system and software licenses

• Unauthorized data reception and/or transmission

- Any security issues discovered will be reported to the Information Security Officer (ISO) for follow-up investigation.

- The ISO is responsible for returning the IR to a preset level of security control.

Controls

A thorough analysis of all information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or man-made, electronic or non-electronic) that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity that potentially expose the information resource to the threats. Finally, the analysis will include an evaluation of the information assets and the technology associated with their collection, storage, dissemination and protection.

From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.

Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

Awareness

The security awareness focus for users may include:

• educating users on the creation of good passwords

• do's and don'ts for maintaining workstations

• informing users of e-mail and Internet access policies

• employee responsibility for computer security

• reporting procedures

• emergency procedures

The focus for security awareness for system administrators may include:

• training on how to configure systems securely

• education on user account management policies

• secure remote access for support of systems

Security awareness must also reach the business or non-technical user. Security awareness training for business users may emphasize:

• how to identify social engineering tactics

• how establishing and enforcing security policies can impact the "bottom line" (limiting system downtime, protecting business-critical information, etc.)

• public relations impact of DoS attacks, viruses, etc., and how security standards can help limit this risk

• increase in productivity generated by using standard, locked-down systems to minimize user downtime

Incident response

a. Initial Reporting

Internal. Physical security incidents involving PII (e.g., theft of a timekeeper's paper records, OTI file folders, etc.) shall be reported immediately (orally or via e-mail) to the appropriate Security Officer (see Commission Order 80, Security), as well as the ART.

External. All physical security incidents involving PII shall be reported to US-CERT, if applicable.

b. Escalation

The appropriate Security Officer, in consultation with the ART, shall determine if a physical security incident should be reported to outside authorities (e.g., local police).

c. Mitigation and Containment

The relevant Program Manager shall take immediate steps to eliminate the method of access utilized during the breach and any related vulnerabilities.

d. Investigation

The appropriate Security Officer and Program Manager shall serve as the focal points for collection of evidence, along with any outside authorities who may be involved at this point.

e. Eradication and Restoration

The extent of the breach must be determined. The Program Manager shall work with staff to restore the information if possible (through other records, etc.). Security protocols shall be reviewed and amended to ensure the loss of the PII cannot occur again.

f. Information Dissemination

Any public release of information concerning a physical security incident involving PII shall be coordinated by the appropriate Security Officer and relevant Program Manager through the ART, and ultimately through the Chairman. Information on incidents that could affect employees, regulated entities or the public should be made available, with care taken to reduce exposure of sensitive information. Other staff should not provide public comment about ongoing activities or disseminate incident information. Notice to those affected by the breach should be provided in a timely manner via e-mail or mailed notice, but without compounding the harm from the initial incident through premature announcement based on incomplete facts. The appropriate Security Officer, in conjunction with the relevant Program Manager, shall provide information to the OIG if a security incident indicates possible misconduct or criminal activities. Information available from the President's Identity Theft Task Force April 2007 Report, Combating Identity Theft: A Strategic Plan, may be of assistance in disseminating information, preparing for follow-on inquiries and preparing counterpart entities that may receive a surge in inquiries (www.idtheft.gov/reports/StrategicPlan.pdf). See also section 5.f. above.

g. Ongoing Reporting

After the initial report is filed, a subsequent report shall be filed by the appropriate Security Officer and relevant Program Manager to the ART, to include an incident description, reports of those with direct knowledge of the event, incident resolution status, damage assessment, and corrective actions taken or proposed. A follow-up report shall be submitted upon resolution of the incident.


