The Information And Security Technology

Published Date: 02 Nov 2017

[Author]

[Institution]

Over the past decades, information and security technology (IST) has helped transform the global economy and enable private organizations and governments to attain extraordinary gains in efficiency, productivity and alliance. Organizations of all sizes now participate more efficiently in these global markets. Governments are also using technical advancements to operate more competently and deliver services more successfully to its citizens. The rapid movement of personal information over the Internet has played an important role in this revolution by supporting intelligent data analysis, product sales and services. (Microsoft, Feb 2009)

Organizations be it consumer or governmental are calling for more operative strategies, methods and expertise to protect and manage the personal information assigned to administrations. These administrations powered by organizations should balance their desire to improve the flow, value and significance of this information with the bond to safeguard it from forfeiture, embezzlement and abuse. Meanwhile, protecting users’ confidentiality and keeping their information protected have become more difficult. Extensively exposed security, data ruptures, rising consumer concern about identity theft and the privacy of personal information are corroding public trust in the Internet and threatening to diminish the World Wide Web. (Microsoft, Feb 2009)

The Information Security Policy (ISP) is one of many resources a business must protect. The electronic automation of data has massively changed the threats resulting in a need to further construe and improve the ISP for the automated information system (AIS) milieu. There are many characteristics to a technical security policy (TSP) or an ISP. Regions such as the cataloging of the information, liability, facts & figures, modification, assessment, and diffusion of controls must all be addressed for the fair policy to be complete. This essay shall focus mainly on the information distribution/control aspects of the policy that are which accesses the information within the company’s system and manage its consequences of such access. In addition, the policies would also focus on the ISP-related aspects. Other implementations of these policies are the possibility of thorough personnel and physical security. (Abrams, 2006)

Acquisition assessments are conducted to ensure that a company being acquired does not pose a security risk to corporate networks, internal systems, and confidential/sensitive information. Our job is to provide these personnel to serve as active members of the implementation team throughout the security implementation process. The IT department’s role is to detect and evaluate information security threat, develop a counter attack plan with the affected areas of risk, and work with the team to implement solutions for any identified security risks, prior to allowing connectivity to GDI’s networks. (Institute, 2006)

Security for GDI is the responsibility of all departments that are sharing the space for their data center. The management team comprises of ITS Senior Operators, the ITS Operations Manager and the ITS Facility Manager are responsible for the administration of these policies. Following are the general requirements, policies and procedures that administer the access to such sensitive area. It is important that all employees of GDI follow these policies and procedures. (Keisler, March 27. 2007)

A Data Center is a restricted area requiring greater level of control than normal organizational areas. Authorized personals are specifically sanctioned to enter this area. Access rights will only be granted to persons who have a genuine business requirement to be in the data center. Any queries regarding the policies & procedures should be addressed to the ITS management team. There are four access levels to the GDI Data Center - Governing Access, Accompanied Access, Un-Accompanied Access and Security System and Keys.

1 Governing Access: is given to those people who have permitted access authority into the Data Center. Governing Access is granted to the core tech staff whose job duties entail that they have access to the area. These persons also have the power to grant temporary access to the Data Center and empower others to enter or leave the Data Center. Individuals with Governing Access to the Data Center are normally granted access via a code or a cardkey which will be placed on GDI’s Information technology security operations authorized access list. These individuals must also wear their supplied GDI ITS identification cards at all times. Any individual receiving Governing Access must go through a formal background scrutiny. (Keisler, March 27. 2007)

2 Accompanied Access: is closely monitored and access given to only those people who have a genuine business requirement for occasional access to the Data Center. Occasional access is generally defined as access essential for less than 15 days per year. Individuals with Accompanied Access will not be issued keys or granted admission via code or cardkey. A person with Accompanied access to the area must not allow under any circumstance any other individual to enter or leave the data center. (Keisler, March 27. 2007)

3 Un-Accompanied Access: is granted to only those persons who does not qualify for Governing Access but has a genuine business motive for un-supervised admittance to the GDI Data Center. Persons with Un-Accompanied Access to the GDI Data Center would be granted access to the area via a code or a cardkey and to be placed on the GDI ITS Operations Authorized Access List. Un-Accompanied Access personnel’s cannot allow others to be allowed un-official access to the GDI Data Center. Un-accompanied access persons can only grant accompanied access to characters that were related to the grantor’s trade in the Data Center. The grantor is also answerable for these persons and must guide them in the Data Center at all times. All doors to the center must keep on being locked at all times and may only be provisionally opened for times not to surpass that are marginally necessary in order to: Allow formally approved and logged entrance and exit of authorized persons. Permit the broadcast of equipment supplies directly administered by a person with Governing Access to the area, Prop open a door to the Data Center only if it is very much necessary in order to increase the flow of air into the GDI Data Center in case on an air conditioning failure. In this case, staff personnel with Governing access must be present for supervision and follow procedures.

4 Security System and Keys: are the policies of the ITS management team who need to issue access keys to the GDI data center for monotonous access purposes. Requirements for exclusions to this policy will be considered on a flexible basis. If the management team issues a key to a discrete, the specific may not share, lend or fake the key. Only those granted governing access could request the issued keys. An access control system provides the standard instrument for control of admittance to the GDI Data Center. These instruments would be employed at the GDI Data Center doors. Under any circumstances may make any discrete attempt to evade the access control system to gain access for them or document access for another individual. Individuals are not to share their codes or cardkey’s. (Keisler, March 27. 2007)

Even though some preliminary recommendations for instant execution will be made below to address some of the most acute and crucial needs, each GDI unit must be involved in the process of analysing its IT security systems, and design how each critical system, procedure, and data foundation will be secure; the organization will ensure that its business operations could continue in the absence of those schemes, developments, and data; and how the failed modules would be restored to full operation. (Seghal, 2010)

Basic general steps are defined below; these will probably include resources, contribution, and planning not only from IT, but from the entire organizational office, functions, and components which depend on ITS services and amenities (Myers, 2006). These policies apply to all members of the organization, individuals having access to the GDI information or technology resources. GDI’s technology surroundings are a communal and incomplete open resource focus to both malicious and unintentional abuse. Computing organizations and other particular devices have the latent to introduce security threats, especially when they are devoted to a communications network. To alleviate risk standards for managing secure data, workstations, servers and network devices. (Salido, 2009)

Each device must be registered upon first use, and re-registered at the frequency then in effect for the user type. To register a device, a user must provide the unique network media access control (MAC) hardware identifier assigned to the device by its manufacturer, a valid GDI network User Name, and password. In order to ensure reliable network operation, all devices must be configured to accept the assigned Internet Protocol (IP) numeric address, GDI-generated identifying name, and other network parameters which are automatically assigned each time a network connection is proven. The practice of perpetual network identifiers is restricted to GDI managed or approved devices.

Sensitive organization information is likely to be present on storage media associated with obsolete or surplus equipment intended for disposal. Organization owned technology equipment must therefore be disposed of by its asset management contractor.

Computers infected with viruses or malicious code can jeopardize information technology security by polluting, detrimental, and destroying data. For that reason, anti-virus software must be installed and operating with the most current list of virus definitions. The organization should possess licensed anti-virus software for GDI’s staff member using the network.

All personal computers must use firewall software configured according to GDI guidelines. Software installed on any GDI computer system must be legally licensed. GDI department heads are responsible for ensuring that no software license usage in their department exceeds purchased levels and arranging for additional licensed copies when needed to support instructional or administrative activities. All currently available security patches must be installed for operating systems and application software. Software with security patches are not routinely made available should not be used on the GDI network.

All computers connected to the GDI network are required to undergo an automated evaluation to determine if certain software settings and applications are correctly installed and operative. As a result of this assessment, users may be required to install new software or reconfigure existing software before unlimited network access is granted. Access to Internet resources needed to accomplish any required upgrades will be permitted.

When employees are working from other locations and remotely connecting to systems on the GDI network, an encrypted communication channel must be used in order to protect the confidentiality of User Names, passwords, and university records comprising personal, private, or legitimately protected information. This is also necessary when using the on-site wireless network.

Sensitive personal information must be stored within GDI’s systems using an approved method of encryption to help secure the data in the event of unauthorized access. This requirement is especially important when information is stored on portable devices.

Networking facilities including wiring closets, data centers and computer rooms, must have respectable physical security. Awareness should be taken of the pertinent sections of the organizations planning policy but the following has precise significance to networking equipment. Data centers facilities that support perilous business events must be sufficiently protected. IT based equipment must be substantially protected from security threats and environmental vulnerabilities and must be secured to decrease the risks of destruction, intrusion and un-authorized admittance. The following measures are the considered possibilities where there should be no palpable signs classifying the occurrence of network equipment. Hazardous or flammable materials should not be stored within apparatus rooms. Suitable safety equipment should be installed, such as heat and smoke detectors. Any fire extinguishing kit must be of the correct type. Doors should be locked when un-attended. Outer defense should be measured if there are windows. Appropriate security controls should be exercised, to ensure that only sanctioned personnel are allowed admission. Cables carrying statistics or supporting IT services also required protection from interruption or damage. Cabling within GDI structures should be protected, by using channel or by avoiding ways through public areas, and cables between office blocks should be underground wherever possible. Where cables form part of loop contemplation should be known to using separate routes in order to decrease loss in the event of damage.

Wireless networks also need security from un-authorized access. The following security measures can be applied to reduce these risks:

Wireless antennas should be situated so that they are out of physical range, and can be sustained only by authorized personnel.

Power and network links to the wireless units should be passably protected.

Wireless terrestrial power levels should be condensed to stop the signal being broadcast past selected areas, while still providing coverage.

Firewall should also be used to decrease the risk of the wireless network being used for un-authorized commitments.

IT equipment should be properly maintained to safeguard its continued obtainability and reliability, book keeping of all faults or suspected faults should be kept note, and repairing should only be performed by authorized employees. IT equipment assisting critical trade operations should be well protected by an un-interruptible power supply (UPS) and this UPS gear should be frequently tested in agreement with the manufacturer’s endorsements. (Roch, 2005)

It is vital that all features of information technology security, including privacy, privacy and techniques relating to system admittance, be merged into formal employee orientation procedures and taken to existing GDI members on a consistent basis (Roch, 2005).

These policies are introduced to GDI during new employee orientations. GDI shall hold semi-annual meetings with departmental technical partners at which existing and incomplete security matters and new possible risks are discussed and extenuation policies are shared. GDI shall also host security web sites covering resources on information system security. Personnel’s whose duties bring contact with private or subtle information should be obligatory to provide written pledge of their aim to obey with the organizations security policies and attend an awareness and training program annually and obtain periodic security updates as required (Myers, 2006).