The purpose of this security plan is to elicit the potential threats to an organisation's physical and electronic information holdings. Organisations in general are starting to take information security more seriously due to the proliferation of mobile services, VPN connections, terrorism and natural disasters. We must however acknowledge that the same technological advances that are regarded as efficient also lead to a higher level of security risk. These risks must be mitigated to ensure the confidentiality, integrity and availability of information assets. (The SANS Institute, 2007)
The security team would like to report the following threats to the organisation's physical and electronic information holdings, discovered during an in-depth analysis of the current security structure within the organisation.

Physical Threats
Physical security is generally overlooked in an information security plan. The presence of a guard at the entrance of a building, magnetic access cards and identity badges provides an illusion that an organisation's information assets are physically secure. (The SANS Institute, 2007) A report by Justin Kallhoff explains that the highest priority of physical security is human safety: in the event of an incident, the priority should be to ensure all human beings are safe before initiating any other incident response. (Justin Kallhoff, 2007)
The table below briefly describes some of the threats to an organisation's information assets.
Security Threat | Security Threat Description
Human Behaviour | Someone accidentally unplugs or turns off the wrong device, a hacker/cracker executes an exploit and unexpectedly crashes a server, or an employee steals a device. The most common threat is the organisation's own users, especially contractors, including cleaning staff.
Obvious Threats | Fires, floods and natural disasters are obvious threats to physical security; every company is vulnerable to these kinds of threats.
Magnetic Access Cards | Most building access cards are controlled by the building administration department, which might not be linked to the business in any way. Regardless, we need to ensure our server rooms are fully equipped with alarm systems and a separate access system that is preconfigured and managed by internal IT support. This will reduce the risk of unauthorised personnel physically accessing the servers.
Identification Badges | Identification badges can provide assurance and restrict social engineering; however, we need to secure the source where the ID badges are created and ensure that effective controls and authorisations are in place.
Passwords | Unauthorised access is normally encountered when employees share passwords or negligently leave them exposed. Password policies will be implemented to ensure users are aware of corporate expectations with reference to passwords.
Laptop Computers, Mobile Phones & PDAs | Laptops and smartphones that hold sensitive data, for example corporate e-mail, should be pre-configured with encryption and strong authentication mechanisms to prevent the data from being exposed to unauthorised users.
USB Mass Storage Drives | USB devices that hold gigabytes of data in a form factor the size of a single human finger are widely available. This is a threat to organisations because data can be stolen, or malicious code uploaded to the private network, simply by plugging in a USB device: most of the logical controls, such as firewalls, are bypassed.
Access Permissions | We need to ensure that the access privileges of current employees are administered in accordance with the requirements of their positions. It is a great threat to an organisation if incorrect access is assigned, especially with reference to sensitive information such as payroll and human resource data.
User Account Terminations | User accounts need to be terminated when a person leaves. The company is at a higher threat if...
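The Access Permissions and User Account Terminations rows both come down to one recurring check: reconcile the directory's accounts against the HR roster, and flag any enabled account belonging to someone who has left, any enabled account with no HR record at all, and any account holding groups its role does not justify. The script below is an added example written for this plan, not code from the plan or from any referenced source. The roster, the account records and the ROLE_GROUPS policy mapping are constructed sample data and assumptions; a real run would pull them from the HR system and the directory.

```python
"""Reconcile directory accounts against the HR roster.

Added example for this security plan (not from the original document).
All data below is constructed; ROLE_GROUPS is an assumed policy.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed policy: the directory groups each job role is allowed to hold.
# Anything beyond this set is excess privilege (e.g. an HR officer in Payroll).
ROLE_GROUPS = {
    "payroll_clerk": {"Staff", "Payroll"},
    "hr_officer": {"Staff", "HR"},
    "developer": {"Staff", "Dev"},
    "contractor": {"Contractors"},
}


@dataclass
class HrRecord:
    username: str
    role: str
    end_date: Optional[date] = None  # None means still employed


@dataclass
class Account:
    username: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)


# Finding = (username, kind, detail); kind is one of
# "terminated", "orphan", "excess_groups".
Finding = Tuple[str, str, str]


def review_accounts(roster: List[HrRecord], accounts: List[Account],
                    today: date) -> List[Finding]:
    """Return every account that violates the leaver / least-privilege rules."""
    by_user = {r.username: r for r in roster}
    findings: List[Finding] = []
    for acct in accounts:
        rec = by_user.get(acct.username)
        if rec is None:
            # No HR record at all: nobody owns this account.
            if acct.enabled:
                findings.append((acct.username, "orphan",
                                 "enabled account with no HR record"))
            continue
        # Leaver whose account was never disabled.
        if acct.enabled and rec.end_date is not None and rec.end_date < today:
            findings.append((acct.username, "terminated",
                             f"left on {rec.end_date}, account still enabled"))
        # Group membership beyond what the role permits.
        excess = acct.groups - ROLE_GROUPS.get(rec.role, set())
        if excess:
            findings.append((acct.username, "excess_groups",
                             f"role {rec.role} should not hold {sorted(excess)}"))
    return findings


# Constructed sample data (hypothetical users).
SAMPLE_ROSTER = [
    HrRecord("alice", "payroll_clerk"),
    HrRecord("bob", "developer", end_date=date(2024, 3, 1)),
    HrRecord("carol", "hr_officer"),
    HrRecord("dan", "contractor", end_date=date(2024, 6, 30)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"Staff", "Payroll"}),
    Account("bob", True, {"Staff", "Dev"}),          # leaver, still enabled
    Account("carol", True, {"Staff", "HR", "Payroll"}),  # excess: Payroll
    Account("dan", False, {"Contractors"}),          # leaver, correctly disabled
    Account("eve", True, {"Staff"}),                 # orphan
]


def sample_findings() -> List[Finding]:
    """Run the review over the constructed data as of 2024-07-01."""
    return review_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, date(2024, 7, 1))


if __name__ == "__main__":
    for user, kind, detail in sample_findings():
        print(f"{user:8} {kind:14} {detail}")
```

Run on a schedule (for example nightly), this turns the plan's "accounts need to be terminated when a person leaves" from a statement of intent into a check that produces a worklist; the excess_groups finding is the same check applied to the payroll and HR data the plan singles out.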