Security Plan - Knowledge and Information Security
Contents
CONTENTS 4
EXECUTIVE SUMMARY 6
RESPONSIBLE PERSONNEL 7
CHIEF SECURITY OFFICER 7
ELECTRONIC SECURITY MANAGER 7
PHYSICAL SECURITY MANAGER 7
RISK MANAGEMENT OFFICER 7
ASSESSMENT OF RISK 8
PHYSICAL 8
ELECTRONIC 9
DATA ACCESS SECURITY 10
GENERAL SECURITY 10
USER AUTHORISATION 10
USER AUTHENTICATION 11
SECURE DATABASE 11
PHYSICAL FILES 11
ELECTRONIC INTRUDER DETERRENCE – VIRUSES AND MALWARE 12
SOCIAL ENGINEERING 12
FILE SHARING 12
WIRELESS NETWORKS 13
STAFF VETTING AND SEPARATION PROCEDURES 13
GENERAL STATEMENT 13
STAFF SCREENING 13
SEPARATION PROCEDURES 13
PERSONNEL SECURITY 14
GENERAL STATEMENT 14
PASSIVE MONITORING 14
POSITIVE MONITORING 14
PHYSICAL SECURITY 15
GENERAL STATEMENT 15
AUTHORITY FOR ACCESS 15
ACCESS CRITERIA 15
INTRUSION DETECTION SYSTEMS 16
EQUIPMENT SECURITY 16
MONITORING SERVICES 17
SECURITY BREACH NOTIFICATION 17
INCIDENT RESPONSE 17
CHANGE IN CULTURE 17
INCIDENT TRACKING 17
INCIDENT RESPONSE TEAM 18
DISASTER RECOVERY 18
GENERAL STATEMENT 18
BACKUP FILES 18
SECURITY AWARENESS TRAINING 19
GENERAL STATEMENT 19
INITIAL 19
PERIODICAL 19
CONTENT 19
General 19
Specific 20
GENERAL SECURITY AWARENESS TRAINING 20
CONCLUSION AND RECOMMENDATIONS 22
BIBLIOGRAPHY 23 Executive Summary
Given the extent of, and the nature of the organisation, the effective operation of the information technology systems is vital to the continuation of business. However, a corporation of 600 staff poses unique security challenges, many of which are satisfied with the implementation of an operational training program completed by all staff.
This plan was developed, in part, to address issues identified in the security audit of 2007. Some of the issues raised have been addressed through the implementation of the Technical Systems and Information Technology Security Policy presented independently of this plan. Other issues of concern include incident response, disaster recovery, and business continuity. General
CONTENTS 4
EXECUTIVE SUMMARY 6
RESPONSIBLE PERSONNEL 7
CHIEF SECURITY OFFICER 7
ELECTRONIC SECURITY MANAGER 7
PHYSICAL SECURITY MANAGER 7
RISK MANAGEMENT OFFICER 7
ASSESSMENT OF RISK 8
PHYSICAL 8
ELECTRONIC 9
DATA ACCESS SECURITY 10
GENERAL SECURITY 10
USER AUTHORISATION 10
USER AUTHENTICATION 11
SECURE DATABASE 11
PHYSICAL FILES 11
ELECTRONIC INTRUDER DETERRENCE – VIRUSES AND MALWARE 12
SOCIAL ENGINEERING 12
FILE SHARING 12
WIRELESS NETWORKS 13
STAFF VETTING AND SEPARATION PROCEDURES 13
GENERAL STATEMENT 13
STAFF SCREENING 13
SEPARATION PROCEDURES 13
PERSONNEL SECURITY 14
GENERAL STATEMENT 14
PASSIVE MONITORING 14
POSITIVE MONITORING 14
PHYSICAL SECURITY 15
GENERAL STATEMENT 15
AUTHORITY FOR ACCESS 15
ACCESS CRITERIA 15
INTRUSION DETECTION SYSTEMS 16
EQUIPMENT SECURITY 16
MONITORING SERVICES 17
SECURITY BREACH NOTIFICATION 17
INCIDENT RESPONSE 17
CHANGE IN CULTURE 17
INCIDENT TRACKING 17
INCIDENT RESPONSE TEAM 18
DISASTER RECOVERY 18
GENERAL STATEMENT 18
BACKUP FILES 18
SECURITY AWARENESS TRAINING 19
GENERAL STATEMENT 19
INITIAL 19
PERIODICAL 19
CONTENT 19
General 19
Specific 20
GENERAL SECURITY AWARENESS TRAINING 20
CONCLUSION AND RECOMMENDATIONS 22
BIBLIOGRAPHY 23 Executive Summary
Given the extent of, and the nature of the organisation, the effective operation of the information technology systems is vital to the continuation of business. However, a corporation of 600 staff poses unique security challenges, many of which are satisfied with the implementation of an operational training program completed by all staff.
This plan was developed, in part, to address issues identified in the security audit of 2007. Some of the issues raised have been addressed through the implementation of the Technical Systems and Information Technology Security Policy presented independently of this plan. Other issues of concern include incident response, disaster recovery, and business continuity. General
Bibliography: Hagen, J., Rong, C., and Sivertsen, T., “Protection against Unauthorised Access and Computer Crime in Norwegian Enterprises”, Journal of Computer Security, vol. 16:3, 2008, pp. 341-366. Irvine, C. and Thompson, M., Expressing an Information Security Policy within a Security Simulation Game, (U.S. Naval Postgraduate School: 2005). Maley, G., “Enterprise Security Infrastructure”, IEEE Proceedings of WET ICE, 1080-1383, 1996. Mazzariello, C., Multiple Classifier Systems for Network Security: From Data Collection to Attack Detection, Ph. D. Thesis – Supervisor: Prof. Cordella, L. Nov. 2007. Solms, R., “Information Security Management: Guidelines to Management of Information Technology Security”, Information Management and Computer Security, vol. 6:5, 1998, pp.221-223. Solms, R., “Information Security Management: Why standards are Important”, Information Management and Computer Security, vol. 7:1, 1999, pp. 50-57. Volonino, L. and Robinson, S., Principles of Information Security: Protecting Computers from Hackers and Lawyers, (Readcon, New Jersey: 2005). Wagner, A. and Brooke, C., “Wasting Time: The Mission Impossible with Respect to Technology-Oriented Security Approaches”, The Electronic Journal of Business Research Methods, vol. 5:2, 2007, pp. 117-124.