Home / Research Paper / The Originality Verification Utility, Research Paper Example

The Originality Verification Utility, Research Paper Example

Pages: 8

Words: 2084

For ensuring adequate protection of assets on the network, technical controls play an important part. However, for managing these controls, we need administrative controls i.e. defined policies. If the risk management process has already been performed and the risks are identified, a business continuity plan needs to be developed. For the policies, we will develop an acceptable use policy and Information Security Policy. Likewise the information security policy will address organization wide security of all information related activities.

A research highlighted mishaps from concerned security administrators for installing default programs from a compact disc. These stored programs on a compact disc facilitates hackers to breach security by storing porn contents, configuring an illegal server, initiating attacks on other information assets and breaching server on the network. In order to eliminate all these threats and vulnerabilities, reviewing and learning the functionality of threats is essential. This will certainly reduce the probability of security incident in organizations (Compromise Recovery and Incident Handling. 2003). One more research was conducted related to a Proposed Integrated Framework for Coordinating Computer Security Incident Response Team. Conventionally, computer security incident response teams (CSIRT) are responsive for viruses, hacking and unauthorized access of employees. The CSIRT is defined as “Computer security incident response team (CSIRT) is a term used by the CERT Coordination Center (CERT/ CC) to describe a service organization that responds to computer security incidents” (Computer security incident response team.2007). The research transformed these teams in to efficient tools that will maintain efficiency of business operations, compliance along with new regulations and homeland security. Those organization possessing incident response teams follows a systematic approach and steps to recover the system efficiently from any security breach or incident. Moreover, the existence of teams eliminates loss or information theft and service disruption. Furthermore, the information gained by detecting and resolving an incident, facilitates support teams to be more efficient for handling future incidents. Likewise, these teams are called security incident response teams (SIRT). They are triggered when a security breach shows its existence within the network of an organization. The incident response process incorporates an incident response team that classifies the incident as per the defined scale and respond to the incidents accordingly. Incident management can be addressed by following stages (Igli Tashi,):

Incident identification
Incident notification
Incident containment
Recovery or Restoration
Addressing Improvement areas

However, these teams conduct investigation of suspect workstations and servers. For instance, if a server is responding slowly, or a workstation is broadcasting messages, are examined for any possible security incidents. After specifying the incident that is related to security, the incident recovery steps are performed accordingly to assure adequate information collection and documentation. There are cases where security incidents also involves the contribution of law enforcement agencies, concerned managers, board of directors of an organization and security professionals to resolve and recover from security incidents. Incidents in the context of adverse events demonstrate a negative impact for organizations. Adverse events includes a system crash, flooding of network packets, unauthorized access of system privileges, viruses, malicious codes etc. incidents in the context of computer security are referred as a policy violation for computer security policies and standard security practices.

Security Policy

Scope

This policy is applicable to all information resources, systems that are internally connected, the organization, employees and third parties who have access to the organization. The scope of this policy will also cover all the legacy and future equipment that will be configured and tuned as per the reference documentation (Barman, 2001).

Policy

Ownership

The first factor that must be addressed is the ownership criteria. The organization is responsible for recruiting or assigning an information security manager, a point of contact for communication and an alternate point of contact in case of unavailability of the primary point of contact. Employees who are assigned as the owners of the systems must organize and update the point of contact on regular basis in order to align with the information security and corporate enterprise management members or groups. Information security manager must be available all the time i.e. round the clock, either via phone or on office hours. In case of absence, alternate manager must be functional to avoid hindrance to production operations. In case of any lack of mismanagement, legal action is applicable against the employee.

Moreover, Information security managers are also liable for the vital factor that is the security of the information resources of the organization and the impact of its operations on the production functions and operations that are functional on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best for safe guarding information security of the organization, from security weaknesses and vulnerabilities.

Information security managers are also liable for aligning security policies in compliance with the organization, security policies. The following policies are vital: Password policy of networking devices and hosts, wireless network security policy, Anti-Virus security policy and physical security policy.

The information security manager is of the organization is responsible for granting and approving access to employees requiring access for information or business purpose. Access can be either short term or long term depending on the ongoing job description or responsibilities. Moreover, information security manager will also ensure effective procedures for terminating unwanted access to the resources.

The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations from the organization network or network appliance / equipment / device.

The network support staff or administration must be entitled to have full rights for interrupting network connections of the organization that may impose impact or security risk on processes, functions and operation on the production network

The network support and administration staff must maintain and record all the IP addresses that are operational in the organization, any database associated with routing information from these IP addresses.

Network access of the organization by departmental or external organizations to or from the network must provide a business case including justification of access with network diagrams and equipment to the information security management who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection.

User passwords must meet the requirements of the access management or password policy of the organization, password policy. Moreover, any inactive account must be deleted within 2 days from the access list and any device that involves critical and sensitive information of the organization, passwords of group based accounts from the group membership modules must be modified within 24 hours.

The customized network of the organization will not facilitate third party or outsourced organization apart from network and data transmission, storage, modification, monitoring and protection. All the other departments of the organization will be facilitated by their respective support functions.

In case of non-compliance, information security management must consider business justifications and allow waivers accordingly.

Acceptable Use Requirements

Any vulnerability detected in the Organization’s computer security must be reported to the adequate security staff. Vulnerabilities in computer systems are detected by unknown software or abnormal system behavior that may lead to accidental invasion of confidential information.

Misuse Reporting processes section can be used to report any policy violation by the staff that can be related to Intranet, Extranet, Internet, and Email procedures.
No user is allowed to access data, personal documents, emails and applications installed on the organization’s network without documented authorization.
All employees of the organization must not share their email passwords, Personal Identification Numbers, system passwords, server passwords with anyone.
No employee of the organization is entitled to make copies of licensed software that is purchased by the organization.
No employee of the organization is entitled to install any software on their systems without management approval.
No employee of the organization must involve in offensive contents or material that is used for transmitting, storing, harassing intentionally or that is not legal in terms of federal legislation.
No employee of the organization will involve in practices that may slow down the performance of the organization’s information resources, remove authorize access to organization’s information resources, gain approval for additional resource allocation.
No employee of the organization will install and execute software such as packet sniffers, password cracking software or tools to reveal system vulnerabilities of the organization, unless approved and authorized by the acting CISO of an enterprise.
Information resources of the organization are not entitled for gaining personal objectives, political movements, fund raising programs and every such activity that is prohibited by the federal legislation.
Employees must provide authorized access to researchers and the organization employees for accessing confidential information stored on the organization’s staff must not allow non-employees to access confidential records stored on the organization information resources.

Configuration Requirements

The network traffic between different departments and the other networks for instance, the organization network traffic, will be transmitted via a firewall monitored and maintained by the support staff. However, in case of a wireless network transmission, connection to other networks of the organization will be prohibited.

In order to configure or modify any configuration settings on the firewall, it must be reviewed and approved by the information security personnel.

Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the premises of the organization, as they can trigger information security risks and disrupt the network operations, or any other network that may be operational.

Right to audit for all inbound and outbound activities of any department of the organization is applicable to the information security personnel anytime.

For ensuring physical access, every employee must identify themselves via physical security controls before entering in the premises of the organization.

Accessing mobile phones, PDA’s, smart phones, laptops and any other communication device in the parameter of the organization, must be according to the open area security policy.

Encryption must be applicable to stored password files, VPN connections and connections to the third party service providers where applicable.

Compliance with Legal Requirements

Associated and Applicable Legislation

To sidestep for any legal issues or security breaches, the organization will define, document and demonstrate compliance with all applicable statutory, regulatory and contractual requirements for each information system.

Owners of the systems must take advice from the information security officers for all issues related to Legal and security information.

Local regulations must be addressed that are applicable where data is handled, stored or protected. Likewise, legal officer of the organization will examine applicable laws and regulations of policies at different regions. The legal officer will consult chief information security officer for establishing required exceptions to policies and specific policies to different regions.

Intellectual Property Rights

(Ilvonen, 2009) All employees at the organization will conform to the legal requirements of intellectual property protection along with license agreements related to copyright software. The objectives of this policy is to make employees of the organization aware and to make them comply with copyrights, trademarks etc. Employees of the organization are accountable if they not use the organization’s intellectual property with guidelines and standard procedures.

In case of non-compliance, employee will face a disciplinary action, termination of employment and criminal or civil charges.

Intellectual Property Standards and Training

The Chief information security officer or any role acting in this category along with system owners will develop educational and training session.

Using Software from Outside Sources

Employees of the organization must not install or download pirated or unlicensed software on the organization systems. Employees will not download and install any software from the Internet without approval. If approval is granted, it be justified and must contribute to business objectives.

Enforcement

If any violation of this policy is found, the matter maybe subjected to disciplinary action that may also lead to termination of employment.

Revision History

Revision Version	Date
Version 1.0	March 1^st 2012
Version 2.0	October 31^st 2012

As mentioned earlier, information security policy and acceptable use policy is required. Each of these policies will incorporate scope, Ownership, Acceptable Use Requirements, Configuration Requirements, Compliance with Legal Requirements, Associated and Applicable Legislation, Intellectual Property Rights, Intellectual Property Standards and Training, Using Software from outside Sources, Enforcement and revision history. For policy violations, we have already discussed disciplinary actions stated in the information security and acceptable use policy. Moreover, a revision history is also mentioned illustrating the version and date. Generally, policy review must be addressed two times per year or depending on the nature of the policy.

Work Cited

Barman, S. (2001). Writing information security policies New Riders.

Computer security incident response team. (2007). Network Dictionary, , 116-116.

Compromise recovery and incident handling. (2003). Data Security Management, 26(5), 1-9.

Ilvonen, I. (2009). Information security policies in small finnish companies. Proceedings of the European Conference on Informations Warfare & Security, , 112-117.

Igli Tashi, S. G. H.Information security evaluation. A holistic approach PPUR Presses polytechniques.