Running head: A SUCCESSFUL IT SECURITY POLICY 1
A Successful IT Security Policy
April 19th
2014
ISSC481- Planning & Policy
John Intindolo
American Public University
Information technology security policies are used to protect the information an organization processes.
Without the proper protections in place, that information may be lost, altered, or stolen. The protection
of organizational data is so vital to a business's health that without it (through the use of IT security
policies) the entire organization could crumble. So how does one successfully implement security
policies? There is a process for information systems security professionals (those tasked with protecting
an organization's assets) that begins with understanding exactly what IT security policies are. From there
it is important to identify why IT security policies matter, followed by the challenges within the seven
domains of a typical IT infrastructure, issues that may arise during implementation, creating a policy, and
last (but certainly not least) maintaining the policy. Together these steps show how to successfully
implement an IT security policy for an organization.
So what exactly are IT security policies? An IT security policy is an ever-changing, written document
that states the requirements for protecting an organization's IT assets. The term ever-changing reflects
the fact that an IT security policy is never finalized; the document must be continuously updated to keep
pace with changes in technology and, when necessary, changes in employee requirements. The policy
essentially expresses the security culture of an organization. It lets everyone within the organization
know, from the CEO down to the mailroom clerk, how organizational data is going to be secured.
Furthermore, security policies not only detail how data is to be secured, but they also strengthen the
organization's ability to safeguard its information assets while still giving employees the access they
need. What is the importance of IT security policies?
IT security policies are important to an organization's vitality because they set the controls that keep
data secure. Whether that data sits in backups or travels across the organization's network, consistently
implemented policies greatly reduce the chance that it is exposed. External threats such as malware on
the Internet are one concern, but what about a disgruntled employee who has authorized access to
important information? To guard against an insider threat, policies require that authorized personnel's
activities be logged and monitored, so that anyone carrying out a transgression can be discovered before
the situation escalates. Another important role that security policies play is with change: not change in
itself, but rather controlling how the organization's IT infrastructure is altered. What are some policies
that help ensure the organization's success?
Certain policies not only protect the organization but also help it thrive. Every company wants to know
the costs involved in any implementation, so a policy that reduces cost or time becomes a key component
of the organization prospering. For example, risk assessment costs money, and that cost may be reduced
by providing controls and procedures to manage the risk, which also enables change to be performed in a
controlled manner (Johnson, 2010, p. 16). Incident response is another policy that supports operational
success, because an incident response plan lets everyone know their role in the event of an attack. This
avoids confusion and downtime, which in turn saves the company money that can be allocated to other
resources within the organization.
Without policies in place the organization becomes chaotic. Flying by the seat of your pants is no way to
run a successful organization, and that is exactly what happens when an organization does not implement
IT security policies. People begin to do what they believe to be right, but such decisions may cost the
company money (if the decision is wrong) or upset the organization's customers. Policies ensure that the
business runs smoothly and provide a set of guidelines, a "connect the dots" path for employees to follow.
If the policies are not followed, chaos can occur, and if there are no policies, there is no uniform method
for employees to follow. In the event of a network intrusion, for instance, an attacker could gain access to
far more IT resources and data in an organization without an incident response plan than in one that has
implemented one.
A typical IT infrastructure has seven domains: User, Workstation, LAN, LAN-to-WAN, WAN, Remote
Access, and System/Application ("Fundamentals of," 2012). For each of the seven domains there are
policies that either protect the domain or control change within it. In the User Domain there are several
policies for handling the challenges associated with users. An example is an acceptable use policy, which
defines what a user may do with a company workstation and how. The Workstation Domain covers the
computers, and even the smartphones, on the network; here the controls within the workstation itself are
defined. The important step is to place access controls on users to prevent the inadvertent download of
malicious software, and to detect it when prevention fails. One measure is to install a tool such as the
TriGeo Security Information Manager (SIM). SIM provides a thorough view into network events and
system logs and integrates log management and event correlation with added features such as an onboard
intrusion detection system and immediate active response to possible threats or suspicious activity
("Security Information," 2010).
The LAN Domain refers to every piece of equipment that makes up the company's LAN. Limiting which
computers can communicate with each other, and how, is a good way to contain an intrusion on the
network. This is known as segmenting the network; it makes the various levels of trust explicit and "also
facilitates identifying the variations in risk related to different classes of computer systems and mitigating
these risks through technical measures" (Malin, 2007, p. 48). Another policy in this domain is an
Acceptable Internet Use Policy (AIUP). An AIUP is used to stop Internet misuse in the workplace,
including accessing sites unrelated to work, email abuse, online chatting, gaming, and overuse of the
Internet, otherwise known as cyberslacking (Siau, Nah, & Teng, 2002, p. 76).
The LAN-to-WAN Domain is where the organization connects its LAN to a WAN such as the Internet.
This is dangerous because the Internet is open to the public and unsecured. A properly designed
demilitarized zone (DMZ) mitigates this exposure by placing publicly reachable servers in a separate
segment, so that a compromise of one of them does not give direct access to internal hosts; it also helps
protect internal resources from an internal attack when data is transmitted between hosts on the network.
In fact, according to Shimonski, "Much of the risk of data loss, corruption, and breach actually exists
inside the network perimeter" (2003, p. 25). Security policies provide guidelines on how the DMZ servers
are configured as well as when security patches are applied.
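The segmentation policy described for the LAN Domain and the DMZ placement described for the LAN-to-WAN Domain both come down to one written rule set: which zones may talk to which, on which ports, with everything else denied. The following Python script is an added example, not code from the paper or from any of its cited sources; it expresses such a rule set as a table and checks constructed connection records against it, flagging flows that bypass the DMZ or cross trust levels the policy does not permit. The zone names, address ranges, allowed flows, and sample records are all assumptions made for the illustration.

```python
"""Checking observed connections against a zone segmentation policy.

Added illustration, not code from the paper. The zone names, address
ranges, allowed flows and the sample connection records below are all
constructed for the example; a real deployment would derive them from the
organization's own segmentation and DMZ policy.
"""
import ipaddress

# Hypothetical trust zones. Any address outside these ranges is treated as
# the untrusted Internet.
ZONES = {
    "USER_LAN": ipaddress.ip_network("10.10.0.0/16"),   # workstations
    "DMZ":      ipaddress.ip_network("192.0.2.0/24"),   # public-facing servers
    "INTERNAL": ipaddress.ip_network("10.20.0.0/16"),   # databases, file servers
}

# Hypothetical policy: (source zone, destination zone) -> permitted TCP ports.
# None means any port. Pairs not listed are denied, including
# INTERNET -> INTERNAL and USER_LAN -> INTERNAL, so every path into the
# internal segment must pass through the DMZ tier.
ALLOWED = {
    ("USER_LAN", "DMZ"):      {80, 443},
    ("USER_LAN", "INTERNET"): {80, 443},
    ("INTERNET", "DMZ"):      {80, 443},
    ("DMZ", "INTERNAL"):      {5432},   # web tier to the database, nothing else
    ("INTERNAL", "INTERNAL"): None,
}


def zone_of(ip):
    """Map an address to its zone; unknown addresses are untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def is_allowed(src, dst, port):
    """Default deny: a flow passes only if its zone pair lists the port."""
    ports = ALLOWED.get((zone_of(src), zone_of(dst)), set())
    return ports is None or port in ports


def parse_flow(line):
    """Constructed record format: '<src-ip> <dst-ip> <dst-port>'."""
    src, dst, port = line.split()
    return src, dst, int(port)


def find_violations(lines):
    """Return (src, dst, port, src_zone, dst_zone) for each denied flow."""
    violations = []
    for line in lines:
        src, dst, port = parse_flow(line)
        if not is_allowed(src, dst, port):
            violations.append((src, dst, port, zone_of(src), zone_of(dst)))
    return violations


# Constructed sample connection records, not real traffic.
SAMPLE_FLOWS = [
    "10.10.4.7 192.0.2.10 443",     # workstation to DMZ web server: allowed
    "10.10.4.7 10.20.1.5 3389",     # workstation straight to internal host: denied
    "203.0.113.9 192.0.2.10 80",    # Internet to DMZ web server: allowed
    "203.0.113.9 10.20.1.5 5432",   # Internet directly to the database: denied
    "192.0.2.10 10.20.1.5 5432",    # DMZ web tier to the database: allowed
    "192.0.2.10 10.20.1.5 22",      # DMZ host pivoting inward over SSH: denied
    "10.20.1.5 10.20.1.6 9999",     # internal to internal: allowed
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("policy violation: %s -> %s:%d (%s -> %s)" % v)
```

Run against the sample records, the script reports the three flows that bypass the policy: a workstation reaching an internal server directly, an Internet host reaching the database directly, and a DMZ host opening SSH into the internal segment. The same table can be compiled into firewall rules, and feeding it real flow logs gives the monitoring of internal activity the paper calls for, since the violations it flags are exactly the paths a compromised or misused host would take.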
In the WAN Domain the challenge for businesses is to keep communication secure when connecting
multiple office locations. The commonly used mitigation is a virtual private network, or VPN. As Johnson
states, "By setting up network devices at both offices, you can create an encrypted tunnel through the
Internet" (2010, p. 73). This works well for large businesses with multiple locations, for salespeople who
are constantly on the road, and for those who work from home. The Remote Access Domain has all the
issues of the User Domain with the additional requirement of remote authentication, as well as network
connectivity problems. Multi-factor authentication is a good mitigation for the former, as is a VPN to
encrypt the connection between the remote user's workstation and the corporate network. The
System/Application Domain encompasses all system and application software issues. Security policies
here define a program intended to reduce the likelihood of data loss, whether accidental or malicious.
So what stands in the way of implementing a successful IT security policy? Several things can hinder a
security policy's implementation. One is the human element. If everyone within the organization is on
board and content, there will be no problem with employees following the security policy. But what if
some employees are unmotivated? This could be for a variety of reasons, which is why it is important that
managers find a way to motivate the people who work for them. There are several ways to motivate
people, including performance-based bonuses (after all, most people are motivated by money), pushing
them to strive for success, or something as simple as thanking them for their hard work and dedication.
Sometimes just letting employees know that you see and appreciate their efforts goes a long way toward
keeping them performing at a high level. Another key issue is accountability. If someone makes a mistake
that causes a serious problem within the organization, they must own up to it and be held accountable for
their actions. Without accountability the security policy will not succeed.
The next step in the process is to create the IT security policy. When a security policy is created it must
first state its purpose and mission, which may include preserving the confidentiality, integrity, and
availability (CIA) of information. The next portion is the scope, which details the extent of the policy:
which systems, data, and people it covers. This is also where responsibilities are assigned to personnel so
that the policy can be implemented. The compliance section explains in detail the guidelines everyone
must adhere to, and it should list the disciplinary actions that follow if an employee does not comply with
the policy rules. Maintaining a security policy is a never-ending process because the policy must change
and be updated as the technology does. Additionally, policies need to change when the requirements of
the employees change.
To summarize, IT security policies are vital to the health of an organization in that they protect IT assets
from both internal and external threats. Without a policy, employees may not know what is or is not
acceptable, which is a recipe for disaster. For a policy to succeed, the ISS team (designated to protect
assets) must follow a process with the following steps: understanding IT security policies, understanding
the importance of the policy, understanding the challenges within the seven domains of IT, addressing
implementation issues, creating the policy, and finally maintaining the policy. Through this process an
organization can rest assured that it is taking reasonable measures to ensure the safety of its IT assets,
and therefore of the business itself.
References
Fundamentals of information systems security [PowerPoint slides]. (2012). Retrieved from
http://www.ccahs.net/Fundamentals.U1.pdf
Johnson, R. (2010). Security policies and implementation issues. Jones & Bartlett. ISBN 0763791326
Malin, A. (2007). Designing networks that enforce information security policies. Information Systems
Security, 16(1), 47-53. doi:10.1080/10658980601051490
Security Information Manager (SIM). (2010). SC Magazine: For IT Security Professionals (15476693),
21(8), 47.
Shimonski, R. (2003). Building DMZs for enterprise networks. Rockland, MA: Syngress Publishing.
Siau, K., Nah, F., & Teng, L. (2002). Acceptable Internet use policy. Communications of the ACM, 45(1),
75-79.

Attack_Project_Presentation_ISSC461_IntindoloAttack_Project_Presentation_ISSC461_Intindolo
Attack_Project_Presentation_ISSC461_Intindolo
 
ISSC471_Final_Project_Paper_John_Intindolo
ISSC471_Final_Project_Paper_John_IntindoloISSC471_Final_Project_Paper_John_Intindolo
ISSC471_Final_Project_Paper_John_Intindolo
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_Intindolo
 
Project_Paper_ISSC455_Intindolo
Project_Paper_ISSC455_IntindoloProject_Paper_ISSC455_Intindolo
Project_Paper_ISSC455_Intindolo
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
 
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloWk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
 
ISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_Intindolo
 
ISSC490_Project_John_Intindolo
ISSC490_Project_John_IntindoloISSC490_Project_John_Intindolo
ISSC490_Project_John_Intindolo
 
Project_Presentation_ISSC361_Intindolo
Project_Presentation_ISSC361_IntindoloProject_Presentation_ISSC361_Intindolo
Project_Presentation_ISSC361_Intindolo
 

A Successful IT Security Policy

Running head: A SUCCESSFUL IT SECURITY POLICY

A Successful IT Security Policy
April 19th 2014
ISSC481 - Planning & Policy
John Intindolo
American Public University

Information Technology security policies are used to protect information that is processed by an organization. Without the proper protections in place, that information may be lost, altered, or stolen. The protection of organizational data is so vital to a business's health that without protection (through the use of IT security policies) the entire organization could crumble. So how does one successfully implement security policies? There is a process for successful implementation that information systems security professionals (tasked with protecting an organization's assets) can follow. It begins with understanding exactly what IT security policies are. From there it is important to identify why IT security policies are of such importance, followed by the challenges within the seven domains of a typical IT infrastructure, issues that may arise with implementation, creating a policy, and last (but certainly not least) maintaining the policy. Together these steps show how to successfully implement an IT security policy for an organization.

So what exactly are IT security policies? An IT security policy is an ever-changing, written document which explains the requirements necessary to protect an organization's IT assets. The term ever-changing reflects the fact that an IT security policy is never finalized. Instead, the document must be continuously updated to keep up with changes in technology, as well as changes in employee requirements when necessary. The policy essentially expresses the culture of an organization. It lets everyone within the organization know, from the CEO down to the mailroom clerk, how organizational data is going to be secured. Furthermore, security policies not only detail how the data is going to be secured, but they also strengthen the organization's ability to safeguard its information assets while at the same time giving employees secure access as needed.
What is the importance of IT security policies? IT security policies are important to an organization's vitality because they enable data to remain secure at all times. Whether that data is in the form of backups or data that travels across the organization's network, one thing is certain: if security policies are implemented successfully, then the data is protected consistently rather than by chance. That is fine when speaking of external threats such as malware attacks from the Internet, but what about a disgruntled employee who has authorized access to important information? To safeguard against an insider threat, policies require that authorized personnel's activities be monitored. This way, if someone is carrying out any form of transgression, they can be discovered before the situation escalates further. Another important role that security policies play is with change. Not change in itself, but rather controlling how things are altered within the organization's IT infrastructure. What are some policies that help to ensure the organization's success? Certain policies not only protect the organization, but can also help the company thrive. Every company wants to know the costs involved with any implementation, so if a policy is able to minimize costs or time, it becomes a key component of the organization prospering. For example, risk assessments cost money, and that cost may be reduced by providing controls and procedures to manage the risk, which also enables change to be performed in a controlled manner (Johnson, 2010, p. 16). Incident response is another policy which supports operational success, because an incident response plan lets everyone know their role in the event of an attack. This avoids confusion and downtime, which in turn saves the company money that could be allocated to other resources within the organization. Without policies in place the organization would become chaotic. Flying by the seat of your pants is no way to run a successful organization, and that is exactly what is happening when an organization does not implement IT security policies.
People begin to do things that they believe to be right, but making these types of decisions may cost the company money (if it is the wrong decision) or upset the organization's customers (again, if the wrong decision is made). Policies ensure that the business runs smoothly and provide a list of guidelines, a "connect the dots" setting, for employees to follow. Again, if the policies are not followed, chaos can occur. If there are no policies, then there is no uniform method for employees to follow. In the event of a network intrusion, for instance, an attacker could gain access to far more IT resources and data in an organization with no incident response plan than in one that has implemented one.

A typical IT infrastructure has seven domains: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application ("Fundamentals of," 2012). For each of the seven domains there are policies that either protect the domain or control change within it. In the User Domain there are several policies that can be used to handle the challenges associated with users. An example of this type of policy is an acceptable use policy, which defines what a user may use a company workstation for and how. The Workstation Domain refers to the computers, or even smartphones, on the network. In this domain the controls within the workstation itself are defined. The important step here is to place access controls on users to prevent an inadvertent download of malicious software. One security measure is to install a tool such as the TriGeo Security Information Manager (SIM). SIM provides a thorough view into network events and system logs, and integrates log management and event correlation with added features such as an onboard intrusion detection system and immediate active response to possible threats or suspicious activity ("Security Information," 2010). The LAN Domain refers to every piece of equipment that makes up the company's LAN. Limiting how and which computers are able to communicate with each other is a good way to limit the reach of an intrusion on the network.
This is known as segmenting a network, which makes the various levels of trust explicit and "also facilitates identifying the variations in risk related to different classes of computer systems and mitigating these risks through technical measures" (Malin, 2007, p. 48). Another policy example relevant here is an Acceptable Internet Use Policy (AIUP). An AIUP is used to stop Internet misuse in the workplace, including accessing sites unrelated to work, email abuse, online chatting, gaming, and overuse of the Internet otherwise known as cyberslacking (Siau, Nah, & Teng, 2002, p. 76). The LAN-to-WAN Domain is where the organization connects its LAN to a WAN such as the Internet. This is dangerous because the Internet is available to anyone and is untrusted. A properly designed demilitarized zone (DMZ) addresses this issue, as well as the issue of protecting internal resources from an internal attack when data is transmitted between hosts on the network. In fact, according to Shimonski, "Much of the risk of data loss, corruption, and breach actually exists inside the network perimeter" (2003, p. 25). Security policies provide guidelines on how DMZ servers are configured as well as when security patches will be applied. In the WAN Domain the challenge for businesses is to keep communication secure when connecting multiple office locations. The commonly used mitigation for this issue is a virtual private network (VPN). As Johnson states, "By setting up network devices at both offices, you can create an encrypted tunnel through the Internet" (2010, p. 73). This works well for large businesses that have multiple locations, for salespeople who are constantly on the road, or even for those who work from home. The Remote Access Domain has all of the issues of the User Domain with the additional requirement of remote authentication, as well as network connectivity problems to deal with. Multi-factor authentication is a good mitigation for this, as is using a VPN to encrypt the tunnel between the remote user's workstation and the organization's network. The System/Application Domain encompasses all system and application software issues. Security policies here define a program intended to reduce the likelihood of data loss, whether accidental or malicious.

So what stands in the way of implementing a successful IT security policy? There are several things that can hinder the success of a security policy's implementation. One is the human element. If everyone within the organization is on board and happy, then there will be no problem with employees following the security policy. However, what if some employees are unmotivated? This could be for a variety of reasons, which is why it is important that managers find a way to motivate the people who work for them. There are several ways to motivate people, including performance-based bonuses (after all, most people are motivated by money), pushing them to strive for success, or even something as simple as thanking them for their hard work and dedication. Sometimes just letting employees know that you see their efforts and appreciate them can go a long way and motivate them to continue to perform at a high level. Another key issue is accountability. If someone makes a mistake that causes a major problem within the organization, they must own up to that mistake and be held accountable for their actions. Without accountability, the security policy will not succeed.

The next step in the process is to create the IT security policy. When a security policy is created it must first state its purpose and mission. This may include keeping the CIA principles of security (confidentiality, integrity, and availability) intact. The next portion of the policy is the scope, which thoroughly details the extent of the policy. This is also where responsibilities are assigned to personnel so that the policy can be implemented.
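Several of the domain controls discussed above (traffic from the Internet terminating in the DMZ rather than reaching the LAN directly, a defined patch schedule, an encrypted tunnel between offices, and multi-factor authentication plus a VPN for remote users) can be written down as rules a script checks against an inventory, which is one way to tell whether a written policy is actually being followed. The following is an added example, not code from the paper: the segment names, trust levels, the 30-day patch window, and the host, flow, session and link inventories are all assumptions constructed for the example.

```python
"""Audit a constructed network inventory against written policy rules.

Added example (not from the paper). It turns four of the seven-domain
controls into checks: LAN-to-WAN segmentation, System/Application patching,
Remote Access (VPN + MFA) and WAN (encrypted office-to-office tunnel).
All names, trust levels, dates and the 30-day window are assumptions.
"""
from datetime import date

TRUST = {"internet": 0, "dmz": 1, "lan": 2}   # higher number = more trusted
MAX_PATCH_AGE_DAYS = 30                      # assumed policy: patch within 30 days
TODAY = date(2014, 4, 19)                    # fixed "now" so results are repeatable

HOSTS = {  # constructed inventory
    "web1": {"segment": "dmz", "last_patched": date(2014, 4, 1)},
    "web2": {"segment": "dmz", "last_patched": date(2014, 2, 10)},
    "db1": {"segment": "lan", "last_patched": date(2014, 4, 10)},
    "ws-42": {"segment": "lan", "last_patched": date(2014, 4, 15)},
}
FLOWS = [  # (source, destination, port); "internet" is a pseudo-host
    ("internet", "web1", 443),
    ("internet", "db1", 3306),
    ("web1", "db1", 3306),
    ("ws-42", "internet", 443),
]
REMOTE_SESSIONS = [  # constructed remote-access sessions
    {"user": "alice", "vpn": True, "mfa": True},
    {"user": "dave", "vpn": True, "mfa": False},
    {"user": "erin", "vpn": False, "mfa": True},
]
WAN_LINKS = [  # constructed office-to-office links
    {"from": "hq", "to": "branch-1", "encrypted_tunnel": True},
    {"from": "hq", "to": "branch-2", "encrypted_tunnel": False},
]


def trust_of(name, hosts=HOSTS):
    """Trust level of a host, or of the 'internet' pseudo-host."""
    if name == "internet":
        return TRUST["internet"]
    return TRUST[hosts[name]["segment"]]


def check_segmentation(flows=FLOWS, hosts=HOSTS):
    """LAN-to-WAN: a flow may climb at most one trust tier, so Internet traffic
    must terminate in the DMZ and never reach the LAN directly. Flows toward
    lower trust (e.g. a workstation browsing out) are not restricted here."""
    violations = []
    for src, dst, port in flows:
        if trust_of(dst, hosts) - trust_of(src, hosts) > 1:
            violations.append(("LAN-to-WAN", f"{src}->{dst}:{port}",
                               "skips a trust tier; must terminate in the DMZ"))
    return violations


def check_patching(hosts=HOSTS, today=TODAY):
    """System/Application: every host patched within the policy window."""
    violations = []
    for name, info in hosts.items():
        age = (today - info["last_patched"]).days
        if age > MAX_PATCH_AGE_DAYS:
            violations.append(("System/Application", name,
                               f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})"))
    return violations


def check_remote_access(sessions=REMOTE_SESSIONS):
    """Remote Access: both a VPN tunnel and multi-factor authentication are required."""
    violations = []
    for s in sessions:
        missing = [control for control in ("vpn", "mfa") if not s[control]]
        if missing:
            violations.append(("Remote Access", s["user"], "missing " + ", ".join(missing)))
    return violations


def check_wan_links(links=WAN_LINKS):
    """WAN: office-to-office traffic crosses the Internet only inside an encrypted tunnel."""
    return [("WAN", f"{link['from']}->{link['to']}", "no encrypted tunnel")
            for link in links if not link["encrypted_tunnel"]]


def audit():
    """Run every check and return the combined list of (domain, subject, reason)."""
    return (check_segmentation() + check_patching()
            + check_remote_access() + check_wan_links())


if __name__ == "__main__":
    for domain, subject, reason in audit():
        print(f"[{domain}] {subject}: {reason}")
```

Against the constructed inventory the audit reports five violations: the Internet-to-db1 flow that bypasses the DMZ, the stale DMZ server web2, dave's session without MFA, erin's session outside the VPN, and the unencrypted link to branch-2. The point of writing the checks this way is that the policy text and the check share the same numbers (the 30-day window, the trust tiers), so when the policy is revised the check is revised with it, which is what the paper means by a policy that is never finalized.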
The compliance section of the policy explains in detail the guidelines everyone must adhere to. It should also list the disciplinary actions that will follow if an employee does not comply with the policy rules. Maintaining a security policy is a never-ending process, because the policy needs to change and be updated as the technology does. Additionally, policies need to change when the requirements of the employees change.

To summarize, IT security policies are vital to the health of an organization in that they protect IT assets from both internal and external threats. Without a policy, employees may not be aware of what is or is not acceptable, which could be a recipe for disaster. In order for a policy to be successful, there must be a process that the ISS team (designated to protect assets) follows, involving the following steps: understanding IT security policies, the importance of the policy, the challenges within the seven domains of IT, implementation issues, creating a policy, and finally maintaining the policy. Through this process an organization can sleep soundly knowing that it is taking every reasonable measure to ensure the safety of its IT assets, and therefore the business itself.
References

Fundamentals of information systems security [PowerPoint slides]. (2012). Retrieved from http://www.ccahs.net/Fundamentals.U1.pdf
Johnson, R. (2010). Security Policies and Implementation Issues. Jones & Bartlett. ISBN 0763791326.
Malin, A. (2007). Designing Networks that Enforce Information Security Policies. Information Systems Security, 16(1), 47-53. doi:10.1080/10658980601051490
Security Information Manager (SIM). (2010). SC Magazine: For IT Security Professionals (ISSN 15476693), 21(8), 47.
Shimonski, R. (2003). Building DMZs for Enterprise Networks. Rockland, MA: Syngress Publishing.
Siau, K., Nah, F., & Teng, L. (2002). Acceptable Internet Use Policy. Communications of the ACM, 45(1), 75-79.