Topic: Security Policy Document Project for Global Finance Incorporated
General purpose: To inform company management about the security threats that result from weak security policies, and about the policy measures needed to protect the company from future threats.
Specific objective: To develop security policies that address specific threats that the company is facing at the moment and potential threats that may emerge as the company grows and diversifies.
Thesis: As technology advances and a company grows, security threats will continually increase, but this challenge can be countered by formulating effective security policies.
I. Introduction
A. Security policies are the heart of the company's security program, because every security measure the company takes, in the short run and in the long run, derives its guidelines from the policies in place.
B. Security threats increase with technological advancement: over 90% of established companies reported having been victimized by an internet security breach at some point (RSA Security, 2000), a figure that is now dated but illustrates the trend.
C. Global Finance Inc. (GFI) has been the victim of cyber-attacks in recent years and has incurred a significant loss in revenue, amounting to $1,700,000, as well as an intangible loss of customer confidence. Since the company was featured in FORTUNE, it has experienced a significant increase in traffic from sources that remain unidentified. These events strongly indicate that new and improved security measures, such as a real-time security monitoring system, should be implemented at GFI to prevent future attacks. In tandem with this new security system comes the creation of effective security policies.
D. The formulation of effective security policies is an important step towards establishing the guidelines and security standards that govern access to corporate information and application programs.
E. The security policies listed hereafter shall be disseminated to the corresponding GFI personnel and employees immediately after the CEO's approval. Implementation and monitoring of these policies shall be under the direction of GFI's executive committee and of Computer Security Management, respectively.
II. Preview of main points
A. Guidelines for personnel security are essential to developing, documenting and successfully implementing security measures.
1. Personnel security guidelines begin with awareness training on current and emerging information technology (IT) threats and with the formulation of policies for sanctions against security violations (Washington State Department of Information Technology, 2001).
a. Employees and personnel who will have access to GFI information classified as confidential or higher shall be granted such access only after completing awareness training.
b. Employees' knowledge of information technology threats, and of ways to avoid or prevent them, shall be checked through examinations or oral interviews before and after awareness training (Defense and Public Security Technology Consulting Services, 2013).
c. Employees must pass the examinations or interviews before they can be given access to company information marked as confidential or higher (DPSTCS, 2013).
2. Contractor/employee separation and policies that regulate vendor contacts are essential to protecting the integrity of the company's information system (WSDIT, 2001).
a. Only delegated employees, such as designated representatives, shall have direct contact with vendors (Frost & Sullivan, 2008).
b. Vendor contact information shall be provided only to the delegated employees, and vendors shall be given only the contact information of those employees (Frost & Sullivan, 2008).
B. Physical security guidelines help company management in preventing physical security breaches and other potential IT security threats.
1. Physical security guidelines include location and facility layout, facility access control, physical data storage, and off-site media storage (RSA Security, 2000).
a. Employees who will use company assets such as laptops outside company premises shall first be given specific instructions on how to protect those assets when used outside, such as the use of security cables and locks for laptops and the proper way to view company information in public places.
b. Employees shall use only dedicated physical storage devices for company-related activities. Storage devices issued by the company shall not be used for personal purposes, and personal storage devices shall not be used to store company information.
c. All off-site devices shall be password-protected and, where they hold company data, encrypted.
d. Facilities that perform similar and interrelated functions shall be placed in close proximity to facilitate the transfer of information.
e. Facilities that perform different, unrelated functions shall use their own respective servers and shall be kept separate from one another as far as practicable.
2. Remote computing (including personal digital assistants and portable data storage devices) can be made more secure by policies that address suitable encryption solutions and system back-up media (WSDIT, 2001).
a. Remote access to GFI networks shall be controlled via one-time password authentication or via a public/private key system with a strong passphrase (DPSTCS, 2013).
b. Remote access shall be granted only on the following bases (DPSTCS, 2013):
i. Context-based access controls access to the GFI network according to the context of the transaction: the time of day, the strength of user authentication, the location of the user, and similar factors.
ii. Role-based access grants access to GFI's network according to the company's organizational structure and roles; parts of the network remain inaccessible to users whose role gives them no right to them. For example, HR data shall not be accessible to accounting staff.
iii. User-based access grants access according to the identity of the individual user. This differs slightly from role-based access in that the decision is based on the user's personal identity rather than on his or her role in the organization.
c. Encryption shall follow the federal government's policies. Note that the export of encryption technology from the United States is not prohibited but is regulated under federal export controls, so use of GFI encryption products abroad shall be cleared with the information security department first.
d. Proprietary (non-standard, unreviewed) encryption algorithms shall not be used under any circumstances, except those explicitly approved by the information security department.
e. Employees who will use encryption shall be made familiar with the encryption laws of the host country in which they operate, including those of the United States.
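As an added illustration of how the three bases in B.2.b combine into one access decision (this is example code written for this outline, not part of the original document or of any GFI system), the function below evaluates a remote-access request against context-based, role-based and user-based rules. The role names, network segment names, business hours, allowed countries and user exception lists are assumptions made for the example.

```python
# Added example: a minimal remote-access decision function combining the
# context-based, role-based and user-based rules from section B.2.b.
# Role names, segment names, hours, countries and the user lists below are
# assumptions made for this illustration, not GFI's real configuration.
from dataclasses import dataclass

# Role-based: which network segments each role may reach (assumed).
ROLE_SEGMENTS = {
    "hr": {"hr-net"},
    "accounting": {"finance-net"},
    "it": {"hr-net", "finance-net", "mgmt-net"},
}
# User-based: per-identity exceptions (assumed). An explicit deny always wins.
USER_ALLOW = {"rlee": {"finance-net"}}
USER_DENY = {"jdoe": {"mgmt-net"}}

# Context-based: acceptable authentication strength, hours and locations (assumed).
STRONG_AUTH = {"otp", "pubkey"}          # one-time password or key pair with passphrase
BUSINESS_HOURS = range(7, 20)            # 07:00 to 19:59 local time
ALLOWED_COUNTRIES = {"US"}


@dataclass
class Request:
    user: str
    role: str
    segment: str    # network segment the user wants to reach
    hour: int       # hour of day, 0-23
    country: str    # country code of the connecting IP address
    auth: str       # "otp", "pubkey" or "password"


def evaluate(req):
    """Return (allowed, reasons). Access is denied unless every basis passes."""
    reasons = []

    # 1. Context-based checks.
    if req.auth not in STRONG_AUTH:
        reasons.append("weak authentication")
    if req.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("unapproved location")

    # 2. Role-based check, with 3. user-based overrides layered on top.
    if req.segment in USER_DENY.get(req.user, set()):
        reasons.append("user explicitly denied")
    else:
        by_role = req.segment in ROLE_SEGMENTS.get(req.role, set())
        by_user = req.segment in USER_ALLOW.get(req.user, set())
        if not (by_role or by_user):
            reasons.append(f"role {req.role!r} has no access to {req.segment}")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests.
    for r in (
        Request("asmith", "accounting", "finance-net", 10, "US", "otp"),
        Request("asmith", "accounting", "hr-net", 10, "US", "otp"),
        Request("bkim", "hr", "hr-net", 23, "DE", "password"),
    ):
        print(r.user, r.segment, evaluate(r))
```

The design point is default deny: a request passes only when every basis passes, every failed check is recorded so the denial can be logged and audited, and a per-user deny overrides any role or user allow. The accounting-user-to-HR-data case from B.2.b.ii is the second sample request.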
C. Data security guidelines assist the management in ensuring that customer data and other confidential information is not accessible to unauthorized persons.
1. Guidelines for data security include data classification (public, confidential, highly confidential, secret), data back-up (to protect against loss of data) and data restoration (in case of a fatal attack leading to system failure) (WSDIT, 2001).
a. All information used in GFI shall be classified as public, confidential, highly confidential or secret.
b. The classification of information into these four categories shall be done by the proper authorities appointed by GFI's managers and executives (SANS, 2013).
c. GFI's public information is information to which all employees within the company have free access; they may also share it among peers and with people outside the company (SANS, 2013). Information classified as confidential may be shared only within a department, not between departments as public information can be. Which information is declared confidential shall be decided by the proper authorities (DPSTCS, 2013). Note that GFI has several departments, such as Accounting, Customer Service, Human Resources and IT.
d. Highly confidential information is information that may be accessed, distributed and exchanged only among GFI's managers and executives. The designation of which information is highly confidential shall be done by the proper authority.
e. Secret information is accessible only to the security department and the CEO.
f. GFI shall have contingency plans in case of system failures that threaten the security of client information or its loss. The contingency plan includes keeping copies of client information on portable storage devices, which shall be encrypted and stored off-site; these copies can then be used to restore client information lost to the system failure (WSDIT, 2001).
2. Methods of data transfer and storage shall be secured by encryption products covering the secure transfer of electronic files, data storage and secure e-mail delivery (Danchev, 2003).
3. Client information, such as the client's identity (name of the firm) and the nature of the services it receives from GFI, shall be known only by pseudonyms to the employees assigned to work on it. The actual meaning of these pseudonyms shall be revealed only to managers and executives and to those delegated employees who need direct contact with the client.
4. All employees, managers and executives shall report any violation of the information security policy to the appropriate authorities as soon as it is identified. The incident shall be reported through the proper channels or in person to the proper authorities.
5. Rewards and recognition shall be given to individuals who show consistent adherence to the information security policies and to those who report incidents of violation.
D. Reliable network security is essential for companies that use the internet to serve their customers.
1. Several policy guidelines are important for successful network security including network breach detection, authentication and encryption of wireless devices, and patch management (WSDIT, 2001).
a. Maintain point-to-point hardware encryption between sites. The 56-bit minimum given in the source (DPSTCS, 2013) corresponds to DES, which has been brute-forced in practice since the late 1990s; the minimum shall therefore be a current standard cipher with a key of at least 128 bits, such as AES-128.
b. The hardware (MAC) address of each device used by employees shall be registered so that the device can be tracked (DPSTCS, 2013). Because hardware addresses can be spoofed, this registration supports inventory and tracing and shall not be relied on as the sole access control.
c. Use strong user authentication, preferably multi-factor, to prevent unauthorized access to GFI systems from external networks (DPSTCS, 2013).
d. All employees are prohibited from accessing GFI networks over unsecured wireless communication mechanisms. Employees shall use only wireless systems that satisfy the criteria set by GFI's security department (SANS, 2013).
e. Each employee who wishes to access the GFI network through a wireless connection shall first obtain a waiver from the company leads (managers or executives) (SANS, 2013).
f. These policies apply to all devices used for wireless communication, including cellular phones, PDAs, personal computers and any other device capable of transmitting and receiving packet data that is connected to GFI's internal networks (DPSTCS, 2013).
g. Any employee found to violate any of these policies shall be liable to reprimand or termination of employment with GFI (SANS, 2013).
2. Guidelines for prevention of network security breach include anti-virus protection, e-mail client, and web browser security (Danchev, 2003).
a. All virus-checking systems shall first be approved by the security officers (SANS, 2013).
b. Virus-checking systems shall be deployed in a multi-layered approach (gateways, servers, desktops, etc.). This helps assure that all files are sufficiently and appropriately scanned for threats such as viruses (DPSTCS, 2013).
c. Employees shall not turn off the virus detection systems. Where this is genuinely needed, it shall be done with the assistance and under the supervision of the security officers (DPSTCS, 2013).
d. Only browsers approved by the security department shall be used by employees. These browsers shall be kept up to date with security patches, run with the security settings prescribed by the security department, and sit behind the host firewall.
e. E-mail shall not be used to send personal messages between employees, or between employees and clients or customers.
f. E-mail passwords shall comply with the password standard in section E.1 (strong passwords combining letters, numbers and symbols).
g. Employees shall use only licensed e-mail software. Free web-mail services such as Gmail or Yahoo, and social networking sites such as Facebook or Twitter, shall not be used to send messages to clients or among GFI employees.
h. Only the approved e-mail software shall be used to circulate company-related information, particularly information labeled confidential, highly confidential or secret.
i. GFI's e-mail system shall never be used to create or distribute offensive or disruptive messages, including offensive comments about race, hair color, gender, age, disabilities, sexual orientation, religious beliefs, pornography, national origin or political beliefs (SANS, 2013).
j. Regular inspections of computers shall be conducted and facilitated by the security department to identify illegally installed software or programs and unapproved communication software.
k. Only anti-virus software supported by GFI's systems shall be used.
l. Anti-virus software shall be available for download from GFI's internal software repository.
m. Always download the most current anti-virus version and run updates as soon as they are available.
n. Anyone who violates these security policies shall be liable to reprimand or termination, and to criminal prosecution if important information is proven to have been leaked intentionally.
E. Access security guidelines help organization in controlling the end user access and utilization of an organization`s application.
1. General access guidelines include the use of logon and password to regulate access of customer confidential data and information by unauthorized persons (WSDIT, 2001).
a. Logon IDs and passwords shall be classified as highly confidential. Passwords shall never be divulged to anyone, peers and IT staff included; a security manager who must restore access shall issue a new temporary password rather than ask for the existing one (DPSTCS, 2013).
b. The creation of logon IDs and passwords shall follow the password control standards. Passwords shall be changed regularly; when and how often depends on the degree of access the employee has to GFI information: the more information a user may access, the more frequently the password shall be changed (DPSTCS, 2013).
c. Passwords shall have a minimum length of six (6) characters composed of letters, numbers and symbols, with a mixture of lower-case and upper-case letters (SANS, 2013). Six characters is a low floor by current standards; NIST SP 800-63B requires at least eight characters for user-chosen passwords, so a higher minimum is recommended.
d. Passwords shall never be saved when an application offers to remember them, and shall never be recorded anywhere that other people can see and use them (DPSTCS, 2013).
e. To be easy to remember, a password may be built from a phrase meaningful to the user (DPSTCS, 2013), but it shall not be based on personal details such as names, birthdays or pet names that others could guess.
2. The general access guidelines should be supported by GFI`s monitoring software in its system.
a. System software must enforce the length and character rules for employees' passwords. It shall also prompt the user to change his or her password according to the change schedule for that user.
b. System software shall count the attempts a user makes to enter his or her password. A limit on the number of attempts shall be implemented; once the limit is exceeded, the user's account is locked.
c. System software shall maintain a list of previously used passwords and shall prevent the user from reusing them.
d. System software shall lock the session automatically when the computer is inactive.
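The following is an added example (not code from the original document or from any GFI system) of the password controls described in E.1.c, E.2.a, E.2.b and E.2.c: complexity checking, a reuse history, lockout after repeated failures and a rotation schedule that tightens with the classification level. The minimum length, history depth, attempt limit, rotation schedule and sample account are assumptions for the example.

```python
# Added example: password complexity, reuse-history and lockout controls of
# the kind section E.2 asks the system software to enforce. The limits,
# rotation schedule and sample account are assumptions for this illustration.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8        # assumed; the NIST SP 800-63B minimum for user-chosen passwords
HISTORY_SIZE = 5      # assumed number of previous passwords that may not be reused
MAX_ATTEMPTS = 5      # assumed failed logins before the account is locked
# Assumed rotation schedule in days, shorter for higher access (E.1.b).
ROTATION_DAYS = {"public": 180, "confidential": 90,
                 "highly_confidential": 60, "secret": 30}


def check_complexity(pw):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def _hash(pw, salt):
    # Slow, salted hash so the stored history cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    level: str                       # classification level the user may access
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # newest hash first
    current: bytes = None
    failures: int = 0
    locked: bool = False

    def set_password(self, pw):
        """Enforce complexity and the reuse history; return (ok, problems)."""
        problems = check_complexity(pw)
        if problems:
            return False, problems
        h = _hash(pw, self.salt)
        if any(hmac.compare_digest(h, old) for old in self.history):
            return False, ["password was used recently"]
        self.history.insert(0, h)
        del self.history[HISTORY_SIZE:]      # keep only the last HISTORY_SIZE
        self.current = h
        self.failures = 0
        return True, []

    def login(self, pw):
        """Compare in constant time; lock the account after MAX_ATTEMPTS failures."""
        if self.locked or self.current is None:
            return False
        if hmac.compare_digest(_hash(pw, self.salt), self.current):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False

    def rotation_days(self):
        """How often this account must change its password (E.1.b)."""
        return ROTATION_DAYS[self.level]


if __name__ == "__main__":
    acct = Account("asmith", "confidential")      # constructed sample account
    print(acct.set_password("short"))
    print(acct.set_password("Tr0ub4dor&3"))
    print(acct.set_password("Tr0ub4dor&3"))       # rejected: in the history
    print(acct.login("wrong"), acct.login("Tr0ub4dor&3"), acct.rotation_days())
```

Two design choices worth noting: the account keeps one salt so that history entries can be compared directly (a production system would store a salt per entry and rehash the candidate against each), and a locked account rejects even the correct password until an administrator unlocks it, which is what E.2.b asks for and also what makes the control a denial-of-service lever against named users if the attempt limit is set too low.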
3. Remote access shall be secured by proper configuration of the devices end users employ to reach the remote access system, and by following ethical standards in the use of GFI property (RSA Security, 2000).
a. Recreational internet access by immediate family members of a GFI employee, using GFI computers over the GFI network, shall be permitted only for employees whose remote connection is billed at a flat rate, and only from an account that has no access to GFI business data.
b. GFI employees shall make sure that their family members do not violate any of the company's remote access policies; that is, immediate family members shall not perform illegal activities or use GFI property, such as laptops, to conduct other business transactions.
c. The employee shall be answerable for any violation committed by his or her family member while using remote access, and shall bear the responsibility and the consequences of the violation.
d. GFI`s employees / contractors with privileges for remote access to GFI`s network shall make sure that every time he or she uses remote access that he or she is not connected to any other network at the same time.
e. Only GFI approved applications shall be used in conducting business while using remote access.
f. Personal equipment, such as a personal computer, used to gain remote access to GFI's network shall meet the minimum requirements set by GFI.
4. Security threats associated with internet-based applications (internet access) shall be addressed by determining the mandatory requirements for such applications and quantifying their potential impact (WSDIT, 2001).
a. Downloading applications from the internet that are not needed by the company, whether free or licensed, is not allowed.
b. Using internet-based applications (those that run without being downloaded, or that run within applications already installed on company computers) is not allowed.
III. Conclusion
A. Increasing IT security threats have necessitated the formulation of effective policy guidelines to safeguard the confidentiality of organizations' information against current and emerging threats.
B. Security policy guidelines help organizations respond to security threats rapidly and effectively.
C. The essential guidelines can be classified as personnel, physical, data, network and access security guidelines.
D. Improving the security department's capability to monitor the execution of the policies will greatly improve the ability of GFI's systems to avoid being hacked or infected by viruses.
Danchev, D. (2003). Building and implementing a successful information security policy. Mahe: Internet Software Marketing Limited.
Defense and Public Safety Technology Consulting Service, DPSTCS (2013). `Security Policies` CPCS Technologies [online]. Available at:
Frost & Sullivan (2008). A More Secure Approach to Dynamic Web Threats. CA: Frost & Sullivan.
RSA Security (2000). A guide to security policy: A primer for developing an effective policy. Keon: RSA Security.
SANS. (2013). `Information Security Policy Templates`, Sans.org [online]. Available at: < http://www.sans.org/security-resources/policies/> [Accessed 5 October 2013].
Washington State Department of Information Technology (2001). Information technology security guidelines. Washington DC: Washington State Department of Information Technology.