...WATERWORLD WATERPARKS Information Security Policy Version 1.0 Revision 191 Approved by John Smothson Published DATE March 23, 2011 CONFIDENTIAL/SENSITIVE INFORMATION This document is the property of WATERWORLD WATERPARKS. It contains information that is proprietary, confidential, sensitive or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to WATERWORLD WATERPARKS, Attention: IT Director. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of WATERWORLD WATERPARKS Executive Management. Revision History Changes | Approved By | Date | Initial Publication | John Smothson | 3-23-2011 | Table of Contents 1 Introduction and Scope 8 1.1 Introduction 8 1.2 Payment Card Industry (PCI) Compliance 8 1.3 Scope of Compliance 8 2 Policy Roles and Responsibilities 10 2.1 Policy Applicability 10 2.2 Information Technology Manager 10 2.3 Information Technology Department 11 2.4 System Administrators 12 2.5 Users – Employees, Contractors, and Vendors 12 2.6 Human Resource Responsibilities 12 2.6.1 Information Security Policy Distribution 13 2.6.2 Information Security Awareness Training 13 2.6.3 Background Checks 13 3 IT Change Control Policy 15 3.1 Policy Applicability and Overview 15 3.2 Change Request Submittal...
Words: 28277 - Pages: 114
... Information Security Policy Student Name: Brice Washington Axia College IT/244 Intro to IT Security Instructor’s Name: Professor Smith Date: 11/7/2011 Table of Contents 1. Executive Summary 1 2. Introduction 1 3. Disaster Recovery Plan 1 3.1. Key elements of the Disaster Recovery Plan 1 3.2. Disaster Recovery Test Plan 1 4. Physical Security Policy 1 4.1. Security of the facilities 1 4.1.1. Physical entry controls 1 4.1.2. Security offices, rooms and facilities 1 4.1.3. Isolated delivery and loading areas 2 4.2. Security of the information systems 2 4.2.1. Workplace protection 2 4.2.2. Unused ports and cabling 2 4.2.3. Network/server equipment 2 4.2.4. Equipment maintenance 2 4.2.5. Security of laptops/roaming equipment 2 5. Access Control Policy 2 6. Network Security Policy 3 7. References 3 Executive Summary Due in Week Nine: Write 3 to 4 paragraphs giving a bottom-line summary of the specific measurable goals and objectives of the security plan, which can be implemented to define optimal security architecture for the selected business scenario. With advancements in technology there is a need to constantly protect one’s investments and assets. This is true for any aspect of life. Bloom Design is growing and with that growth we must always be sure to stay on top of protecting ourselves with proper security. For Bloom Design...
Words: 4226 - Pages: 17
...Introduction Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has...
Words: 6195 - Pages: 25
...1. Executive Summary 2 2. Introduction 3 2.1 Company Overview 3 2.2 Security Policy Overview 4 2.3 Security policy goals 4 2.3.1 Confidentiality 4 2.3.2 Integrity 5 2.3.3 Availability 5 3. Disaster Recovery Plan 6 3.1 Risk Assessment 6 3.1.1 Critical Business Processes 7 3.1.2 Internal, external, and environmental risks 7 3.2 Disaster Recovery Strategy 8 3.3 Disaster Recovery Test Plan 8 3.3.1 Walk-throughs 8 3.3.2 Simulations 9 3.3.3 Checklists 9 3.3.4 Parallel testing 9 3.3.5 Full interruption 9 4. Physical Security Policy 10 4.1 Security of the building facilities 10 4.1.1 Physical entry control 10 4.1.2 Security offices, rooms and facilities 11 4.1.3 Isolated delivery and loading areas 12 4.2 Security of the information systems 12 4.2.1 Workplace protections 12 4.2.2 Unused ports and cabling 13 4.2.3 Network/server equipment 13 4.2.4 Equipment maintenance 13 4.2.5 Security of laptops/roaming equipment 13 5. References 14 Executive Summary The objective of this proposal is to present the information security policy created for Bloom Design Group. The issue of a company’s network security continues to be crucial because the results of data loss or significant system failure can be disastrous for a company. An alarming number of companies fail to realize how vulnerable their network is to internal, external, and environmental risks. One of the top priorities of an organization should be maintaining...
Words: 3568 - Pages: 15
...Insurance Information Security Policy Review In an effort to ensure Heart-Healthy Insurance’s Information Security Policy is up to date, complies with current regulatory requirements, takes advantage of industry standards, utilizes recognized frameworks, is relevant, and meets the requirements of all relevant regulations and standards, a review of the current Information Security Policy has been performed. The following recommendations on how users are provided access to the information systems used by Heart-Healthy Insurance and the password requirements for each system will ensure that the company’s policy is in compliance with all relevant federal regulations and industry standards. As an insurance company, Heart-Healthy Insurance works with and stores personal health information, financial information, and credit card information of clients and business partners. Data of this type is required to be protected by the United States Federal Government under several privacy acts. Heart-Healthy Insurance must also be Payment Card Industry Data Security Standard (PCI-DSS) compliant due to the fact the company takes credit cards to pay for premiums and deductibles. Below is information on each privacy act and security standard that Heart-Healthy Insurance must be in compliance with. The Payment Card Industry Data Security Standard (PCI-DSS) The Payment Card Industry Data Security Standard (PCI-DSS) was developed “to encourage and enhance cardholder data security and facilitate...
Words: 1355 - Pages: 6
...Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 MICROS Systems, Inc. Enterprise Information Security Policy Version 8.0 Public Table of Contents Overview – Enterprise Information Security Policy/Standards: I. Information Security Policy/Standards – Preface 5 I.1 Purpose 5 I.2 Security Policy Architecture 6 I.3 Relation to MICROS Systems, Inc. Policies 6 I.4 Interpretation 7 I.5 Violations 7 I.6 Enforcement 7 I.7 Ownership 7 I.8 Revisions 7 II. Information Security Policy - Statement 8 MICROS Enterprise Information Security Policy (MEIP): 1. Information Security Organization Policy (MEIP-001) 9 2. Access Management Policy (MEIP-002) 10 3. Systems Security Policy (MEIP-003) 11 4. Network Security Policy (MEIP-004) 12 5. Application Security Policy (MEIP-005) 13 6. Data Security/Management Policy (MEIP-006) 14-15 7. Security Incident Handling Policy (MEIP-007)...
Words: 4971 - Pages: 20
...Introduction to Policy Augmentation Process Because both HIPAA and HITECH are non-prescriptive security frameworks, the HITRUST Common Security Framework (CSF) was leveraged to augment the Heart-Healthy Insurance Information Security Policy. Moreover, HITRUST CSF was chosen because it maps to various other information security frameworks applicable to Heart-Healthy Insurance Company (i.e. HIPAA, HITECH, PCI, ISO 27000-series, etc.). Furthermore, the CSF compliance worksheet is an intelligent tool that allows for control mapping to the aforesaid security frameworks based on the scope of assessment (i.e. type of organization, number of insured members, number of system users, number of transactions, etc.). New-User Policy Augmentation Using the aforesaid CSF-based logic, the following security controls are applicable to the new user protocols of Heart-Healthy Insurance's overarching security policy: • Heart-Healthy users will be granted access to the system on a need-to-know basis and on the principle of least privilege. • Users will be given access rights based on their job roles and responsibilities as well. • Common job roles will be defined in order to receive standard user access; critical and non-critical access rights will be removed within 24 hours after a user has changed roles or has left the company. • All Heart-Healthy employees requesting remote access or dial-in services must sign the acknowledgement of understanding and accept the use policy and rules of behavior...
Words: 524 - Pages: 3
...On The Development of Comprehensive Information Security Policies for Organizations The article selected for review is titled, “On the Development of Comprehensive Information Security Policies for Organizations.” The article is from the International Journal of Academic Research; the authors are Fahad T. Bin Muhaya, Fazl-e-Hadi, and Abid Ali Minhas. The article offers guidelines on the development of information security policies for organizations based on a proposed framework. The introduction of the article emphasizes the importance of protecting information, “Information security failures have gradually damage many progressing organizations; ruining its repute, reducing customer trust and ultimately lose its market share.” I believe this is a very strong introductory statement. The introduction of the article also implies that a new form of terroristic attacks may come from breaching organizations and accessing sensitive information. The authors further suggest that information security comprises three elements, which are human, organizational, and technological vulnerabilities. The article's objective is clearly stated as a tool on how to develop or improve information security. The development approach when viewing an organizational structure is defined in the article as threats versus defense. The article identifies security policy issues at the environment, application, cryptography, network, and physical layers. This is a simple definition but I feel that viewing...
Words: 565 - Pages: 3
...6 May 2011 Heart-Health Insurance Information Security Policy Proposal A review of the current New Users and Password Requirements policies and the proposed changes to these policies with justifications are listed below. Current Policies: New Users “New Users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” Current Policies: Password Requirements “Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.” A: Revised Policies: New Users “New Users are assigned appropriate access based on their role within the organization and their need to access specific data and/or data stores. The user and supervisor must submit a signed request and indicate which systems (Roles) the new user will need access to and what level of access will be required. To grant administrator level access an additional signature from a manager is required. New Users are required training on workforce awareness, password management...
Words: 1042 - Pages: 5
...Axia College Material Information Security Policy Axia College IT/244 Intro to IT Security Dr. Jimmie Flores April 10, 2011 Table of Contents 1. Executive Summary 1 2. Introduction 1 3. Disaster Recovery Plan 1 3.1. Key elements of the Disaster Recovery Plan 1 3.2. Disaster Recovery Test Plan 1 4. Physical Security Policy 1 4.1. Security of the facilities 1 4.1.1. Physical entry controls 1 4.1.2. Security offices, rooms and facilities 1 4.1.3. Isolated delivery and loading areas 2 4.2. Security of the information systems 2 4.2.1. Workplace protection 2 4.2.2. Unused ports and cabling 2 4.2.3. Network/server equipment 2 4.2.4. Equipment maintenance 2 4.2.5. Security of laptops/roaming equipment 2 5. Access Control Policy 2 6. Network Security Policy 3 7. References 3 Executive Summary There are several threats to the security of networks and data. While there is no definite way to prevent all of the incidents that can befall a network, by developing a proactive security plan that encompasses many of the known threats, data loss and corruption can be minimized. Sunica obtains different levels of customer information and records large amounts of financial information on their network. The best way to prevent the loss...
Words: 4350 - Pages: 18
...identical, deduplication technology can produce a backup that is scaled down in size, making it more manageable in terms of time and resources as well as in terms of physical media such as disk or tape space. Deduplication technology can be implemented at the network level and consist of only local operations, or it can also be integrated into cloud based technologies that take advantage of economies of scale through the use of remote and managed services. Deduplicate data Eliminating redundant data can significantly shrink storage requirements and improve bandwidth efficiency. Because primary storage has gotten cheaper over time, enterprises typically store many versions of the same information so that new work can reuse old work. Some operations like Backup store extremely dismissed information. Deduplication lowers storage costs since fewer disks are needed, and shortens backup/recovery times since there can be far less data to transfer. In the context of backup and other near line data, we can make a strong supposition that there is a great deal of duplicate data. The same data...
Words: 1234 - Pages: 5
...Running Head: UNIT 1 ASSIGNMENT Unit 1 - Information Security Policy Regina Sykes Kaplan University Abstract This paper will provide information on the purpose of a security policy and the components of a security policy. Additionally, this paper contains information on a specific organization and the unique important items the organization chose to establish security policies around. Lastly, this paper provides information around the major areas of concern, missing or incomplete information in the policy, and areas that are ill-advised in an identified organization’s security policy. Unit 1 - Information Security Policy Introduction Many organizations rely on the use of networks and computers to manage the business. Along with the use of networks and computers to manage the business, there is also the need to establish a plan to secure the technology, both the network and the computers. A security policy is the plan developed with instructions from senior leadership instructing decision makers in the organization on how to protect the organization’s assets (Mattord & Whitman, 2012). There are various components of a security policy, which include: statement of policy, equipment usage and access control, prohibited uses regarding equipment, who manages the systems, policies around violations of the policy, a modifications and review section and, lastly, limits of liability (Mattord & Whitman, 2012). Part 1 ...
Words: 2121 - Pages: 9
...Human Resources Information Security Standards, August 2009. Project Name: Human Resources Information Security Standards; Product Title: Standards; Version Number: 1.2 Final (V1.2 Final). Page 1 of 10. Document Control: Organisation: Wokingham Borough Council; Title: Human Resources Information Security Standards; Author: Steve Adamek, Head of Business Systems; Filename: G\Government Connect\WBC Policies; Owner: Head of Business Systems; Subject: IT Policy; Protective Marking: Internal Public; Review date: April 2010. Revision History (Revision | Revisor | Previous Version | Description of Revision): V2.1 | Laura Howse | 2.0 | Updated to include WBC references; V2.2 | Laura Howse | 2.1 | Updated to incorporate WBC changes; V2.3 | Steve Adamek | 2.2 | Updated to incorporate Unison changes; V2.4 | Laura Howse | 2.3 | Updated to incorporate Unison changes; V1.0 | Laura Howse | 2.4 | Final Version; V1.1 | Laura Howse | 1 | Updated to include feedback from Human Resources; V1.2 | Laura Howse | 1.1 | Updated to include feedback from Human Resources. Document Approvals: This document requires the following approvals (Sponsor Approval, Name, Date): Director of Transformation; General Manager for Business Services & Section 151 Officer; Head of Business Systems; Deputy Head of Human Resources; Computacenter Service Manager (Outsourced IT Provider). Document Distribution: Andrew Moulton, Graham Ebers, Steve Adamek, Maureen Vaughan-Dixon...
Words: 2757 - Pages: 12
...cy/index.html Retrieved on February 27, 2014 nist.gov. (2011). NIST Policy on Information Technology Resources Access and Use. Retrieved from http://www.nist.gov/director/oism/itsd/policy_accnuse.cfm Retrieved on February 27, 2014 HHS, 2007. HIPAA Security Series. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf Retrieved on March 8, 2014 Task 1: Heart Healthy Information Security Policy: The information security policy is divided into two major parts – the policy for any new user entering the organization and the password management: New Users: All the new users will get appropriate access and rights, which will be reflective of their responsibilities in the organization. These accesses will enable the user to access all the required data files and information to complete their tasks. While assigning the rights and accesses to the new user, a document should be signed between the new user and the supervisor which will detail all the roles and responsibilities that the user will perform and also the corresponding access and rights. In case the user requires any administrator access, the signature of the respective manager will be required. All the new users will have to undergo an orientation program and some additional training which will tell them about the work place, work culture, security policies, information security policies etc. The additional trainings will focus on password management, remote device protection, file downloads...
Words: 283 - Pages: 2
...Annotated Bibliography Assignment 1 Gary L. Williams Information Assurance Research Literature RSC 830 January 20, 2015 Dr. Emily Darraj Annotated Bibliography Assignment 1 The purpose of this assignment is to examine the topic of cybersecurity via an annotated bibliographic review of multiple dissertations. This assignment will work toward the identification of a future dissertation topic within this field and also towards the identification of research material in support of the final dissertation. The annotated bibliographic reviews contained within this paper will work to provide information that will support my future research and provide experience in garnering and explaining the salient tenets of research material. NOTE: This paper will not include proper APA formatting as citations have been bolded to ensure the professor can discern where citations begin and end. Curtis, S. K. (2012). Commitment to cybersecurity and information technology governance: A case study and leadership model. (Doctoral dissertation). Retrieved from the ProQuest dissertation and thesis database. (UMI No. 3569139) The problem as described by the author in this quantitative study is that senior managers are not using web analytic technology (WAT) and there is a lack of literature describing why this is the case. The purpose of this study is to “examine how management consultants perceive WAT” (p. 22). This study has seven hypotheses. Unified theory of acceptance use of technology...
Words: 3359 - Pages: 14