Premium Essay

SANS-Information Security Policy

Submitted By
Words 220
Pages 1
Numerous corporations spent millions each year attempting to improve and harden information system capabilities. Recently after the widespread data breach of several publicly known companies, a large portion on the expenditures have been focused on securing systems. However, a majority of these investments have been less effective and been circumvented by employee negligence or insider breaches (Chen, Ramamurthy & Wen, 2012). Therefore, at the core of any well-established information security program is an effectively written security policy that guides employees of safe actions.
The information security policy document outlines the specific rules and requirements that must be followed ("SANS - Information Security Resources | Information

Similar Documents

Premium Essay

Password Guidance

...cy/index.html Retrieved on February 27, 2014 nist.gov. (2011).NIST Policy on Information Technology Resources Access and Use. Retrieved from http://www.nist.gov/director/oism/itsd/policy_accnuse.cfm Retrieved on February 27, 2014 HHS, 2007. HIPAA Security Series. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf Retrieved on March 8, 2014Task 1Heart Healthy Information Security Policy:The information security policy is divided into two major parts – the policy for any new user entering the organization and the password management:New Users:All the new users will get appropriate access and rights, which will be reflective of their responsibilities in the organization. These accesses will enable the user to access all the required data files and information to complete their tasks. While assigning the rights and accesses to the new user a a document should be signed between the new user and the supervisor which will detail all the roles and responsibilities that the user will perform and also the corresponding access and rights. In case the user requires any administrator access then signature of the respective manager will be required. All the new users will have to undergo an orientation program and some additional training which will tell them about the work place, work culture, security policies, information security policies etc. The additional trainings will focus on password management, remote device protection, file downloads...

Words: 283 - Pages: 2

Premium Essay

Human Resources Security Information

...Human Resources Information Security Standards Human Resources Information Security Standards Standards August 2009 Project Name Product Title Version Number Human Resources Information Security Standards Standards 1.2 Final V1.2 Final Page 1 of 10 Human Resources Information Security Standards Document Control Organisation Title Author Filename Owner Subject Protective Marking Review date Wokingham Borough Council Human Resources Information Security Standards Steve Adamek, Head of Business Systems G\Government Connect\WBC Policies Head of Business Systems IT Policy Internal Public April 2010 Revision History Revision Date Revisor Previous Version Description of Revision V2.1 V2.2 V2.3 V2.4 V1.0 V1.1 V1.2 Laura Howse Laura Howse Steve Adamek Laura Howse Laura Howse Laura Howse Laura Howse 2.0 2.1 2.2 2.3 2.4 1 1.1 Updated to include WBC references Updated to incorporate WBC changes Updated to incorporate Unison changes Updated to incorporate Unison changes Final Version Updated to include feedback from Human Resources Updated to include feedback from Human Resources Document Approvals This document requires the following approvals: Sponsor Approval Name Date Director of Transformation General Manager for Business Services & Section 151 Officer Head of Business Systems Deputy Head of Human Resources Computacenter Service Manager (Outsourced IT Provider) Document Distribution Andrew Moulton Graham Ebers Steve Adamek Maureen Vaughan-Dixon...

Words: 2757 - Pages: 12

Premium Essay

Msit 540: Management of Information Security

...SECURITY POLICY for PIXEL, INC. Table of Contents Abstract 3 Purpose 3 Roles and Responsibilities 4 The policy statement 4 Policies specific to Roles 5 Chief Security Officer (CSO) 5 Chief Information Officer (CIO) 5 Pixel Inc. employees 6 Pixel Inc. Business partners 6 Pixel Clients 6 Risk Management 7 Policy 9 Sensitivity 10 General 11 Network Access 11 Network Equipment 14 Desktop Policy 15 Messaging Policy 16 Server Policy 16 Backup 17 Physical Security 18 Enforcement 20 Appendix 22 References 23   Abstract This paper describes the security policy of a fictitious company called Pixel Inc. The Pixel Inc. is a small business with nearly 100 employees with business focus on multi-media. Due to the nature of business, the company uses varying operating systems such as windows, Mac and Linux systems wired over a gigabit Ethernet networking. The security policy focuses on the securing intellectual property on storage and transportation. The usage policies are also devised for desktops and devices. Purpose The information security is crucial for Pixel Inc. to secure its information technology assets. The security is expected to provide protection from unauthorized access of its intellectual properties, system assets, network equipment’s, customer data and business system information. The policy described here is for implementing security practices across Pixel Inc. in everyday use of the information technology assets...

Words: 3640 - Pages: 15

Premium Essay

Chinese

...in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security Policies: Where to Begin A company that realizes that they have unfortunately been applying security in an ad-hoc fashion and have not put the necessary security policies in place to reduce the risk to their corporate assets, has hired you as the Security Officer. They have implemented many of the standard security products and technologies (firewalls, anti-virus, IDS, etc.), but they find viruses and intrusions still occur. As the newly appointed Security Officer you are to develop their security policies and procedures from top to bottom to ... Copyright SANS Institute Author Retains Full Rights AD Security Essentials V1.4b Title: Security Policies: Where to Begin Name: Laura Wills Date: December 12, 2002 Introduction A company that realizes that they have unfortunately been applying security in an ad-hoc fashion and have not put the necessary security policies in place to reduce the risk to their corporate assets, has hired you as the Security Officer. They have implemented many of the standard security products and technologies (firewalls, anti-virus, IDS, etc.), but without the policies and processes defined, they find viruses and intrusions still occur. As the newly appointed Security Officer you are to develop their security policies and procedures from top...

Words: 6709 - Pages: 27

Premium Essay

Security Policy Document

...1.0 Purpose The purpose of this policy is to describe the security requirements for Global Distribution, Inc. (GDI). It is important that GDI protects the confidentiality, integrity and availability of information that is essential for day-to-day business operations. This policy will apply to all information that is electronically stored, received, typed, printed, filmed, and generated. Information technology systems are critical for Global Distribution, Inc. interrelationship between data and operations. GDI’s 3,200 employees and contractors are all responsible for protecting information from being accessed by unauthorized persons, modification, disclosure and destruction. An effective security policy sets the guidelines of an organization’s approach to security. The policy varies from a plan, in that a plan is a call to action, while a policy defines the goals of the plan. 2.0 Acceptable use Policy Global Distribution’s network administrator plans to provide a reasonable level of privacy to it users, but all users must note that all data that is created on the corporate WAN and remote facilities (warehouses) is property of GDI (SANS Institute, 2006). In order to protect the network of GDI, any information or data stored on company devices are subject to management monitoring and therefore confidentiality cannot be guaranteed. An audit of the network can be conducted at anytime to ensure that users are in compliance with policies. It is requires that all employees understand...

Words: 2146 - Pages: 9

Premium Essay

Aircrafts

...Table of Contents Executive Summary 3 Company Overview 3 Vulnerabilities 3 Hardware Vulnerabilities 3 Policy Vulnerabilities 6 Recommended Solution - Hardware 7 Impact on Business Processes 10 Recommended Solution – Policy 10 Impact on Business Processes 11 Budget 11 Summary 11 References 13 Executive Summary The purpose of the report is to assist Aircraft Solutions (AS) in indentifying the most significant Information Technology (IT) security vulnerabilities. AS products and services are at the forefront of the industry and the protection of such is very important as they are an industry leader. The vulnerabilities that will be discussed are the firewall configuration, virtualization of their hardware assets and defining security policy regarding the timeliness of firewall configuration and updates. Company Overview Aircraft Solutions, headquarters located in San Diego, California develop and fabricate products and services for companies in the electronic, commercial, defense and aerospace industries. AS is made up of two (2) different divisions, the Commercial Division and the Defense Division. The Commercial Division is located in Chula Vista, CA and the Defense Division is located in Santa Ana, CA. AS company strategy is to offer low cost design and computer aided modeling packages to companies and assists them through the lifecycle of their product in an effort to save money for the consumer while profiting from their business....

Words: 2440 - Pages: 10

Premium Essay

Security Aircraft Solution

...Security weaknesses within an organizations system put the organizations assets at risk. After reading and viewing the infrastructure and architecture of AS, there are a few vulnerabilities that are very noticeable that would put their system at risk. The two evident areas are the vulnerabilities with the policy and the hardware. The first vulnerability apparent is the policy on updating the firewall and router rule sets. The security policy of AS, require that all firewalls and router rule sets are to be evaluated every two years. This is a lengthy amount of time to go without evaluating the rule sets. The intervals in the evaluation of the rule sets would put the organization at great risk for potential threats. The second vulnerability that is noticeable is that the backups are stored at the server location. This would put the company at great risk if there were ever some kind of disaster to occur. The security weaknesses mentioned above can be decreased with proper security controls. Vulnerabilities Hardware Vulnerabilities The hardware infrastructure of the AS Headquarters in San Diego, California had been identified during our recent security assessment as being a potential security weakness to the company's overall information systems security infrastructure. The system hardware infrastructure comprises of Five (5) Individual Servers One (1) Switch Two (2) Routers One (1) Firewall The hardware area of concern was the lack of Firewalls being used to protect...

Words: 2393 - Pages: 10

Premium Essay

Title Is Awesome

...IS 471 Policy Development and Security Issues Lab 4 (Due October 22, 2014) Introduction In any company, a security policy helps to mitigate the risks and threats the business encounters. However, unless a company happens to be in the information security industry, the task of identifying, assessing, and categorizing the myriad of risks can be an overwhelming one. Thankfully, a company’s IT infrastructure can be divided in a logical manner to more easily sort the risks. These divisions are the seven IT domains. The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation. In this lab, you will identify known risks, threats, and vulnerabilities, and you will determine which domain of a typical IT infrastructure is affected. You will then discuss security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. You will next determine which appropriate security policy definition will help mitigate the identified risk, threat, or vulnerability. You will organize your results into a framework that can become part of a layered security strategy. Learning Objectives Upon completing this lab, you will be able to: •     Identify risks, threats, and vulnerabilities commonly found in the seven domains of a typical IT infrastructure.      Determine which domain is impacted by the risk, threat, or vulnerability.      Determine...

Words: 1159 - Pages: 5

Premium Essay

Cyberlaw, Regulations and Compliance

...Healthy Information Security Policy: A. 1. The policy for information security has two different sections – first is managing passwords and second is new user policy. They are discussed in detail as below: New Users: When a new user enters the organization, depending upon the roles and responsibilities assigned to the person, he will be given corresponding access rights. With the help of these access rights the person would be able to access the required files and data necessary for his tasks. When these access rights are assigned the user should sign a document, which will list his roles and responsibilities. This document will be co-signed by his supervisor as an agreement. If a user requires elevation in privileges, he will need to get permission from the respecting manager. When new people join organization they will be taken through an orientation program which will give information on security policies, work culture, work place, information security practices etc. Besides orientation program the users will also be trained on topics like remote device protection, password management, content management, file downloads, access levels and its importance and acceptable use of internet and email. These trainings will be mandated for all the new users and after completion of training this will be documented and stored. As per HIPAA guidelines unless all these mandatory trainings are completed they are not given access to the company data and records (HIPAA Security Guidance...

Words: 1304 - Pages: 6

Premium Essay

Paper

...CMIT320 Security Policy Paper Week 3 Table of Contents Introduction: GDI background and given problem……………………………………… 1 Important Assets…………………………………………………………………………. 2 Security Architecture for GDI…………………………………………………………… 3 Twenty Possible Security Policies………………………………………………………. 4 Details and Rationale of the Twenty Security Policies………………………………….. 5 Twelve Security Policies that should be Applied to GDI……………………………….. 6 Conclusion……………………………………………………………………………..… 7 References……………………………………………………………………………….. 8 Outline I. Introduction a. Briefly discuss the background of GDI. b. Also, discuss about the given problem of the IT security, infrastructure, cost, etc. II. Discuss the important assets of the company that need protection c. Asset identification: “Identity and quantify the company’s assets” (Meyers, 2009, p. 215) i. Important assets include: 1. Computer network equipment (Meyers, 2009, p. 215) 2. Data (Meyers, 2009, p. 215) 3. Servers, printers 4. Routers, firewalls, switches, wireless devices, etc. d. Access control methods: sensitivity, integrity, availability (Meyers, 2009, p. 157). e. Risk and threat assessment: “Identify and access the possible security vulnerabilities and threats” (Meyers, 2009, p. 215). f. Identify solutions and countermeasures: “Identify a cost-effective solution to protect assets” (Meyers, 2009, p. 215)...

Words: 573 - Pages: 3

Premium Essay

Government

...External Environment and Government Policy Introduction The generic argument for governmental intervention is that the marketplace does not perform its normal function of optimizing resource production efficiency and resource allocation decision making as classical economics theory suggests. As a result of the market’s failure, government can, and some say should, intervene to fix the problem. However, some have argued that government interventions are designed to benefit those special interests that influence politicians rather than society as a whole (Austin & Boxerman, 2008). Discuss the impacts of breach to Healthcare Information systems, especially the financial and privacy impacts. Some of the most devastating security breaches can occur during employee termination when steps are not taken to remove access to resources in a timely manner. HIPAA guidelines specify that when employees are terminated, that certain steps, at a minimum, must be followed. These include changing locks, removal from access lists, removal of user account, and confiscation of keys, tokens and other access cards. Though these steps may seem to be common sense, some organizations may not have documented procedures to follow when an employee is terminated. Additionally, the responsibility for carrying out the termination procedures must be clearly assigned and documented (SANS Institute, 2001). Security Training In order for a security program to work well, the employees must be educated insecurity...

Words: 1211 - Pages: 5

Premium Essay

Risk Management

...6 May 2011 Heart-Health Insurance Information Security Policy Proposal By Thomas Groshong A review of the current New Users and Password Requirements policies and the proposed changes to these policies with justifications are listed below. Current Policies: New Users “New Users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” Current Policies: Password Requirements “Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.” A: Revised Policies: New Users “New Users are assigned appropriated access based on their role within the organization and their need to access specific data and/or data stores. The user and supervisor must submit a signed request and indicate which systems (Roles) the new user will need access to and what level of access will be required. To grant administrator level access an additional signature from a manager is required. New Users are required training on workforce awareness...

Words: 1045 - Pages: 5

Premium Essay

Heart-Health Insurance Information Security Policy Proposal

...6 May 2011 Heart-Health Insurance Information Security Policy Proposal A review of the current New Users and Password Requirements policies and the proposed changes to these policies with justifications are listed below. Current Policies: New Users “New Users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” Current Policies: Password Requirements “Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.” A: Revised Policies: New Users “New Users are assigned appropriated access based on their role within the organization and their need to access specific data and/or data stores. The user and supervisor must submit a signed request and indicate which systems (Roles) the new user will need access to and what level of access will be required. To grant administrator level access an additional signature from a manager is required. New Users are required training on workforce awareness, password management...

Words: 1042 - Pages: 5

Premium Essay

Dlp Dlp Dlp

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Data Loss Prevention AD Copyright SANS Institute Author Retains Full Rights . 08 , Au tho rr eta ins ful l rig hts Data Loss Prevention 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 Prevention Data Loss 06E4 A169 4E46 te GIAC Gold Certification Ins titu Author: Prathaben Kanagasingham Advisor: John C.A Bambenek © SA NS Accepted: August 15th 2008 Prathaben Kanagasingham © SANS Institute 2008, 1 As part of the Information Security Reading Room Author retains full rights. . ins Table of Contents ful l rig hts Data Loss Prevention Introduction....................................................................................3 2. Deeper Look at DLP Solution........................................................4 3. Identification of Sensitive Data......................................................6 tho rr eta 1. Data in Motion.....................................................................8 3.2 Data at Rest.....................................................................…9 3.3 Data at End Points.............................................................10 08 , Au 3.1 Choosing a Vendor...

Words: 8522 - Pages: 35

Premium Essay

Alternating State Government It Security Policies

...Alternating State Government IT Security Policies University of Maryland University College Europe Instructor: Professor Cybersecurity in Government Organizations CSIA 360 24 April 2016 The purpose of IT Security Policies within the state governments IT security policies are the foundation that any business or government should have implemented with their IT systems before the systems are going to be accessed or in other terms used by users and or customers. The successful implementation of such IT security policies are necessary for the infrastructure of IT systems that are going to be operated safely. IT security policies normally are papers that address the requirements of the system’s rules that are to be fulfilled, which usually is a defined set of rules. The individual IT security policy addresses a specific area in detail like such as an acceptable user policy that outlines how the system is to be used with what each user can perform on the system (SANS, 2016). Each individual state is responsible for implementing its own IT security policy because there is no precise must do practice in place when it comes to fulfilling IT security policies for the state governments. State agencies and offices are responsible for their own IT security policies. Each state addresses IT security policies and the associated problems with implementing these, but two states barely mention the topic, which reflects with rare information concerning their cybersecurity plans...

Words: 1515 - Pages: 7