Information Security Policy Statement

Requirement

Information security assignment.

Solution

Introduction

The company selected for this assessment is Data Services and Systems Pt. Ltd., a hypothetical company based in Guiyang City, China. It provides data analytics services to clients around the world, ranging from large and small companies to some governmental organizations. The company has around fifty in-house employees and also engages many freelancers who are located in various countries and work for it from their home countries. All of the company's activities are technology based; it has never taken on work that requires offline management, apart from some activities such as field surveys for data collection, which are carried out by country-specific freelance teams. The company is small and has no office outside China, so it serves other countries only through internet-based services. Data collection and compilation is done by the freelancers, while the management of that data is handled at the head office.


The company management is concerned about the security risks that might affect the organization's activities in the coming years. Some of these concerns relate to protecting data and information from physical and technical damage, others to protecting it from other threats. The management therefore intends to implement an Information Security Management System (ISMS) so that these risks are managed systematically. The chapters in this report identify the risks that are likely to occur and devise appropriate mitigation plans for them. The second chapter sets out the scope of the ISMS for the company; the third states the information security policy; the fourth assesses the security risks; the fifth identifies responses to the assessed risks; and the sixth maps those responses to security controls from ISO 27002.

Scope of ISMS

The company is situated in Guiyang City, the capital of Guizhou province in Southwest China. The city floods almost every year. The company is physically present only in this city and has no other physical presence anywhere in the world. Its market, however, covers countries such as the USA, European countries, India, and others. The company is in data analytics and management: clients hire it to carry out various forms of analysis to understand market trends and other aspects of their business. Data is collected through an online network of numerous freelancers active around the world, who are managed by the operations department. The department assigns tasks to the freelancers through email and chat, and completed tasks are received by email. At present the company uses QQ for mail and chat worldwide; the freelancers use QQ International to connect with the operations department. Completion reports for particular tasks, such as field data collection and data collation, are passed to the finance department, which disburses payments at the end of each month. The
The company depends heavily on online communication and cannot operate for a single day without it. It currently has 65 desktops, of which around ten are idle and the rest are in use. The operations department uses around 30 of these computers; the rest are distributed among the other departments. All computers have a high-speed broadband internet connection. The company also runs a large data storage centre on the ground floor of its headquarters. The data centre relies on a number of components, among them heat exchangers, transformers, the server room, cooling units, extinguishing gas, diesel generators, cooling water, batteries, telecommunications, and video cameras. Different software is used for different types of data analysis and maintenance, such as IBM's SPSS, R, and others. Further technology assets include iPads, laptops, mobile phones, landline connections, and others.
The company's headquarters is a six-storey building. The ground floor houses the data centre, and the remaining floors are for staff and company management. Besides the technology assets and the building, the company owns the furniture used by staff.

Information Security Policy Statement

Given below is the information security policy that is in force within the company:

  1. The company will safeguard all information received from clients.

  2. Data and information will be kept confidential from any third party unless and until the management orders disclosure.

  3. The network infrastructure must be reliable and sound for the proper functioning of the business.

  4. International information security standards will be complied with.

  5. The management of the organization will handle all security-related issues, and changes to this policy are made at its discretion.

  6. Risks will be assessed continuously so that any shortcomings are identified as early as possible.

  7. Any change within the organization must be preceded and followed by a security assessment.

  8. Access to sensitive information will be protected by multiple layers of control and granted to authorized personnel only.

  9. Information will be classified as sensitive or general as soon as it arrives, so that the distinction is clear and each class is managed accordingly (Bulgurcu et al., 2010).

  10. All information generated by an employee during employment is an asset of the company and will be stored in the company repository.

  11. Employees must not use personal equipment such as laptops, smartphones, and similar devices on company premises to access company data and information (Höne and Eloff, 2002).

  12. External storage devices must not be used with any company computer or other electronic equipment.

  13. All security issues must be reported to the management in the shortest possible time.

Risk Assessment

This section identifies the security risks that are likely to threaten the functioning of the business. Twelve risks have been identified, six adversarial and six non-adversarial. The division into adversarial and non-adversarial threat events, and the event names used below, follow the threat-event taxonomy of NIST SP 800-30 Rev. 1 (Appendix E); the controls mapped to the risks in the final chapter are taken from ISO 27002 (2005).

Given below are the adversarial risks that have been identified for the organization:

  1. Deliver malware to internal systems: Attackers outside the organization can introduce malware into company systems to disrupt operations or steal sensitive information, often with the aim of selling that information to competitors.

  2. Network sniffing of exposed networks: Any network segment exposed to the outside lets an external party capture traffic passively; credentials and data recovered from that traffic can then be used to gain system access.

  3. Craft phishing attacks: Phishing can take various forms, such as cloned web pages or emails that appear to come from authorized personnel but do not.

  4. Gain physical access through authorized staff: An attacker steals or misuses the physical access of an authorized person to get into the premises and systems.

  5. Communications interception attacks: Gaining access by attacking communications that use weak or no encryption.

  6. Brute force login: External parties can guess passwords and other authorization codes, typically with password-cracking software.

Given below are the non-adversarial risks that have been identified for the organization:

  1. Spill sensitive information: Sensitive material is sent to unauthorized individuals by mistake.

  2. Flood at primary facility: The company is located in Guiyang, a flood-prone city. The data centre is on the ground floor of the building and is likely to be affected if flooding occurs, so flood is a major threat to the company.

  3. Mishandling of sensitive or critical information: An authorized user handles information carelessly and unknowingly leaves it where it should not be.

  4. Disk error: Storage corruption destroys the information held on a disk.

  5. Unreadable display: Some of the company's desktops are of poor quality, and their poor displays are expected to cause difficulties in handling information correctly.

  6. Incorrect privilege settings: Through an administrator's mistake, an unauthorized person is allowed access to sensitive material.

Response to Identified Risks

Given below are the responses to six of the risks identified in the "Risk Assessment" above:

  1. Craft phishing attacks: Phishing attacks can be prevented by training employees to detect phishing attempts before they affect any system. Employees need to be taught how to recognise suspicious emails: the actual sender address and domain, not just the display name, should be checked before acting on a message, and links should not be clicked directly; the destination should be verified first, or the known site opened by typing its address (Litan, 2004). Employees should be taught to trust their instincts when opening a new page or email and, if there is the slightest doubt, to take no action and contact the security division. Training works best alongside technical filtering at the mail gateway, since some attempts will still get through to the inbox.

  2. Deliver malware into internal systems: The company will take three steps to detect malware and prevent intrusion into internal systems: keeping systems up to date, using suitable anti-virus software, and running periodic cross-checks of the whole estate. The company uses the Windows operating system on all its computers because it is compatible with most desktop applications; Windows automatic updates will be enabled so that security patches are applied as they are released. Enterprise-grade anti-virus will be deployed on every computer (You and Yim, 2010). No anti-virus product is sufficient on its own, since malware authors obfuscate their code to evade detection, so periodic cross-checks of every system in the organization will be carried out. Policy items 11 and 12 (no personal devices, no external storage media) close two common delivery paths.

  3. Brute force login: External parties can conduct brute force attacks in various ways. Guessing is the preferred approach, trying many combinations until the system opens; manual guessing works well when the attacker is familiar with the victim, and in other cases software is used. Brute force can be prevented by an account lockout policy: after three consecutive failed attempts the user must contact the administrator to regain access. The second method is to delay further attempts for a period after each wrong attempt. The third method is a challenge-response test, such as reCAPTCHA (Von Ahn et al., 2008); Google's reCAPTCHA service also offers image-based challenges that defeat automated systems. Lockout alone has two weaknesses the design should allow for: an attacker can lock legitimate users out deliberately by entering wrong passwords, and an attacker who tries one common password against many accounts never trips a per-account counter, so failed attempts should also be counted per source.

  4. Flood at primary facility: The city is prone to flooding because of its location. The company placed its data centre on the ground floor at the outset because that was more convenient than carrying the equipment to other floors. A flood might damage the data centre severely and cause data loss. This can be addressed in two consecutive steps. The first is to establish remote data storage by copying all files to a cloud service; providers such as Amazon, Google, and Microsoft offer such services. Because policy items 1 and 2 require client information to be kept from third parties, data should be encrypted before it is uploaded, with the keys held by the company. The second step is to move the data centre to the top floor; the relocation must include the supporting plant listed in the scope (generators, batteries, cooling), since servers on the top floor are of little use if the power and cooling equipment remains flooded on the ground floor.

  5. Disk error: The risk from disk errors is reduced by keeping a copy of everything saved on a computer disk at another location as soon as it is written. Employees will be trained to keep a second copy at a different location within the company, and the copies should be verified periodically, because a copy that is never checked may itself be corrupt. If a disk error does occur, the following methods will be used to diagnose it: testing the memory to rule out a memory fault; trying the disk on another system; replacing cables; and updating the BIOS.

  6. Unreadable display: The unreadable displays are a legacy of the old computers bought when the company was being established; although the company has grown, these computers are still in use and their displays are in poor shape. The management needs to budget for good high-resolution monitors, which will be more comfortable for employees and will reduce the likelihood of human error. The company can make bulk purchases from reputable brands such as Wipro, Samsung, Dell and others to upgrade the hardware.
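The sender checks recommended under response 1 (craft phishing attacks) can be partly automated at the mail gateway. The following is an added example, not code from the original report or from the company described: it screens the headers and links of one inbound message for the indicators the training describes (a display name that shows a different address than the real sender, Reply-To or Return-Path pointing elsewhere, a sender or link domain that is a lookalike of a trusted domain). The trusted-domain list and both sample messages are constructed for illustration.

```python
"""Screen an inbound email for the phishing indicators covered in training.

Added example for the report; the trusted domains and messages are constructed.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the company's own mail domain and those of known clients.
TRUSTED_DOMAINS = {"dssystems.example", "client-a.example"}


def normalise_domain(domain: str) -> str:
    """Fold the substitutions used to build lookalike domains so that
    'dssystems.examp1e' and 'dssystems.example' compare equal. Non-ASCII
    characters are dropped, which also collapses mixed-script names."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if ord(ch) < 128)
    folded = folded.translate(str.maketrans("0135", "olse"))
    return folded.replace("rn", "m").replace("vv", "w")


_TRUSTED_FOLDED = {normalise_domain(d) for d in TRUSTED_DOMAINS}


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not trusted but folds onto a trusted one."""
    return domain not in TRUSTED_DOMAINS and normalise_domain(domain) in _TRUSTED_FOLDED


def domain_of(address_header: str) -> str:
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators; an empty list means none were found."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like a trusted domain")

    # Display-name spoofing: the visible name carries an address that is not the sender's.
    if "@" in display_name:
        shown_domain = display_name.rpartition("@")[2].strip('<> "').lower()
        if shown_domain != from_domain:
            findings.append("display name shows a different address than the real sender")

    # Replies or bounces routed somewhere other than the apparent sender.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            findings.append(f"{header} domain differs from From domain")

    # Links in the body: flag lookalike hosts and bare IP addresses.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href in re.findall(r"""href=["']([^"']+)["']""", body, flags=re.IGNORECASE):
        host = (urlparse(href).hostname or "").lower()
        if is_lookalike(host):
            findings.append(f"link points at lookalike host {host}")
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address {host}")
    return findings


# Constructed sample messages (not real mail).
LEGITIMATE_MESSAGE = (
    'From: "Operations Team" <ops@dssystems.example>\n'
    "Return-Path: <ops@dssystems.example>\n"
    "Subject: Field survey brief\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>The brief is on <a href="https://dssystems.example/tasks/">the task portal</a>.</p>\n'
)

PHISHING_MESSAGE = (
    'From: "ops@dssystems.example" <ops@dssystems.examp1e>\n'
    "Reply-To: <collect@mail-drop.example>\n"
    "Return-Path: <bounce@mail-drop.example>\n"
    "Subject: Urgent: confirm your QQ International login\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Sign in at <a href="http://dssystems.examp1e/login">https://dssystems.example/login</a></p>\n'
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE_MESSAGE), ("phishing", PHISHING_MESSAGE)):
        print(label, phishing_indicators(raw) or "no indicators")
```

Heuristics like these catch the lazy cases and give the training a concrete backstop; they are not a substitute for SPF, DKIM and DMARC checks on the receiving mail server, which validate the sending domain cryptographically rather than by appearance.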
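Response 3 (brute force login) describes three consecutive failures locking the account, a growing delay after each wrong attempt, and the weakness that per-account counting has against an attacker who sprays one password across many accounts. The following added example (not from the original report) implements the lockout and delay as a login throttle with an injectable clock, and adds a per-source counter so that a single source spraying many accounts is blocked too. Only the "three failures" rule comes from the text; the other limits are assumptions.

```python
"""Login throttle: per-account delay and lockout, plus a per-source limit.

Added example for the report. Only the 'three consecutive failures lock the
account' rule comes from the text; the other limits are assumptions.
"""
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 3      # from the response text: third failure locks the account
BASE_DELAY_SECONDS = 2.0          # assumption: wait doubles after each failure (2 s, 4 s, ...)
SOURCE_FAILURE_LIMIT = 10         # assumption: failures per source address within the window
SOURCE_WINDOW_SECONDS = 600.0     # assumption: sliding window for the per-source count


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success or unlock
    not_before: float = 0.0  # earliest time the next attempt is accepted
    locked: bool = False     # requires administrator intervention


class LoginThrottle:
    """Decide whether an attempt may proceed *before* the password is checked,
    so that a rejected attempt gives the attacker no information."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}
        self._source_failures: dict[str, list[float]] = {}

    def _recent_source_failures(self, source: str, now: float) -> list[float]:
        recent = [t for t in self._source_failures.get(source, []) if now - t < SOURCE_WINDOW_SECONDS]
        self._source_failures[source] = recent
        return recent

    def check(self, username: str, source: str) -> str:
        """Return 'ok', 'source_blocked', 'locked' or 'delayed'."""
        now = self._clock()
        if len(self._recent_source_failures(source, now)) >= SOURCE_FAILURE_LIMIT:
            return "source_blocked"      # one source spraying many accounts
        state = self._accounts.setdefault(username, AccountState())
        if state.locked:
            return "locked"
        if now < state.not_before:
            return "delayed"
        return "ok"

    def record_failure(self, username: str, source: str) -> None:
        """Attempts made during a delay still count: the attacker does not get a free retry."""
        now = self._clock()
        self._source_failures.setdefault(source, []).append(now)
        state = self._accounts.setdefault(username, AccountState())
        state.failures += 1
        if state.failures >= MAX_CONSECUTIVE_FAILURES:
            state.locked = True          # stays locked until admin_unlock()
        else:
            state.not_before = now + BASE_DELAY_SECONDS * 2 ** (state.failures - 1)

    def record_success(self, username: str) -> None:
        self._accounts[username] = AccountState()

    def admin_unlock(self, username: str) -> None:
        """The 'contact the administrator' step from the response text."""
        self._accounts[username] = AccountState()


def simulate() -> list[str]:
    """Constructed run: three rapid failures on one account, then one source
    spraying ten different accounts. Returns the decisions in order."""
    fake_now = [1000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    trace = []
    for _ in range(3):
        trace.append(throttle.check("alice", "10.0.0.5"))
        throttle.record_failure("alice", "10.0.0.5")
        fake_now[0] += 1.0                      # attacker retries after one second
    trace.append(throttle.check("alice", "10.0.0.5"))
    for i in range(SOURCE_FAILURE_LIMIT):
        throttle.record_failure(f"user{i}", "203.0.113.9")
    trace.append(throttle.check("user99", "203.0.113.9"))
    return trace


if __name__ == "__main__":
    print(simulate())
```

The per-source counter keys on the client address, which is weak against an attacker with many addresses but still catches the common single-host spray; in production the same decision logic would sit in front of the password check and the states would live in a shared store rather than in memory.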
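Responses 4 (flood) and 5 (disk error) both rest on keeping a second copy of the data somewhere else, and response 5 notes that a copy must be verified to be worth anything. This added example (not from the original report) builds a SHA-256 manifest of a primary copy, verifies a secondary copy against it, and then shows the check catching a silent one-byte corruption and a missing file on the secondary. The directory contents are constructed for the demonstration.

```python
"""Build an integrity manifest for a primary copy and verify a secondary copy.

Added example for the report; the directory contents are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return one problem line for every manifest entry missing or altered under root."""
    problems = []
    for rel, expected in manifest.items():
        candidate = root / rel
        if not candidate.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(candidate) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: primary copy, secondary copy, then damage to the secondary.
    Returns the verification result before and after the damage."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        secondary = Path(tmp) / "secondary"
        (primary / "survey").mkdir(parents=True)
        (primary / "survey" / "region-a.csv").write_text("id,answer\n1,yes\n2,no\n")
        (primary / "notes.txt").write_text("collation notes\n")

        manifest = build_manifest(primary)          # taken when the data is written
        shutil.copytree(primary, secondary)         # the "copy at another location"
        before = verify_copy(secondary, manifest)   # expected: no problems

        # Silent media error: one bit flips in one file, and another file vanishes.
        damaged = secondary / "survey" / "region-a.csv"
        data = bytearray(damaged.read_bytes())
        data[5] ^= 0x01
        damaged.write_bytes(data)
        (secondary / "notes.txt").unlink()

        after = verify_copy(secondary, manifest)
        return before, after


if __name__ == "__main__":
    clean, damaged_report = demo()
    print("before damage:", clean or "all files verified")
    print("after damage: ", damaged_report)
```

The manifest has to be stored apart from both copies, and the copy has to be on different media: a second folder on the same disk fails with the disk, and a synced folder faithfully replicates the corruption. The same verify step applies to the cloud copy proposed under response 4, run against the data after it has been downloaded and decrypted.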

Information Security Controls

Given below are the information security controls from ISO 27002 (2005) for the risks responded to above; clause numbers refer to the 2005 edition of the standard:

  1. Craft phishing attacks: Clauses 8.2.1 (management responsibilities), 8.2.2 (information security awareness, education, and training), 10.9.1 (electronic commerce), 10.9.2 (on-line transactions), 10.9.3 (publicly available information), and 13.1.1 (reporting information security events) apply. The controls will be implemented through a one-week training session for employees, followed by short tests to confirm that everyone has understood the material.

  2. Deliver malware into internal systems: Clauses 10.4.1 (controls against malicious code), 12.2.2 (control of internal processing), 12.3.1 (policy on the use of cryptographic controls), 12.4.1 (control of operational software), 12.4.2 (protection of system test data), 11.5.5 (session time-out), 11.5.6 (limitation of connection time), and 10.10.3 (protection of log information) apply. Clause 10.4.1 is the control that directly covers the anti-virus and patching measures described above. These controls can be implemented by engaging an external agency to set up and manage the mechanisms in the appropriate places.

  3. Brute force login: Clauses 11.5.1 (secure log-on procedures), 11.5.2 (user identification and authentication), and 11.5.3 (password management system) will be used to protect the system against brute force logins. The log-on mechanism will enforce the lockout and delay measures described above, and credentials will be protected with encryption in transit and at rest; the encryption service will be procured from external providers.

  4. Flood at primary facility: Clauses 7.1.1 (inventory of assets), 9.1.1 (physical security perimeter), 9.1.4 (protecting against external and environmental threats), 9.2.4 (equipment maintenance), and 10.5.1 (information back-up) will be used. The company will begin a one-month project to relocate the data centre and transfer the files.

  5. Disk error: Clauses 10.5.1 (information back-up), 10.7.2 (disposal of media), 10.7.3 (information handling procedures), 9.2.6 (secure disposal or re-use of equipment), and 9.2.7 (removal of property) apply. These will be covered in the training session.

  6. Unreadable display: Clauses 7.1.1 (inventory of assets), 7.1.2 (ownership of assets), and 9.2.4 (equipment maintenance) apply. The company will buy new monitors in bulk from a reputable brand such as Samsung.

Conclusion

The security risks identified in this paper are expected to arise for the company, and the measures identified are considered adequate to handle them. The six risks detailed in the last two chapters should be regarded as a preliminary set, since the other risks listed in the assessment, and others not yet identified, can also affect the company in one way or another.


References

  • Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), pp.523-548.

  • Höne, K. and Eloff, J.H.P., 2002. Information security policy: what do international information security standards say? Computers & Security, 21(5), pp.402-409.

  • ISO 27002, 2005. Information technology — Security techniques — Code of practice for information security management.

  • Litan, A., 2004. Phishing attack victims likely targets for identity theft.

  • Von Ahn, L., Maurer, B., McMillen, C., Abraham, D. and Blum, M., 2008. reCAPTCHA: human-based character recognition via web security measures. Science, 321(5895), pp.1465-1468.

  • You, I. and Yim, K., 2010. Malware obfuscation techniques: a brief survey. In: BWCCA 2010, pp.297-300.
