This task will introduce you to basic policy design and help you understand the importance of specific policies to the organization. The following organization and company profile will be used to complete this task.
Company Profile
Your company has all of its future potential pinned to the fact that it has several unique products in FDA-approved trials. If the products are approved for use, the company will be able to obtain additional funding. Recently, a sensitive internal document was found posted on the Internet. The company is worried that some of this information may have ended up in the hands of a competitor. If key proprietary information was leaked, it could endanger the future of the company.
Company Overview
Your talks with senior management revealed the following. The company is betting everything on the success of these products. Most of its key employees have been recruited away from competing firms. These employees were originally attracted by the promise of large stock option grants. HR holds all of these records and must track any payouts if they occur.
The company has been lucky—venture capital has poured in. All of this capital has been invested in research and development (R&D). Once a design is pulled together, the company locks in the documentation. It doesn’t actually build the product in the United States; a subsidiary in South Korea assembles the design. The finished product returns to the United States for final tests, and then the product is submitted for FDA trials.
Because the company is new and poised for growth, the rented office and lab space is full.
There are several entrances to the building, and people can come and go through any of them.
Employees often work from home. Employees connect to the office from home via virtual private networks (VPNs). They have been required to sign an acceptable-use policy that specifies for what purposes they can use the network and its resources.
There is no full-time network administrator; those responsibilities fall on a research assistant who has experience managing systems in a college environment (but not in a high-security environment). The network consists of one large local area network (LAN) connected to the Internet through a firewall appliance, except for the VPNs, where the firewall still has its factory-default configuration. Employees must use two-factor authentication to log into local computers, and laptops have biometric authentication.
Because a storm last year wiped out a competitor, the company called in a disaster recovery expert and backup policies were developed. It also contracted with a service bureau for backup services, should the network go down because of a disaster. This led the company to set up policy templates for the other major areas, but those policies have not been completed.
Policy Development Overview
Once an organization has decided to develop security policies, the question that usually comes to mind is "What's next?" The best place to start is to frame the policies within some type of existing framework.
Two examples of such a framework are ISO 17799 and BS7799. ISO 17799 was derived from Part 1 of BS7799, and both have since been folded into the ISO/IEC 27001 and 27002 standards, but the structure below is still a useful starting point. BS7799 is a recognized standard that breaks security policy into ten categories:
Business continuity planning: addresses business continuity and disaster recovery.
System access control: addresses control of information, protection of network resources, and the ability to detect unauthorized access.
System development and maintenance: addresses the protection of application data and the safeguards associated with the confidentiality, integrity, and availability of operational systems.
Physical and environmental security: addresses the physical protection of assets and the prevention of theft.
Compliance: addresses the controls used to prevent the breach of any federal, state, or local law.
Personnel security: addresses the protection of individuals and protection from human error, theft, fraud, or misuse of facilities.
Security organization: addresses the need to manage information security within the company.
Computer and network management: addresses the need to minimize the risk of system failure and to protect network systems.
Asset classification and control: addresses the need to identify and protect company assets.
Security policy: addresses the need for adequate policies to maintain security.
