Security Policies in an IT Environment
Information security policy is essential in any setting where information is accessed, owing to the sensitivity and importance of information (Anderson 26). Within an organisation or institution, the biggest threat to information comes from the people within who can access it. Users have usernames and passwords that they use to access information. Consequently, a security policy has to be formulated to act as the organisation's constitution, directing the way people access the network and overseeing internal and external security issues. This paper presents the security policy of a university (Allen 34).
A) Computer Desktop Security Policy
1 - What is the user allowed to do?
- Users are free to access information or programs on the university information system that they have authority to access (Gurpreet 45).
- The user is accountable for his or her computer and the data it contains.
- As noted by Easttom, users should apply good judgement by protecting data with passwords and by closing all windows that display sensitive information (80).
2 - What is the user not allowed to do?
- Users are not allowed to engage in any illegal activity or transmit files contrary to applicable university, local, state or federal laws. In addition, users must not deliberately take part in activities that may threaten or harass others (Spagnoletti & Resca 208).
- Users should also not engage in activities aimed at compromising the performance of computers, depriving other authorised users of access to information, or circumventing the security measures of the university.
- Users should not try to access information or programs on the university information system that they have no authority to access. They should not share passwords or devices that are used for authorisation purposes.
- Users should avoid engaging in any activity that goes against the university’s code of conduct or security policies (White 123).
3 - What are the consequences in both situations above?
Implementing and following the security measures outlined in this policy provides the user with additional protection from malicious programs as well as unauthorised access (Kiountouzis 409). However, users who fail to implement the stated security measures risk having their computers infected. In such a case, the university will immediately terminate the user's connection to the system until the university is satisfied that the computer is secure. In addition, further action may be taken by the university where the user knowingly engages in activities meant to compromise the security of the university information system (McNab 204).
4 - What is the best practice?
All computers must have the latest anti-virus software installed to ensure that the security of information is not under threat. In addition, all desktop computers must have firewall software configured in accordance with the university guidelines. All computers must run genuine software that is legally licensed. The university should carry out periodic audits to ensure that this is being followed.
B) Email Security Policy
1 - What is the user allowed to do?
- Users should install the latest anti-virus software and configure it properly to offer maximum protection to the computer.
- Users should avoid opening any email attachment if they do not know the sender of that email; they should also know why the email was sent.
- Create complex passwords containing both numbers and letters. Passwords should not be shared with anybody; it is good practice to memorise them.
- If you decide to share any particular file from your computer through email, be sure that access to the file is protected with a secure password.
- Regularly check the website of the operating system vendor, for example Microsoft, for crucial security updates that may be necessary for the machine (Lambo 76).
2 - What is the user not allowed to do?
- The following activities are not allowed because they may derail the proper functioning of the e-mail system and may compromise the security of the system:
- Sending or forwarding chain emails
- Sending unnecessary messages to numerous people unless required to accomplish the academic objectives of the university (White 43).
- Sending very large messages, for instance 20 million characters, or numerous messages unless permission is obtained beforehand from the system administrator (Whiteman and Mattord 332).
- Deliberately forwarding or sending e-mail that contains computer viruses. Users should also avoid sending or receiving sensitive academic information from non-university e-mail accounts. Similarly, sensitive university information should not be transmitted or stored on public systems.
3 - What are the consequences in both situations above?
- Those who follow the dos outlined in the policy will not suffer any consequences and will be expected to continue adhering to the stipulations laid down in the email security policy. However, those who breach this policy will be reported to the Chief Information Officer, who will investigate the breach and act appropriately. Appropriate measures include any of the following (but are not limited to these):
- Temporary or permanent termination of access to the system
- University sanctions as outlined in the student or staff code of conduct; these may include suspension or termination from the university
- Monetary fines to the university or concerned party
- Prosecution under prevailing civil or criminal laws (a user who violates local, state or federal law will be referred to the relevant authorities for further action) (Peltier 201).
4 - What is the best practice?
Default passwords that come with the machine have to be changed. New passwords must be created according to the following conventions:
Passwords have to be a minimum of eight (8) characters long and contain both letters and numbers (Krutz & Russell 203). It is good practice to change passwords on a regular basis, at least every three months.
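The password rules stated in this best-practice section (minimum eight characters, letters and numbers, default passwords changed, rotation at least every three months) can be enforced by an audit or helpdesk script. The example below is added here and is not part of the paper; it assumes a 90-day rotation window as the reading of "three months" and uses a constructed list of vendor default passwords.

```python
import re
from datetime import date, timedelta
from typing import List

# Rules taken from the email security policy: at least 8 characters,
# both letters and digits, default passwords changed, rotation every 3 months.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # assumption: "three months" read as 90 days
# Constructed sample of defaults a machine might ship with (not from the paper).
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1", "12345678"}


def password_violations(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        violations.append("contains no letters")
    if not re.search(r"[0-9]", password):
        violations.append("contains no numbers")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("is a known default password")
    return violations


def rotation_due(last_changed: str, today: str) -> bool:
    """True when a password last changed on the ISO date given is older than the rotation period."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


def check_account(password: str, last_changed: str, today: str) -> dict:
    """Combine both checks the way an audit script would report them per account."""
    return {
        "violations": password_violations(password),
        "rotation_due": rotation_due(last_changed, today),
    }


if __name__ == "__main__":
    today = "2024-06-01"  # constructed reference date for the demo
    for pw, changed in [("changeme", "2024-05-01"), ("Summer2024", "2024-01-15")]:
        print(pw, check_account(pw, changed, today))
```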
C) Remote Access Policy
1 - What is the user allowed to do?
- Users of the network with a remote access connection can log in and access information. The system is secured with an encrypted connection (Easttom 211).
- A user with remote access to the system will be allowed to access any resource of the university according to his or her security privileges.
- Users should know that when in a remote session they are still accessing the information subject to the university policies.
2 - What is the user not allowed to do?
- Students, staff and any employees of the university are not allowed to share their login details with anybody, not even close family members.
- Users of the university network who have a remote connection must ensure that their computers are not connected to other networks while accessing the university network, unless the connection is to their personal network that is fully controlled by the user.
- No connection to a third party should be allowed (Aceituno 205); such a connection can only happen when it complies with the requirements set by the university.
3 - What are the consequences in both situations above?
Those who fail to comply with the set policy will face disciplinary actions such as losing the privilege to access the network. Employees may be suspended from work or even have their employment contract terminated (Stamp 231).
4 - What is the best practice?
Lambo points out that best practice dictates that remote access should be deployed with maximum security (101). In addition, it should also have strong authentication. The remote system should not be configured with different access policies for the same user, as this will cause connection problems.
Works Cited
Allen, Julia H. The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley, 2001. Print.
Anderson, K. "IT Security Professionals Must Evolve for Changing Market." SC Magazine, 12 Oct. 2006.
Easttom, William C. Computer Security Fundamentals. 2nd ed. Pearson Press, 2011. Print.
Gurpreet, Dhillon. Principles of Information Systems Security: Text and Cases. NY: John Wiley & Sons, 2007. Print.
Kiountouzis, E. Kokolakis. Information Systems Security: Facing the Information Society of the 21st Century. London: Chapman & Hall, Ltd, 2007. Print.
Krutz, Ronald, and Dean Russell. The CISSP Prep Guide. Gold ed. Indianapolis, IN: Wiley, 2003. Print.
Lambo, Taiye. "ISO/IEC 27001: The Future of Infosec Certification." ISSA Journal 60.6 (2006): 19–25.
Layton, Timothy P. Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach Publications, 2007. Print.
McNab, Chris. Network Security Assessment. Sebastopol, CA: O'Reilly, 2004. Print.
Peltier, Thomas. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Boca Raton, FL: Auerbach Publications, 2002. Print.
Peltier, Thomas. Information Security Risk Analysis. Boca Raton, FL: Auerbach Publications, 2001. Print.
Shon, Harris. All-in-One CISSP Certification Exam Guide. 2nd ed. Emeryville, CA: McGraw-Hill/Osborne, 2003. Print.
Spagnoletti, Paolo, and Andrea Resca. "The Duality of Information Security Management: Fighting against Predictable and Unpredictable Threats." Journal of Information System Security 4 (2008): 46–62.
Stamp, Mark. Information Security: Principles and Practice. New York: Cengage Learning, 2011. Print.
White, Gregory. All-in-One Security+ Certification Exam Guide. Emeryville, CA: McGraw-Hill/Osborne, 2003. Print.
Whiteman, Michael E., and Herbert J. Mattord. Principles of Information Security. New York: Cengage Learning, 2011. Print.