Random Widget Works: Information Security Policy

Eric Palmer ISA 3300 W-01 Whitman Summer Semester 6/21/2013


Table of Contents

Organization Overview
Information Security Policy Need
Enterprise Information Security Policy
ENTERPRISE INFORMATION SECURITY POLICY FOR RANDOM WIDGET WORKS
    Purpose
    Information Security Elements
    The Need for Information Security
    Information Security Responsibilities and Roles
    Reference to Other Information Technology Standards and Guidelines
Issue Specific Security Policies
    1. Purpose
    2. Authorized Uses
    3. Prohibited Uses
    4. Systems Management
    5. Violations of Policy
    6. Policy Review and Modification
    7. Limitations of Liability
FAIR AND RESPONSIBLE USE OF RWW COMPUTERS
    1. Statement of Purpose
    2. Authorized Uses
    3. Prohibited Uses
    5. Violations of Policy
    6. Policy Review and Modification
    7. Limitations of Liability
FAIR AND RESPONSIBLE USE OF RWW EMAIL
    1. Statement of Purpose
    2. Authorized Uses
    3. Prohibited Uses
    4. Systems Management
    5. Violations of Policy
    6. Policy Review and Modification
    7. Limitations of Liability

Organization Overview

Random Widget Works makes quality widgets and equipment for modern businesses. Established in 1995, Random Widget Works has grown into the largest manufacturer of widgets and other equipment. It strives to be the preferred manufacturer of choice for every business’s widget equipment needs. Random Widget Works values commitment, honesty, integrity, and social responsibility among its employees. It is committed to providing services for its corporate, social, legal, and natural environments.

Random Widget Works, based in Atlanta, Georgia, has over 350 employees. The company CEO, Alex Truman, revolutionized the field of widget manufacturing. The Chief Information Officer for Random Widget Works is Mike Edwards, who has been a part of Random Widget Works since the beginning. Recently Mike Edwards decided that the company needed to increase its information security. He decided to create a Chief Information Security Officer position to help meet this need. Based on the recommendation of co-worker Charlie Moody, Iris Majwabu was given the position.

Information Security Policy Need

Random Widget Works needs an Enterprise Information Security Policy and Issue Specific Security Policies. If the company does not recognize the need for security, it will face losses in profits, customers, and employees, and may be charged with crimes for breaking the law. A company needs an Enterprise Information Security Policy to plan for all events that may hurt the company. The EISP sets the strategic direction for all the organization’s security efforts (Whitman & Mattord, 2010). The EISP is drafted by the Chief Information Security Officer and reviewed and approved by the CIO and other executives. It does not require frequent modification unless the direction of the company changes. Random Widget Works will not have to worry about making too many modifications since it has written many of the policies from scratch. When making the EISP, Random Widget Works will need to make policies that help the company protect itself while also keeping the mission and objectives it was founded on in perspective (Whitman & Mattord, 2010).

The Issue Specific Security Policy is crucial to Random Widget Works’ well-being as a company. If a disaster befalls the company, the ISSP will list everything that needs to be done. This policy will make technology policies known throughout the company. Managers and employees will know what they should and should not do while at work. This policy protects both the employees and the organization.

Enterprise Information Security Policy

The Enterprise Information Security Policy is known by many names. Some call it a security program policy, general security policy, or IT policy, among a number of other names (Whitman & Mattord, 2010). The purpose of this policy is to set the direction for all of the company’s security needs. Enterprise Information Security manages, develops, and implements the requirements of an information security program. For these programs to be made, they must be approved throughout the organization by information security management, IT development, IT operations, and others (Whitman & Mattord, 2010).

When designing an EISP for Random Widget Works, we keep in mind the company’s mission, vision, and values. If the EISP does not coincide with the company’s mission, vision, and values, the policy will not benefit the company or make sense. Random Widget Works strives to be the leader in widget machinery, so an EISP needs to be made that will not only protect the company’s interests but also not restrict its ability to develop into the company it wants to become.

EISPs differ between companies depending on their needs, but they all have some similarities. An EISP states the company’s viewpoint on security: is it strict with security, or more easygoing? The EISP has information about the design of the information security organization and who is responsible for the information security role. It then states the responsibility of all members of the company for security (Whitman & Mattord, 2010).

A good EISP document has a number of important components. The Purpose tells what the policy is, what the reasoning is, and what it includes. The Information Security Elements component defines the different security viewpoints for the Random Widget Works EISP. The next component is the Need section, which describes the organization and what is needed to protect assets with regard to clients, employees, or other companies. Additional components are the list of responsibilities in the organization and the roles that support information security in the company. The last component lists the laws the company must abide by (Whitman & Mattord, 2010).

ENTERPRISE INFORMATION SECURITY POLICY FOR RANDOM WIDGET WORKS

Purpose

This policy establishes information security practices for machinery, computer equipment, telecommunications, email, and other incidents (Whitman & Mattord, 2010). This policy is intended to give guidance for the company so that all employees follow operating procedure when doing their given tasks with Random Widget Works. Managers, information security staff, and other employees will have assigned roles and levels of security clearance.

Information Security Elements

Information security is the protection of data and of the software and hardware that use that data. Random Widget Works’ information security is based on the need to maintain confidentiality, integrity, and availability of information. The information security model consists of training and education, policies, and employee/customer protection (Whitman & Mattord, 2010).

The Need for Information Security

Information security is a necessity for all legal and ethical issues, and the company is obligated to protect its clients’ and employees’ sensitive information. Information security is needed to protect Random Widget Works from employee errors, criminal activity, disasters, and system failure. Data integrity and confidentiality are a major concern for Random Widget Works. Random Widget Works strives to protect the company by putting in safeguards so that errors will be detected and prevented. With an information security system, all issues will be dealt with appropriately, and modifications will be made as issues occur to make the security system stronger.

Information Security Responsibilities and Roles

Chief Information Officer:

The Chief Information Officer is responsible for overseeing the implementation of the Information Security Policy. The CIO reviews the recommended strategies for the implementation of the Information Security Policy, determines whether the business impact of a strategy will be harmful for the company, and makes sure that it is in line with the company’s goals. The CIO also oversees the review and approval of the Information Security Policy by company executives (Knight, 2010).

Chief Information Security Officer:

The Chief Information Security Officer will be in charge of the development of the Information Security Policy. The CISO will develop and document procedures for the Information Security Policy. The CISO is responsible for setting up an information security training program for all employees of Random Widget Works. In the event of a breach of information security, the CISO is responsible for conducting a response (Knight, 2010).

Data Steward:

The Data Steward is an employee of RWW who sets data classification levels for different levels of employees. The privacy settings allow different levels of access for managers, information security staff, and employees (Knight, 2010). The Data Steward ensures controls are met to protect the confidentiality, integrity, and availability of data. The Data Steward is in charge of the distribution of passwords and email accounts throughout the company (Knight, 2010).

Users:

A user is anyone employed by, or any client conducting business with, Random Widget Works. All users must follow the guidelines and procedures specified by the Information Security Policy. All users must report any breach of security to the Client Information Security Officer.

Reference to Other Information Technology Standards and Guidelines

- ISO 20007 series

Issue Specific Security Policies

Issues:

Misuse of telecommunications:

When taking calls for the company, a person should always answer the calls with a predefined checklist. They should greet the caller, give the name of the company, and provide their name. Some receptionists may not have important information at their disposal, but they still must be careful about giving out certain information. If a caller says that he is the manager of a certain division and needs the email and phone number of a certain executive, the receptionist should have a policy for the way she conducts business. No information should be given out unless proof has been given, and only if the information requested is not capable of crippling the company if it reaches the wrong hands. A policy for telecommunications is necessary so that hackers will not be able to call up claiming to be someone important in order to receive important information.

Misuse of electronic mail:

When using the computers at work, only email within the company should be viewed and sent. When employees use their email for outside activities, there is a greater chance the computers can get viruses. A policy needs to be made so that if an employee goes against policy and damages the computers at work due to negligence, he or she is held accountable for their actions. To make sure each employee knows what to do with email, they should take a mandatory course telling them what they shouldn’t do and what types of emails they should look out for to help protect the company.

Disaster planning and Incident Response:

A fire broke out at Random Widget Works in the break room. The sprinklers turned on and destroyed many computers employees were working on. Luckily for the employees and the company, the information is stored on the g: drive in a different location of the building. However, what would happen if that room caught fire? Would a sprinkler turn on and destroy all of the servers, or would a gas be used to extinguish the fire? The CISO needs to have a list of policies showing what must be done in an incident. If a fire in the break room ruins computers in the nearby office, the break room may need to be moved into a location where common

Employee Conduct:

Employee conduct is another issue that needs to be taken into account. Two employees were at their desks playing cards and eating lunch. One of them was using the compact disc tray as a coffee holder. There are a number of issues with this situation. They should go to the break room for lunch and never have food out near the computers. The computer is company property, and the employees should be accountable for any damages. A client came into the office that day and, due to the actions of the employees, decided not to place an order with Random Widget Works. Employee misconduct hurts the company in many ways: we lose clients, company property is damaged, and it makes the company susceptible to attacks from viruses and hackers. A policy needs to be in place so there is no question about what is allowed at work, and so that the company can protect itself from damages or lawsuits.

FAIR AND RESPONSIBLE USE OF RWW INTERNET AND WWW

1. Purpose

a. Scope and Applicability

The Internet/World Wide Web Policy covers all aspects associated with the confidentiality, integrity, and availability of information when using the Internet. The entire company is on the Internet on a daily basis and is in contact with employees and clients constantly.

b. Definition of Technology Addressed

The technologies addressed in this policy are all computers, servers, and machinery that connect to the internet at Random Widget Works.

c. Responsibilities

The CISO is responsible for developing a program that will train all employees in the correct way to use the internet and in what is permitted under the Information Security Policy. All users must take the training course to understand the policy so that no accidental incidents will occur when on the internet while at Random Widget Works.

2. Authorized Uses

a. User Access

Management will have access to conduct internet activities with minimum access restrictions. Only sites that have been marked as potentially harmful will be prohibited. An example of this is no access to pornographic sites or websites prone to viruses such as Facebook. All employees who require access to the internet for research will have the highest level of access because they need total roaming capabilities.

b. Fair and Responsible Use

Fair and responsible use of the internet includes using it to send email throughout the company, and only to employees of the company, unless permission is given to email potential clients. Internet usage will be permitted, but only on company-permitted websites under company terms.

c. Protection of Privacy

All employees will be given an email address with an abbreviated name so that employee identities are not easily obtained from the outside. For internet use, a username and password are required so that only employees with certain levels of clearance can access the internet.

3. Prohibited Uses

a. Disruptive Use or Misuse

Employees are not permitted to use the internet to check bank accounts or personal websites. Playing loud music from the internet is also not permitted, due to the company’s professional appearance and the possible virus threat.

b. Criminal Use

All internet use for child pornography will be reported to police, and the employee will be terminated immediately from the company. Internet use to sell information or sabotage the company is criminal activity.

c. Offensive or Harassing Materials

Employees are prohibited from viewing websites that are pornographic, violent, or discriminatory in nature.

d. Copyrighted, Licensed, or Other Intellectual Property

Downloading any music or software without a license is prohibited.

d. Other Restrictions

Using the internet on personal cell phones to go around company internet restrictions is prohibited.

4. Systems Management

a. Management of Stored Materials

All materials downloaded off the internet are stored on the g: drive on the company’s server. The server will filter out any files considered a threat and manage a log of the source computers.

An internet log is recorded on the company server, which tells what sites an employee has been visiting and how long each day they spent on the internet.

c. Virus Protection

All files and websites are first scanned with a virus checker. If a threat comes up, the site will be blocked and recorded on the list of prohibited sites.

d. Physical Security

The systems manager will be responsible for monitoring security throughout the company network. If an employee has broken policy procedures, a systems manager can ask physical security to escort the employee off company premises until the investigation has been completed.

e. Encryption

The information that is saved from internet activity is encrypted and stored on the g: drive of the company server. This will prevent research or other sensitive information from being leaked due to intrusions from outside the company.

5. Violations of Policy

a. Procedures for Reporting Violations

When a violation has occurred, an employee must notify the CISO of the issue. The CISO will then resolve the situation accordingly by talking to database administration and network administration and giving a report of the incident to the CIO.

b. Penalties for Violations

Minor violations will result in a write-up of what the employee did and how it affected the company. For first-time violations, the employee may be given retraining on information security and proper work ethics. Repeat violations will be treated more severely, resulting in a required leave of absence without pay and possible termination.

Major violations will result in notification of the CISO, CIO, Network Administration, and Database Administration. A hold will be placed on the employee’s access and a report will be developed. Physical Security will obtain the employee, and police will be called. Major violations result in employee termination.

6. Policy Review and Modification

a. Scheduled Review of Policy

Random Widget Works will require a meeting on the Information Security Policy every quarter. If a new internet-related issue arises, an immediate meeting must be conducted. A meeting including the CEO, CIO, and CISO will discuss the new trends in security and offer any new changes that might be made to the policy.

b. Procedures for Modification

After the review of the policy, the CEO will determine whether the changes to the policy would be in the best interest of Random Widget Works. The changes to policy must coincide with company goals while keeping business interests in mind. The CEO will then give permission to update the policy with the new modifications. The CIO can temporarily modify policy without approval during system emergencies such as a disaster or massive system corruption.

7. Limitations of Liability

a. Statements of Liability

If an employee violates company policy and is caught doing any illegal internet activity, Random Widget Works is not liable for any employee actions.

b. Other Disclaimers

Any damages resulting from an employee violating policy may result in termination and/or a lawsuit.

FAIR AND RESPONSIBLE USE OF RWW COMPUTERS

1. Statement of Purpose

a. Scope and Applicability

All computer equipment used at Random Widget Works, including computers, printers, fax machines, servers, company phones, computer notebooks, personal digital assistants (PDAs), and other hardware, is covered by the Computer Resources Policy.

c. Definition of Technology Addressed

This policy serves to address the issues relating to misuse of company computer property.

d. Responsibilities

All employees are responsible for knowing company policy and for using company computer property in accordance with data confidentiality, integrity, and availability. In addition to information security, employees are responsible for using appropriate work ethics when around equipment.

2. Authorized Uses

a. User Access

All employees have access to company printers, faxes, and computers. They have permission to use them as long as they abide by company policy.

b. Fair and Responsible Use

All employees will be trained on safe and proper use of computer equipment.

c. Protection of Privacy

Employees will have privacy from other employees, but a log of all employee activity is maintained on company servers.

3. Prohibited Uses

a. Disruptive Use or Misuse

All employees must use computer equipment for its intended purpose. No food or drinks are allowed near the computers, and no one is allowed to sit on the equipment.

Employees will be brought up on criminal charges if caught tampering with the functionality of company computer property, or if caught sabotaging company equipment.

c. Offensive or Harassing Materials

No employee shall display, print, or fax inappropriate material, which may be pornographic, violent, or discriminatory in nature.

d. Copyrighted, Licensed, or Other Intellectual Property

No installation of software shall be allowed on company property if the software is unlicensed.

e. Other Restrictions

No outside computer resource is prohibited without permission from CISO.

4. Systems Management

a. Management of Stored Materials

All print and fax activities are stored in a log on the company server.

b. Employer Monitoring

All employees will be monitored on each computer resource they use. The amount of time spent and the amount of resources used will be accounted for and stored in a log under each employee’s name.

c. Virus Protection

All computers and other computer hardware are protected from viruses on the network through strict firewalls and virus software.

d. Physical Security

All computer equipment at Random Widget Works is monitored by surveillance to ensure no property is damaged by disasters such as fire or incidents such as theft.

e. Encryption

All data from the company is encrypted so that if any data leaves Random Widget Works’ company network, the data cannot be interpreted without the company’s decryption software.

5. Violations of Policy

When a violation of computer resources has occurred, an employee must notify the CISO of the issue. The CISO will then resolve the situation accordingly by talking to database administration and network administration and giving a report of the incident to the CIO.

d. Penalties for Violations

Minor violations will result in a write-up of what the employee did and how it affected the company. For first-time violations, the employee may be given retraining on information security and proper work ethics. Repeat violations will be treated more severely, resulting in a required leave of absence without pay and possible termination.

Major violations will result in notification of the CISO, CIO, Network Administration, and Database Administration. A hold will be placed on the employee’s access and a report will be developed. Physical Security will obtain the employee, and police will be called.

6. Policy Review and Modification

c. Scheduled Review of Policy

Random Widget Works will require a meeting on the Information Security Policy for computer resources semiannually. If a computer-resource-related issue arises, the CISO must be contacted immediately. A meeting including the CEO, CIO, and CISO will discuss any needed modifications to the Computer Resource ISSP.

d. Procedures for Modification

After the review of the policy, the CEO will determine whether the changes to the policy would be in the best interest of Random Widget Works. The changes to policy must coincide with company goals while keeping business interests in mind. The CEO will then give permission to update the policy with the new modifications. The CIO can temporarily modify policy without approval during system emergencies such as a disaster or massive system corruption.

7. Limitations of Liability

e. Statements of Liability

If an employee violates company policy and is caught doing any illegal activity with any company computer resource, Random Widget Works is not liable for any employee actions.

f. Other Disclaimers

Any damages resulting from an employee violating policy may result in termination and/or a lawsuit.

FAIR AND RESPONSIBLE USE OF RWW EMAIL

1. Statement of Purpose

a. Scope and Applicability

The Email Policy is critical for the security of Random Widget Works. It applies throughout the company, and it has the strictest security.

b. Definition of Technology Addressed

Email is how the company communicates with its employees and with clients outside the company.

c. Responsibilities

Employees are responsible for knowing the correct way to use email so that information security, as well as company ethics policies, are followed.

2. Authorized Uses

a. User Access

All employees have access to email with a username and password.

b. Fair and Responsible Use

When using email, no employee should contact an address that is not a company email address. No employee should read or open any email if the address is known or does not have a company email address. An employee should not use the company email for personal use.

c. Protection of Privacy

All upper management will have protection so that important emails cannot be read by many of the employees. These restrictions will prevent sensitive information from being leaked. All emails sent on the RWW network are encoded so that if an email leaves the company network, it will not be readable.

3. Prohibited Uses

No emails not related to work shall be sent around the company network. This does not include employee birthdays, wish lists, and company events. No jokes or gossip are to be sent around by email.

b. Criminal Use

Sending company secrets to other companies or news sources is illegal. Sabotaging the company computer system by sending a virus through the company email is illegal.

c. Offensive or Harassing Materials

No discriminatory or offensive emails will be permitted. These include sexual, violent, or racist emails, even if the intent was not to be offensive.

d. Copyrighted, Licensed, or Other Intellectual Property

Emailing software throughout the network is illegal. All software must be licensed for use on company computers.

e. Other Restrictions

For security purposes, company emails may not be forwarded to personal cell phones.

4. Systems Management

a. Management of Stored Materials

Emails are stored in a log on the company’s server. They can be looked up by the CISO, CIO, and Database Administrators with the permission of the CEO.

b. Employer Monitoring

Every email is run through a company filter, which detects key words that might be considered offensive or associated with computer viruses. All emails are logged on the company server.

c. Virus Protection

Emails are scanned for viruses before they are received and before they are sent out.

d. Physical Security

Physical security is needed to make sure no one is using computers during off hours and to protect the server room.

All emails are encrypted so that mail cannot be read outside of the company without first being decrypted.

5. Violations of Policy

a. Procedures for Reporting Violations

When a violation has occurred, an employee must notify the CISO of the issue. The CISO will then resolve the situation accordingly by talking to database administration and network administration and giving a report of the incident to the CIO.

b. Penalties for Violations

Minor violations will result in a write-up of what the employee did and how it affected the company. For first-time violations, the employee may be given retraining on information security and proper work ethics. Repeat violations will be treated more severely, resulting in a required leave of absence without pay and possible termination.

Major violations will result in notification of the CISO, CIO, Network Administration, and Database Administration. A hold will be placed on the employee’s access and a report will be developed. Physical Security will obtain the employee, and police will be called.

6. Policy Review and Modification

a. Scheduled Review of Policy

Random Widget Works will require a meeting on the Information Security Policy for Email every quarter. If a new email issue arises, an immediate meeting must be conducted. A meeting including the CEO, CIO, and CISO will discuss the new threats and the response that will need to be conducted.

b. Procedures for Modification

The CEO will determine whether the changes to the policy would be in the best interest of Random Widget Works. The changes to policy must coincide with company goals while keeping business interests in mind. The CEO will then give permission to update the policy with the new modifications. The CIO can temporarily modify policy without approval during system emergencies such as a disaster or massive system corruption.

7. Limitations of Liability

a. Statements of Liability

If an employee violates company policy and is caught doing any illegal email activity, Random Widget Works is not liable for any employee actions.

b. Other Disclaimers

Any damages resulting from an employee violating policy may result in termination and/or a lawsuit.

References

Knight, Ridder. (2010, August 15). Enterprise information security policy (EISP). Retrieved from http://net35.ccs.neu.edu/home/chrisv7/capstoneproject/kr_eisp.aspx

SANS. (2009). SANS security policy research projects. Retrieved from http://www.sans.org/security-resources/sec_policy.php#specific

Whitman, M. E., & Mattord, H. J. (2010). Management of information security. Course Technology Ptr.
