Logical and physical topographical layout
A visual view of the physical and logical network helps in implementation and in identifying security problems. Network diagrams are best represented in a graphical format that expresses several kinds of information at once. Research has shown that an optimal layout is one that links all devices together. A map of the network helps in understanding the situation better when a security incident arises. A physical layout, as the name suggests, depicts the physical location of all network devices and components (Kosak, Marks, & Shieber, 1994).
Microsoft Visio software is used for creating the network diagram (Figure 1). The diagram shows the switches, bridge and routers that connect the workstations. A firewall is in place that protects the LAN from potential malicious threats from the internet. A printer is connected through the Main Server and Hub as a shared resource for all workstations belonging to the different departments. The logical layout is also included in the design; it shows the IP address range for all devices in the network. The IP address helps in identifying and mapping each device in the network. The logical layout is helpful in security situations for quickly identifying the problem location, troubleshooting and resolving the issue.
A comprehensive security policy
The CIA triad stands for Confidentiality, Integrity and Availability. An attack on any element of the CIA triad is an attack on the information security of the organization.
A good security policy should be built around protecting the CIA triad. A good policy addresses ethical aspects related to employees, password usage, information and access to network resources (Whitman, & Mattord, 2011). Below is the information security policy for the company.
Company Security Policy
I. POLICY
A. The policy of The Company is that all information, electronic or print, will be subject to protection from unauthorized intentional or accidental modification or destruction.
B. All policies and procedures need to be documented and periodically reviewed for appropriateness.
C. At each department level, additional policies and standards will be developed detailing the implementation of this policy. Existing systems must be made compliant as soon as practical and possible.
II. SCOPE
A. The scope of information security includes the protection and security of the confidentiality, integrity, and availability of information.
B. The agenda for managing information security in this policy is applicable to all entities and workers of The Company, along with other Involved Persons and vendors.
C. This policy and all standards apply to all protected information.
III. RISK MANAGEMENT
1. Systematic analysis of all The Company information networks and systems will be performed frequently to inspect the types of threats, whether internal or external, electronic or non-electronic, natural or artificial.
2. The analysis will also detect the present vulnerabilities in each entity that can potentially expose the information resource to those threats.
3. From the combined evaluation of risks and vulnerabilities, an estimate will be determined of the risks to the confidentiality, integrity, and availability of the information.
4. Based on the periodic evaluation, actions will be implemented that decrease the impact of the threats by reducing the number and scope of the vulnerabilities.
IV. INFORMATION SECURITY DEFINITIONS
Risk: The prospect of a loss of confidentiality, integrity, and availability of information resources.
Affiliated Covered Entities: Legally isolated, but affiliated covered entities choose to assign themselves as a single covered entity for HIPAA.
Confidentiality: Data or information must not be disclosed to unauthorized person and processes.
Availability: Accessibility and usability of data or information upon demand by an authorized person.
Integrity: Data or information has not been misrepresented or misused in an illegitimate manner.
Involved Persons: Every employee of The Company whatever the status is.
Involved Systems: All the technical equipment such as computer and network systems operated within The Company environment, including all platforms (operating systems).
V. INFORMATION SECURITY RESPONSIBILITIES
A. Information Security Officer
The Information Security Officer (ISO) is responsible for developing and implementing security procedures, policies, and controls, after approval from The Company. Explicit responsibilities include ensuring that all security policies and procedures are adhered to by each entity. Providing necessary security support to the users and owners of computer resources is another significant responsibility.
B. Information Owner
The owner of the information is the manager responsible for the creation of the information, or the administrator of an organizational unit. In this context, ownership may be collective, and the owner may entrust ownership responsibilities to another individual. The main responsibilities include complete knowledge of the information and deciding a data retention period for it. The owner ensures appropriate procedures to shield the integrity, confidentiality, and availability of the information, and can authorize access and assign custodianship. Reporting punctually to the ISO about loss or misuse of information, commencing corrections once problems are identified, and promoting employee education and awareness through ISO-approved programs are several other responsibilities of the information owner.
C. Custodian
The custodian of information is responsible for the storage and processing of the information. The responsibilities of the custodian include providing or recommending physical and procedural safeguards. Identifying and responding to security incidents and initiating appropriate actions on identification of problems are also the custodian's responsibilities.
D. User Management
User management means the managers who administer the users defined above. User management is responsible for supervising the employees' access to and use of information, including review and approval of all authorization requests for employees. It also responds to security change requests from employees and informs the relevant parties of employee terminations and transfers.
E. User: User has the right to read, enter, or update the information
VI. INFORMATION CLASSIFICATION
Classification is performed to ensure proper controls for the protection and privacy of information. The classification allocated and the associated controls applied depend on the sensitivity of the information. Information is classified according to the most sensitive detail it includes.
B. Confidential Information
Confidential Information is very significant and extremely sensitive material that is not classified as PHI. This information is personal and must be limited to those with a genuine business need for access. It includes personnel information, proprietary information of commercial research sponsors, access passwords, file encryption keys and financial information. Illegitimate disclosure of this information to an unauthorized person is a violation of laws and regulations.
C. Internal Information
Internal Information is intended for unrestricted use within The Company and, in some cases, within associated organizations such as business partners. This type of information is widely distributed within the organization.
D. Public Information
Public Information is information specifically approved for release by a designated authority. It includes marketing brochures and material posted to The Company's internet web pages and disclosed outside of The Company.
VII. COMPUTER AND INFORMATION CONTROL
All involved systems and information are the property of THE COMPANY and are expected to be protected from unauthorized misuse, manipulation, and destruction. These protective measures may be physical or software based. They include Ownership of Software, Virus Protection, Access Controls, Equipment and Media Controls, and several other Media Controls.
Compliance
A. The Information Security Policy is applicable to all users of THE COMPANY information, including employees, volunteers, medical staff and outside affiliates. Failure to comply with the Information Security Policies and Standards by any employee or associated person may lead to disciplinary action, up to and including dismissal, in accordance with THE COMPANY procedures. In the case of outside affiliates it may result in the termination of the affiliation. Any unauthorized act or failure to meet the terms of the Information Security Policies and Standards by students may constitute grounds for corrective action according to the procedures of THE COMPANY. Further penalties might also be applied.
B. Possible corrective action may be applied to the following:
1. Unauthorized disclosure of Confidential Information.
2. Unauthorized disclosure of passwords.
3. Attempting to obtain a password belonging to another person.
4. Attempting to use someone else's password.
5. Installing unlicensed software on company devices.
7. Intentional unauthorized damage to information.
Password Control Standards
THE COMPANY Information Security Policy demands strictly controlled passwords. The following minimum standards must be implemented for compliance with password controls.
1. Passwords must never be shared with any other person.
2. Passwords must be changed regularly, at least every quarter.
3. Passwords must have a minimum length of 6 digits.
4. Passwords must not be programmed or recorded anywhere.
System software must enforce following standards:
1. Encryption of passwords routed over a network.
2. Passwords are entered in a non-display field.
3. Disable the password after more than three consecutive failed attempts; the lockout time is 30 minutes.
5. Maintain a history of previous passwords and prevent reuse.
(Greene, 2006)
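The following Python example, added here and not part of the original paper, shows how the password standards above (6-character minimum, quarterly change, lockout after more than three consecutive failures for 30 minutes, history to prevent reuse, no clear-text storage) translate into an account-handling routine. It assumes a 90-day quarter, a history depth of 5 and PBKDF2 as the storage hash; none of those three values are stated on the page.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Policy parameters from the standards above; HISTORY_DEPTH and the
# 100000 PBKDF2 iterations are assumptions the page does not state.
MIN_LENGTH = 6
MAX_AGE = timedelta(days=90)       # "changed every quarter"
MAX_FAILURES = 3                   # lock on more than three consecutive failures
LOCKOUT = timedelta(minutes=30)
HISTORY_DEPTH = 5

def _digest(password, salt):
    # Only a salted, slow hash is stored; the clear password is never recorded.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100000)

class Account:
    def __init__(self, password, now):
        self.history = []            # (salt, digest) pairs, newest last
        self.failures = 0
        self.locked_until = None
        self.set_password(password, now)

    def set_password(self, new, now):
        if len(new) < MIN_LENGTH:
            raise ValueError("shorter than policy minimum")
        if any(_digest(new, s) == d for s, d in self.history):
            raise ValueError("reuse of a previous password is prohibited")
        salt = secrets.token_bytes(16)
        self.history = (self.history + [(salt, _digest(new, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now

    def authenticate(self, attempt, now):
        if self.locked_until and now < self.locked_until:
            return "locked"                      # still inside the 30-minute window
        salt, digest = self.history[-1]
        if secrets.compare_digest(_digest(attempt, salt), digest):
            self.failures = 0
            return "expired" if now - self.changed_at >= MAX_AGE else "ok"
        self.failures += 1
        if self.failures > MAX_FAILURES:         # fourth consecutive failure locks
            self.failures = 0
            self.locked_until = now + LOCKOUT
            return "locked"
        return "denied"

def run_scenario():
    # Constructed walk-through: four bad attempts, a try inside the lockout
    # window, a good login after it, and a login after the quarter has passed.
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("Secret1", t0)
    results = [acct.authenticate("wrong", t0 + timedelta(seconds=i)) for i in range(4)]
    later = [timedelta(minutes=10), timedelta(minutes=31), timedelta(days=91)]
    return results + [acct.authenticate("Secret1", t0 + d) for d in later]
```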
References
Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.
Kosak, C., Marks, J., & Shieber, S. (1994). Automating the layout of network diagrams with specified visual organization. IEEE Transactions on Systems, Man and Cybernetics, 24(3), 440-454.
Greene, S. S. (2006). Security Policies and Procedures.