Policy Statement
It is the responsibility of the XYZ Information Security department to maintain the integrity, security, confidentiality and availability of information for all departments and authorized personnel across the company network, computers and data systems infrastructure. All users are expected to exercise responsible sharing and utilization of these systems. In addition, protecting the information and resources transmitted and stored in the infrastructure is a shared responsibility of all users and the IT department. Violations of this policy are subject to disciplinary action, up to and including suspension and termination.
Policy Purpose and Objectives
Information is a primary component of the business and needs adequate protection from unauthorized use, destruction, disclosure and modification. The objective of this policy is to set forth guidelines for integrating security practices into the information systems the company uses daily. Meeting this objective will ensure the continuity of XYZ Credit Union’s business and minimize the damage, risk and impact brought about by a security breach in the system.
Scope
This policy applies to all employees, senior staff, managers and executives of XYZ Credit Union. The scope of this policy covers three important domains of the company’s IT infrastructure, including acceptable use, vulnerability assessment, security awareness and asset protection. The main areas of concern defined in this policy are the proper use of internal information, the use of external material obtained from the Internet, the level of security, and the proper use of IT assets: computers, servers, Internet service, data and storage media.
Standards
Information security focuses on three standard functions, namely access control, administrative users and information protection. In light of that, XYZ will employ encryption technology to protect critical and sensitive data such as customer details, bank account numbers, credit card numbers, Social Security numbers and credit reports. The IT department follows an implementation standard that encrypts pertinent data, which includes options for e-mail and password encryption. The IT security management team imposes software and hardware standards, such as the use of an appropriate operating system (preferably Windows 7 Enterprise) and the Microsoft Office suite with Outlook connected to the company’s intranet for encryption technology integration, information monitoring and control. Finally, to assess the effectiveness of its security implementations, the company needs to employ Cisco Security, cloud and system management, network services applications and other products. This will ensure the effective implementation of this policy. Most importantly, the policy will comply with the guidelines specified by the National Institute of Standards and Technology (NIST SP 800-53 V.3) and the Federal Information Processing Standards Publications (FIPS).
Procedures
The completeness and effectiveness of XYZ Credit Union’s information policy should be constantly monitored and maintained during data handling, storage, generation and transmission. Modified or otherwise corrupted information that poses a risk to decision-making because of errors, and data that cannot be repaired, should be documented and reported so that alternative retrieval can be attempted. Maximizing data integrity is important in ensuring the effective implementation of this policy. Therefore, everyone using the company’s IT resources is required to adhere to the following:
- All issued passwords should be kept confidential. If a user forgets a password, he/she should report it to the administrator for retrieval or a password change. The encryption technology will prevent multiple attempts with the same password, and the network security system will lock the user out of the network to prevent a breach of access.
- Abuse of resources such as the Internet connection will be reported by e-mail to the Chief Security Officer. Resources such as the Internet connection, chat and proprietary software are limited to business-related use. Use of such resources for personal purposes will be reprimanded.
- Internal documents, memos and critical information are to be kept internal; they should not be shared outside the company’s network and will not be made available for public access unless approved by the appropriate authority.
- Loss, misuse or disclosure of critical information and other sensitive data to unauthorized people is a violation of this policy and will be punished to the full extent it allows.
- Data will be categorized according to its level of sensitivity and importance. Common data can be shared within the network, but critical data is to be stored on secured server storage with a limited access level. The system will detect when such information has been transferred or shared outside the network.
- Employees and anyone else in the company will not be allowed to use external storage devices; this will be enforced by disabling the USB storage drivers on company computers.
Guidelines
Audit and accountability are key components of implementation control. Therefore, security-relevant events will be audited and recorded for future evaluation. For example, whenever a security breach within the system is detected, the accountability form should record the responsible person’s actions and the resolution provided. The audit logs will also provide a bigger picture of all the tracking activity that happened in the system. One of the most common roadblocks the policy is likely to face is dissemination of the policy itself. To ensure that everyone in the company is aware of the policy, e-mails will be sent out together with a compliance and accountability form that everyone should sign to confirm their understanding of the new policy. In addition, security breaches and misuse of the system can be addressed through staff training.