Policy Statement:
Maintaining the security, confidentiality, integrity, and availability of information stored in the union’s computer networks and data communications infrastructure is a responsibility shared by all users of those systems. All users of these systems are responsible for protecting those resources and the information processed, stored or transmitted by them, as set forth in this policy. Violations of this policy may result in disciplinary action up to and including the measures stated in this policy.
Purpose/Objectives:
Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
- Confidentiality, integrity, and availability (CIA) concepts
- Layered security solutions implemented for the seven domains of a typical IT infrastructure
- Common threats for each of the seven domains
- IT security policy framework
- Impact of data classification standard on the seven domains
Scope:
What Are the Major Components of Risk to an IT Infrastructure?
One method is to examine the seven domains of a typical IT infrastructure. You can examine risks within each domain separately. When examining risks for any domain, you look at threats, vulnerabilities and impact. When considering risk management, you can examine each of these domains separately. Each domain represents a possible target for an attacker. Some attackers have the skill and aptitude to con users, so they focus on the User Domain. Other attackers may be experts in specific applications, so they focus on the System/Application Domain.
Risk management is the practice of identifying, assessing, controlling, and mitigating risks. Threats and vulnerabilities are key drivers of risk. Identifying the threats and vulnerabilities that are relevant to the organization is an important step. You can then take action to reduce potential losses from these risks. It is important to realize that risk management is not intended to be risk elimination; that is not a reasonable goal. Instead, risk management attempts to identify the risks that can be minimized and implements controls to do so. Risk management includes several elements.
Standards:
The confidentiality, integrity, and availability (CIA) concept of information systems security is applied across the seven domains of a typical IT infrastructure. Confidentiality covers personal data and information such as credit card or bank account numbers, Social Security Numbers and address information. Integrity ensures that information such as user names and passwords, patents, copyrights, source code, diplomatic information and financial data remains valid, uncorrupted and accurate. Availability covers IT and organization-owned assets under the data classification standard.
Procedures:
The most important implementation will be the C.I.A. concept and its objectives.
- Confidentiality: preventing unauthorized disclosure of information. Data should be available only to authorized users. Loss of confidentiality occurs when data is accessed by someone who should not have access to it. Data is protected using access controls and encryption technologies.
- Integrity: ensuring data or an IT system is not modified or destroyed. If data is modified or destroyed, it loses its value to the company. Hashing is often used to ensure integrity.
- Availability: ensuring data and services are available when needed. IT systems are commonly protected using fault tolerance and redundancy techniques. Backups are used to ensure the data is retained even if an entire building is destroyed.
Who implements the CIA? For confidentiality, the responsible parties are the user, IT administrator, network administrator, Human Resources and the senior manager. Integrity involves the same parties as confidentiality. Availability involves the IT administrator, network administrator and third-party vendors, including the telecommunications company. I will implement the policy by holding meetings at which the staff are introduced to the policies and procedures to be implemented.
Start with a general staff meeting to provide an overview. Proceed to smaller meetings among different departments with more specific instructions regarding how the policies and procedures will apply to them, as well as any special responsibilities and instructions that they need to know. Explain why these policies and procedures are being implemented, and how they will benefit both the company as a whole and individual departments and employees. Allow plenty of time for questions and feedback. After determining how effective the policy is, the next step is to schedule assessments of the policies, replace the existing policy with the new one and implement it firmly.
Guidelines
Time frame for management to catch up with the new policy
A month will be given to management to catch up with the new policy of the organization. If the result is a failure, the compliance staff will gather information on why the policy is hard to follow and come up with the best possible solution.
Scheduling of the new policy
The time to implement the policy should be clearly stated; otherwise the impression may arise that the policy is not well prepared. The Chief Information Officer should clearly state when the policy will start to be implemented in the organization.
Answers to Questions 3 and 4
The SANS process for building and implementing an information security policy can be used to create a well-organized policy that is supported by the organization’s management as well as the staff. It is essential for a policy to be supported not only by the IT department of the organization but also by senior management and the other staff within the organization. The sections of the security policy delivery process are Active Support, Content, Monitoring, Implementation and Compliance.
The active support section discusses how important the support from senior management and from colleagues at every level of the organization is. Without this in place, the policy will almost certainly fail to achieve the organization’s goal. It is divided into two phases. The first phase discusses how to get the support of senior management in creating the security policy. The second phase discusses how to convince the other staff of the organization why they need the policy and how they benefit from it.
The content section discusses how to make an effective security policy for the organization. Making such procedures both secure and workable can be a huge challenge, and much discussion will be required with all interested parties to make them workable, manageable and acceptable. The content of the policy may vary with the organizational structure of the organization. Each position in the organizational structure may need a different policy, so it is essential to make a well-detailed policy plan for each staff role in the organization.
Before implementing the policy, it is necessary to monitor how effective the created policy is. This section may state the sanctions. It also ensures that the policy clearly states on what basis monitoring of staff activity may be undertaken by the organization and by whom. It defines what the potential sanctions are in relation to deliberate ignorance of the policy requirements. Ensure that any such monitoring is a legal activity in your country/state and that it does not conflict with any other legislation (e.g. data protection or privacy acts).
After the monitoring process, the next step is the implementation of the policy. A date for implementing the policy needs to be set. Delay in the implementation risks giving the impression that the policy is not as ready as it was said to be. It is essential to advise management as well as the other staff that there may be some problems in the first days of implementing the policy.
The last section is compliance. If changes to the created policy are needed, the staff or management can request them. No policy is perfectly created; as time goes by, changes will need to be made to the existing policy so that it adapts to the needs of the organization.
Discuss how you would implement policies in all seven domains of a typical IT infrastructure. List the roles and responsibilities of those implementing the policies and those who must follow the policies.
The implementation approach (a general staff meeting followed by department-level meetings, feedback, assessment and replacement of the existing policy) is described under Procedures above. The roles and responsibilities follow.
Roles and Responsibilities
The roles and responsibilities defined below represent the staff positions or groups most directly involved in IT policy development.
Chief Information Officer (CIO): The CIO has overall responsibility for IT policy and policy development at U-M, and approves new and revised standards and guidelines based on the recommendation of the Executive Director.
Chief Information Security Officer (CISO)/IIA Executive Director: The CISO works with the IT Policy Manager and Lead to ensure alignment of the IT Policy program with strategic ITS and NextGen Michigan objectives and priorities.
IIA Council: Council sets policy development priorities; and reviews and approves new or revised policies as the first level of governance approval.
IT Policy and Compliance Staff: IT policy and compliance staff provide overall direction for the IT policy function, including responsibilities for identifying and prioritizing policy needs, ensuring appropriate campus involvement in policy development, and conducting research and benchmarking for emerging policy development.
http://samples.jbpub.com/9780763791872/91872_CH01_p001_028.pdf
http://cio.umich.edu/policy/framework.php