Global Finance Inc Security Policy - Case Study Example

Summary
This case study "Global Finance Inc Security Policy" gives a detailed composition of GFI security policy, its formulation and the implementation process. The security policy contains a set of principles proposed and adopted by the organization as a guideline to determine the course of action. …

Extract of sample "Global Finance Inc Security Policy"

GFI SECURITY POLICY

INTRODUCTION

Global Finance Inc. (GFI) is a financial management organization operating in Canada, the United States and Mexico. A public company listed on the NYSE, it specializes in financial management, loan processing, money investment, and loan application approval. The company has 1600 employees and a host of physical resources. Its growth over the years has propelled it to fame, and it has appeared in Fortune Magazine. The company hosts its IT services in-house in a sprawling and expansive data centre located on the 5th floor of the corporate tower. Though the CEO is adamant that IT services should be outsourced, there is a need for an organizational IT footprint.

As a Computer Security Manager I am mandated to protect the physical and operational security of GFI. Currently, I report directly to Mike Willy, the COO. With a budget of $5.25 million and 11 staff, I intend through this paper to draft a security policy that outlines the physical and logical controls to be applied companywide.

The purpose of this proposal is to give a detailed composition of the GFI security policy, its formulation and its implementation process. The security policy contains a set of principles proposed and adopted by the organization as a guideline to determine the course of action. The proposed security policy is important to the organization in that it outlines the steps and procedures that the GFI community and management should follow to formulate policies that regulate how resources and technologies are used. This organizational security policy is proposed to safeguard the personal information of staff, clients and business associates from possible abuse, misuse and unauthorized access. The policy will allow the GFI security arm to manage and regulate the access, use and handling of the company’s information technology resources.

BACKGROUND

A successful IT program is founded on three fundamental aspects: an IT policy that reflects the needs of the campus; awareness of, and communication with all users about, their IT responsibilities and roles; and the development of controls for monitoring and evaluating the effectiveness of the program. The first step in the development of an awareness and training program is training.

GFI has reported a number of security vulnerabilities and attacks in the past due to the diminishing security footprint in the organization. The reliance on external vendors to pull the company out of the mess whenever an incident occurs is worrying. The recent attacks on GFI underline the importance of an in-house IT presence. Oracle database servers were attacked and the company had to pay immensely for it. Likewise, GFI has recently been in the limelight for all the reasons. Engineers have witnessed increased traffic but cannot ascertain the specific cause. There is also network latency and slow performance at the remote sites. The increasing need for mobility, where employees want to use mobile devices and are willing to bring their own, introduces an additional security risk. Wi-Fi networks will permit this flexibility, but security over these networks is a source of concern. Finally, the company wishes to offer its products and services online and is worried about cloud security and the customer database.

SECURITY POLICY

In the light of these developments, an organizational security policy is a must for GFI. Once a security policy has been developed, training and awareness are conducted in line with the policy. Security awareness and training material integrates the behaviours the campus wants to reinforce, the skills for doing so, and the applicable audiences.
The topics most likely to be considered in developing the material include password and user management; protection against viruses, worms and Trojans; policy implications; resource use and management; incident response and recovery; personal access and use; and social engineering, among others. The sources of awareness material are mainly professional organizations, e-mail advisories, conferences and seminars, and periodicals. Once all the deliberations have been made, the material is put on paper and supplied to everyone in the campus. The implementation process involves communication and delivery of awareness material through mechanisms such as posters, e-mails, newsletters, publications and other efficient, effective and favourable means. The techniques adopted should be easy, scalable, accountable, and able to reach a greater number of users (Enrico Nardelli, 2005).

ORGANIZATIONAL ASSETS

Global Finance Incorporation has a number of assets including policies, technologies, procedures and knowledge. These assets are in the form of artifacts, practices and knowledge that enable it to perform its operations. GFI assets can be listed as follows:
  • Computers and computing resources
  • Network
  • Personnel
  • Data in the company’s Oracle Database
  • Physical infrastructure involving buildings and automobiles

GFI SECURITY POLICY

Information Policy

This policy is a sample security document that provides best practices for dealing with security threats and vulnerabilities and outlines regular security lapses in the company as well as countermeasures. This security policy is drafted in accordance with NIST Special Publication 800-53, which provides guidelines for organizations in the process of system audits to discover security and system needs. The Act stipulates the effective methods for account management, access enforcement, control of information flow, duty separation and least privilege.
For example, NIST 800-53 is used to manage factors such as session controls, automatic marking, management of publicly accessible content, user-based collaboration and access control. The information security access control policy given below is an example.

IT ACCESS CONTROL POLICY

1.0 Network Access Control

1.1 Network use policy
The company will provide connection to the network for the purpose of research and learning. Network access should be used for business purposes alone. Staff will be granted access to permitted networks, while other networks will only be accessed after specific authorization has been granted (Gildas Avoine, 2007).

1.2 Authentication for external connection
All remote users will be authenticated in order to access information resources such as financial transactions and customer details. The Computer Security Program Manager will be responsible for providing this service.

1.3 Remote diagnostic port protection
Modems attached to systems are protected from unauthorized use by disconnecting diagnostic ports that are not in use. Third-party users must be authenticated before accessing devices through remote ports.

1.4 Network segregation
A risk assessment based on the cost and the impact of routing and gateway technology is performed to grant third parties the necessary controls to access networks. New networks that are being developed and tested are segregated from the rest of the company’s internal network through firewalls to eliminate the effects of malfunctioning software. Confidential information should be segregated and assigned to different servers.

1.5 Wireless network policy
Wireless networks at the company should be restricted to lock out intruders and third parties. Computers connected via wireless technology should be restricted to the company premises.

1.6 Mobile computing policy
GFI will institute policies that control the use of laptop computers, PDAs and mobile phones on its network. The BYOD policy will manage users using their own devices.
Before a user is allowed to connect to the company network, it must be authenticated by the Chief Security Manager.

2.0 USERNAME AND PASSWORD MANAGEMENT

Managing the security of users through their user accounts and passwords is essential in ensuring the overall security of the organization. Usernames and passwords are important in managing legitimate users accessing the organization’s resources.

2.1 User account policies
  • All company employees are issued with a username once they are employed in the organization.
  • The system administrator has the overall mandate to assign usernames to new users.
  • Users are required to change their usernames at the first login.
  • The system administrator audits and monitors dormant usernames. A username that is dormant for a period exceeding six months is permanently deregistered. Once a username is deregistered, the system administrator has the sole discretion to register a user.
  • The system administrator has the mandate to lock user accounts for whatever reasons are deemed necessary under the law.

2.2 Password management
  • Upon the first login a user is required to change their password.
  • Passwords are required to be complex and at the same time easy for users to remember.
  • A system administrator will enforce a password history mechanism to ensure that old passwords are not reused. Users are also not allowed to change their passwords immediately after setting a new one. This is managed through a minimum age policy.
  • The system administrator will enforce a password expiry policy that guards against the use of a single password for a long period of time. Users will be required to change their passwords periodically, after a period not exceeding six months.
  • The system administrator will disable the account after five unsuccessful login attempts. A five strikes login policy will be implemented to prevent computer password attacks. The security policy will come into force if a user tries unsuccessfully to log in to their account five times.
By default, they will be blocked and required to report to the system administrator after a period of 24 hours in order to be reset (Moskowitz, 2012).
  • When a new account is created for the user, an account expiry and new account creation policy will be enforced. Users will be prompted to change their passwords under a new or additional account.
  • The number of failed login attempts will be displayed to give users a tracking history before they get locked out.
  • The last successful login will be displayed to enable users to track their last account use.

Each password will have the following characteristics:
  • Upper case characters (A, B, C, D, E, …) and lowercase characters (a, b, c, d)
  • Numbers (1, 2, 3, 4, 5, 6)
  • Special objects such as $@&+=()%>
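
The lockout, reset, expiry and character-class rules of section 2.2 can be expressed as enforcement logic. The following is an added example, not part of the original case study; the names `complexity_gaps` and `Account` are hypothetical, "six months" is taken as 180 days, and a successful login is assumed to clear the failure count.

```python
from datetime import datetime, timedelta

SPECIALS = set("$@&+=()%>")        # the special characters the policy lists
MAX_FAILURES = 5                   # "five strikes" lockout threshold
RESET_WAIT = timedelta(hours=24)   # administrator reset only after 24 hours
MAX_AGE = timedelta(days=180)      # assumption: "six months" taken as 180 days

def complexity_gaps(password):
    """Return the character classes required by the policy that are missing."""
    checks = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    return [name for name, ok in checks.items() if not ok]

class Account:
    """Per-user state needed to apply the lockout and expiry rules."""

    def __init__(self, password_set_at):
        self.failures = 0
        self.locked_at = None
        self.password_set_at = password_set_at

    def record_login(self, success, now):
        """Return 'ok', 'failed', 'locked' or 'expired' for one login attempt."""
        if self.locked_at is not None:
            return "locked"            # a correct password is refused while locked
        if not success:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_at = now
                return "locked"
            return "failed"
        self.failures = 0              # assumption: success clears the count
        if now - self.password_set_at > MAX_AGE:
            return "expired"           # correct password, but a change is forced
        return "ok"

    def admin_reset(self, now):
        """Administrator reset; refused until 24 hours after the lockout."""
        if self.locked_at is None or now - self.locked_at < RESET_WAIT:
            return False
        self.failures, self.locked_at = 0, None
        return True
```

The locked state is checked before the credential result, so a guessed password on the sixth attempt still gains nothing until the administrator resets the account.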
Global Finance Inc Security Policy Case Study Example | Topics and Well Written Essays - 2500 words. https://studentshare.org/information-technology/1823534-security-policy
