Free Systems Security Policy Essay Sample
This policy document basically defines specific requirements, rules and regulation that will govern the appropriate use of our newly developed e-commerce domain and the entire computing system of the organization. These rules are universally applicable to both employees of the organization and its potential customers. The computer facilities, all related data and information therein are important assets of the organization and thus should be accorded adequate security. All parties concerned should share equal responsibility and accountability in ensuring the security, confidentiality and integrity of any information used.
This policy covers authorized access, use, disclosure, modification and damage of any information found on the organization’s computer systems. Its purpose is to encourage effective and efficient use of information on its business transactions and operation for full realization f the organization’s goals and objectives. This policy emphasizes adequate security on data relating to its customers. Both customers and employees are thus expected to cooperate fully with the system developers and administrators to enable full attainment of the organization’s objectives.
This security policy is applicable throughout the organization and to other third parties, such as customers, system developers and the general public. Violation of the rules stipulated in this policy by an employee will automatically lead to disciplinary actions and termination of employment. Other parties will face prosecution in a court of law. All the security requirements in this policy must be enforced by any user of the computer systems.
All information that is generated or obtained or used for transaction purposes shall be treated by the company as sensitive information and shall not be provide to other parties without discrete permission from the owner. The inception, development and implementation, and proper use of the new system are the sole responsibilities of every user. Any sensitive data, such as payroll or pricing information, residing on individual computers must be protected with document passwords or encrypted. In order to prevent violation of users’ privileges, no user will be allowed to share User-IDs and passwords with their colleagues. User policies will define what users can do when using the network or data and as well as defining security settings such as password. User policies will limit what can be added to the network that may interfere with its security, for instance, installation of new programs at the workstations, the types of programs end-user are allow to use and how they can access and manipulate data (Pfleeger & Shari, 2003).
User policy security requirements will include password policies that help keep user accounts secure. The system will define how often users are allowed to change their passwords, the length of the passwords complexity rules that control the characters to be used in the password, for example, lower or upper-case letters, numbers and special characters. The proprietary information rules will govern use information owned by the company. It will further define where such information is stored and how it is transmitted. Internet usage policies will control the use of emails and any data sent over the internet. System use regulations will control on program installations into the system, prevent instant messaging file sharing and manage personal account and their respective log-ins. The remote use system will check for viruses, malwares and Trojans that may be harmful to the system. Every user is to adhere with the information technology policies that define maximum system security and stability. The new system must be able to offer recovery and validation facilities after attacks by viruses. It should also make recommendations to prevent similar incidents, and provide instant back-ups, where it should be stored and system programs that do carry out the back-up process. Server configuration settings shall modify the systems, block or allow ports, provide and control the user interfaces, auto forward emails, perform system auditing and assessment (Lehtinen, Russell &Gangemi, 2006).
There should be effective disaster management and recovery which includes server recovery, data recovery, end-user recovery and emergency response techniques. Proper risk management to ensure that vulnerable and threats to the system are prevented. Countermeasures should be employed to tackle such risks. The system should as well provide informational confidentiality, that is, there should be no disclosure of information to unauthorized individuals. Customer credit card numbers should be encrypt by the system during transmission by limiting places where it may appear for example in the databases and log files, and provide safe storage for the data. It should also offer data integrity which implies inability to modify stored data without detection. The system must as well provide integrity to the messages send in addition to data confidentiality.
Another important aspect of a good system is data availability. This enhances quality services to customers by availing information they may require at the right time. The communication channels used to access the data must be always functioning correctly. It should also ensure that denial-of-service attacks are prevented. For authenticity purposes, all the data, transactions and communications and documents used within the system must be genuine. It must also ensure that the users are the real people whom they claim to be. To effectively monitor the system, system controls must be put into place. These may include administrative controls such as Data Security Standards imposed by Visa and Master cards (Peltier, 1991).
It must also have logical or technical controls that use software and data to monitor and control access to information and the computing system. For instance passwords, network based firewalls and data encryption. Passwords should have limited attempts, and limited time periods.
Physical controls such as network separation and cable locks monitor the environment of work place and computing facilities. Access controls including identification and authentification to help regulate who can access what data and for what purpose.