The employees of Global Distribution, Inc. (GDI) have been entrusted to act in good faith and to safeguard the assets of the organization as well as the confidential member information placed under the ownership of the organization (Ciampa, 2011). These significant resources must at all times be under strict protection in order to alleviate any potential impacts to GDI and its employees. Information security at GDI should, therefore, be treated as of utmost importance and be integrated into all aspects of GDI’s business operations. The company has therefore laid down the security policies and standards in order to ensure that the objective of running a secure business at GDI is achieved. This Security Policy Document should, therefore, be integrated into all aspects of planning, administration and operations of GDI, as each of these aspects requires protection so as to mitigate potential risks associated with day-to-day business operations.
Purpose Of The Policy
This document is aimed at fulfilling the following purposes:
- To protect GDI information and end users.
- To set down the rules and regulations for anticipated behaviors by GDI users, the management and all the departments at GDI.
- To curtail potential risks and problems that may threaten business operations at GDI.
- To empower the GDI Information Technology Department to observe and investigate any security mishap.
- To provide a target for GDI to audit the security level.
- To describe, set down and permit the penalties to be administered in contravention to any policy.
This policy document, while basic in nature, gives a general overview of important information that is meant to uphold, develop and comprehend the GDI security policies. The intended audience for this policy, therefore, includes the Management Team of GDI, the technical staff, GDI end users and authorized external users.
Network Usage And Security Policies
Server Security Policy
The purpose of this policy is to set down the regulations governing the base configuration of all the internal servers and corresponding apparatus that are owned or controlled by GDI. This policy also acts in the best interest of GDI as it ensures minimum access to GDI information and technology.
All internal servers will be under the ownership of GDI Management System. The operational responsibility will be placed in the Information Technology (IT) department. The server configuration channels will be identified and approved by the IT department based on the GDI’s operational needs. The IT department will supervise and ensure configuration compliance and set up an exception policy designed to suit the GDI working environment. The IT department should have a described process to change the configuration channels, which should include an assessment and approval by GDI management.
- The servers should be duly registered under the GDI management system and the details concerning the server contacts, their location, and the back-up contact well stipulated.
- Any information regarding the servers that is available to the management system must be updated from time to time.
- Any configuration adjustment for production servers should follow approved, laid-down procedures.
The general configuration procedures should be in accordance with GDI guidelines (Thomas and Stoddard, 2011). The GDI guidelines should ensure that:
- The servers are located in a physically secured environment with entry-control techniques in place.
- The current security details are adopted and installed in the system unless the current details are bound to interfere with normal GDI business operations.
- The correlation of trust relationships between the set systems is discouraged as they pose a huge security risk. Alternative types of communication should be upheld.
- The set GDI standard security guidelines will always be applied in the event a certain function requires to be performed.
- If alternative secure channel access is technically viable, then privileged access is permissible over such channels.
All activities that are bound to compromise the security of the system due to their sensitivity should always be logged. The activities will also require a saved audit trail to be retained for a maximum of one month. Any abnormal activity should be reported to the GDI management with immediate effect.
Virtual Private Network (VPN) Policy
This policy lays down procedures for accessing the GDI main network channels. The GDI employees and authorized external end users are entitled to benefit from the VPN. All users are thereby entitled to such services as choosing a preferred Internet Service Provider (ISP) and coordinated software installation.
- The GDI employees with VPN privileges should ensure that non-GDI members do not gain access to the GDI internal networks.
- All other traffic not connected to GDI corporate network will be stopped.
- The VPN users should each have access to a password for security purposes.
- VPN users will only be allowed to access a single network tunnel.
- The VPN users who remain inactive for more than one hour will automatically be disconnected from GDI network.
- Computers that are not GDI owned must be configured to meet the GDI’s VPN and network policies requirements.
- Only GDI-approved VPN external end users may be recognized.
Acceptable Use Policy
The purpose of this policy is to safeguard the GDI’s employees, clients and the organization from unlawful actions of individuals, whether knowingly or unknowingly. The policy gives a guideline regarding the approved usage of a computer at GDI to protect against risks such as virus attacks or legal issues.
While the GDI network administration has taken up the desire to ensure that some level of privacy is maintained, it is the responsibility of the end users to protect the GDI network. The GDI end users are therefore prohibited from the following activities, inter alia:
- Sharing any data created on the GDI system as the data remain the property of GDI.
- Unlawful replication of copyrighted data for which GDI or the end user holds no active license.
- Installing risky programs into GDI network or server.
- Using the GDI computing asset to participate in illegal activities as established under the workplace laws.
- Engaging in fraudulent transactions of products originating from the GDI account.
- Using the network to breach the security and disrupt normal operations of GDI network communication.
Password Policy
This policy ensures that the security of approved GDI users is safeguarded.
Passwords for GDI accounts should have a combination of upper- and lower-case letters as well as numbers. They should be more than eight characters long.
- All passwords that have been put in the GDI password database should be changed after every three months.
- All passwords that are used at the production system level should be incorporated in the GDI password database.
- All passwords given to authorized individuals at GDI should be changed after six months.
- All passwords should not be communicated to a third party in any manner.
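The rules above can be turned into an automated check so that a password is rejected at creation time rather than discovered to be weak later. The following is an added example and is not part of the GDI policy document: it enforces the stated composition rule (upper-case, lower-case and numeric characters, more than eight characters) and flags accounts whose password age exceeds the three-month rotation window. The 90-day figure is an assumption standing in for "three months", and the reason strings are constructed here.

```python
from datetime import date

# Assumption: "three months" is treated as 90 days for the rotation check.
ROTATION_MAX_AGE_DAYS = 90
# Page rule: "more than eight characters", i.e. nine or more.
MIN_LENGTH = 9


def check_password(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password complies.

    Only the composition rules the policy states are checked: length, and the
    presence of upper-case letters, lower-case letters and digits.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length: must be more than eight characters")
    if not any(c.isupper() for c in password):
        failures.append("composition: missing upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("composition: missing lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("composition: missing number")
    return failures


def rotation_due(last_changed: date, today: date,
                 max_age_days: int = ROTATION_MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation window and must be changed."""
    return (today - last_changed).days > max_age_days


def audit_accounts(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Run both checks over a list of account records and collect findings per account.

    Each record is a dict with 'user', 'password' and 'last_changed' keys
    (constructed sample data; a real audit would read from the password database).
    """
    report = {}
    for acct in accounts:
        findings = check_password(acct["password"])
        if rotation_due(acct["last_changed"], today):
            findings.append("rotation: password older than three months")
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    # Constructed sample records for demonstration only.
    sample = [
        {"user": "alice", "password": "Spring2024x", "last_changed": date(2024, 3, 1)},
        {"user": "bob", "password": "letmein", "last_changed": date(2024, 3, 1)},
        {"user": "carol", "password": "Warehouse7ok", "last_changed": date(2023, 11, 1)},
    ]
    for user, findings in audit_accounts(sample, date(2024, 4, 1)).items():
        print(user, "->", "; ".join(findings))
```

The check deliberately reports every violated rule rather than stopping at the first, so a user correcting a rejected password sees the full list at once; the rotation check is kept separate because it depends on account metadata, not on the password string itself.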
Information Sensitivity Policy
The purpose of this policy is to ensure that sensitive information possessed by GDI employees is not disclosed to third parties except with proper authorization.
- Any GDI information that has been made public by an authorized person can be freely shared with other non-GDI members without any potential harm to GDI systems.
- GDI information has been characterized as follows:
- Minimal Sensitivity Information – This is common information of the company. This information should be made accessible to GDI employees and authorized users. The distribution of such information will not be restricted except in instances that the recipients are unauthorized users of the GDI system.
- More Sensitive Information – This kind of information is restricted to information pertaining to the business, financial aspects, technical aspects and other selected personal information in the GDI system. The information should be made accessible only to authorized GDI employees and non-employees who possess access control.
- Most Sensitive Information – This kind of information is restricted to GDI’s trade secrets, operational and technical information that is key to the success of the company. This information should only be made accessible to the GDI employees and non-employees with approved access.
Acceptable Encryption Policy
The policy acknowledges algorithms to be used during encryption. This ensures that the user process is limited. The policy also ensures that the national policies are adhered to. Further, it recognizes the authority to distribute and employ the encryption expertise outside the GDI jurisdiction.
GDI employees should limit themselves to the use of approved, standardized algorithms for encryption technology. Proprietary encryption should be reviewed by qualified personnel duly appointed by GDI management before being employed.
Remote Access Policy
The principles for creating a link to GDI’s network should be well set out and distinguished from any other host. This is vital as a means of protecting GDI from the risks resulting from unauthorized use of GDI resources. Such risks may result in loss of confidential information, damage to public reputation and damage to GDI’s internal systems.
- GDI employees and authorized end users with privileged remote access to GDI’s network should make sure that their remote access is subject to the same controls as an on-site connection to GDI.
- Close relations of GDI authorized end users may have general access to the internet via the GDI network where the user enjoys flat-rate services. However, the GDI employee will be held liable for any violation of GDI policies if the close relation misuses the access granted.
- Remote access should be stringently restricted and well protected with a strong password or pass-phrase.
- The login details to gain remote access by GDI employees should be well protected and not shared with any other person.
Wireless Communication Policy
The purpose of this policy is to protect the company’s networks by prohibiting access to the GDI networks over unprotected wireless communication means. The company will only allow the usage of wireless systems that meet the standards required by this policy. This policy covers wireless communication devices, ranging from mobile phones to personal computers, that are directly connected to any of GDI’s internal networks.
This policy makes it mandatory for all wireless devices to provide hardware encryption of at least 58 bits. The devices should have a MAC address for easy tracking. The wireless devices should also maintain strong user authentication that is checked against databases external to the device.
Automatically Forwarded Email Policy
The purpose of this policy is to ensure that sensitive company information is not disclosed to unauthorized users. This policy ensures that sensitive information is not transmitted by an automatic email forward from authorized GDI end users to unauthorized personnel.
This policy requires GDI employees to be cautious when sending internal information via email to an external source. Automatically forwarded email from GDI to an external source is thereby prohibited unless such automatic forwarding is approved by authorized GDI personnel. Sensitive information, as set out in the Information Sensitivity Policy, should not be forwarded unless permission to do so is granted by authorized GDI personnel and the email is encrypted as set out in the Acceptable Encryption Policy.
Audit Policy
The purpose of this policy is to mandate the GDI management to conduct and scrutinize security audits on all the systems at GDI. This is important for the management in order to ensure integrity, establish whether security incidents have occurred and monitor any abnormal activity that may jeopardize GDI’s normal business operations.
This policy requires that GDI management be granted direct access upon request for audit purposes. This access includes, but is not limited to:
- Any level system access to any communication device or wireless device.
- Access to any such information that has been generated and stored in the GDI’s custody, whether in electronic form or hardcopy.
- Access to GDI’s work restricted areas.
- Access to GDI’s network systems.
Risk Assessment Policy
The purpose of this policy is to ensure that the GDI management undertakes a risk assessment from time to time in order to establish sensitive areas and to establish an immediate remedy to the problem. This policy allows the management to perform a risk assessment on any area that is within the GDI premises or an external entity that has entered into a third party agreement with GDI.
Any GDI user should not act as a hindrance to the risk assessment procedure and immediate cooperation is required from any user held accountable. The GDI employees should also portray their full support and actively participate in the development and implementation of a remediation plan.
Data Backup And Recovery Policy
The purpose of this policy is to ensure that production servers and computers are frequently backed up to guarantee protection against tragedies that may result in the loss of important GDI data.
It is not the responsibility of the IT department to back up personal computers. It is therefore essential that GDI end users back up their information every two weeks. The users will be held liable for any important data lost as a result of hardware failure.
Any GDI employee or external end user lawfully bound by this policy may be subject to disciplinary action in case of violation, as the GDI management may deem fit (Poole, 2012).
Ciampa, M. (2011). Security: Guide to Network Security Fundamentals. Boston: Cengage Learning Publishers. Web.
Poole, O. (2012). Network Security. Burlington: Butterworth-Heinemann Publications. Web.
Thomas, T., and Stoddard, D. (2011). Network Security First Step. Indianapolis: Cisco Press. Web.