1. What is a security policy and why does an organisation need a security policy?
A security policy is a set of rules and processes that an employee must follow when accessing or manipulating an organisation’s network or data assets. These policies also document what to do if a security incident does occur.
An organisation needs these types of policies to:
Establish a set of rules for how information security is approached.
Identify and prevent the compromise of a system and its information, such as data misuse, networks and
Adhere to the organisation’s ethical and legal responsibilities: there is legislation in place to protect customers’ data, and if a company does not abide by these responsibilities it may be penalised with a fine or a temporary ban on providing services, ultimately putting the services it provides at risk.
Engage employees: security is the responsibility of everyone within the company, from the end user and IT professionals to the Security Administrator.
Dictate who gets access to what: some employees will require higher privileges in the system than others. For example, an end user in the HR department needs access to HR resources but does not need access to User Account Control, which is the concern of Security Administrators and similar roles.
An example of one of these policies is a restriction on who can access what data, so that confidential data is not viewed by people who do not actually need to see it.
These requirements can be classified with the CIA triad, which documents the security requirements as confidentiality (sensitive data is only obtainable by those who are supposed to use it), integrity (data is altered only in a specified and approved manner) and availability (information is accessible when needed).
2. Come up with an example of your own of an issue which could be caused by missing security policies.
An issue that could occur as a result of a missing policy is unauthorised access by an outsider through a company employee’s account. This can happen when there is no policy stating that passwords must be strong (a minimum length and a mix of character types) and must be changed after a certain period. Such a policy might read:
“Passwords must be kept private and contain a varied set of characters in order to make them less susceptible to attack. They must also be changed every three months to avoid them being easily guessed, and must not be too similar to the previous password used. All passwords must contain at least one lower-case letter, one upper-case letter and one number so that they are harder to guess.”
Without such a policy, an attacker who obtains or guesses the password could masquerade as the employee and gain access to the whole network and all the data it holds. This would allow eavesdropping, altering information to the attacker’s advantage (putting the integrity of the data at risk), or stealing data for personal gain.
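The composition and similarity rules in the quoted policy are the part a system can enforce mechanically, and the Go program below is an added example of such a checker; it is not code from the original answer, and the minimum length of 10, the similarity threshold of 0.75, the edit-distance measure and the sample passwords are assumptions made for the illustration. One caveat a practitioner would add to the quoted policy: current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless a compromise is suspected, so the checker enforces the composition and similarity rules and leaves rotation as a separate, event-driven decision.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// PasswordPolicy holds the rules a checker can enforce mechanically:
// minimum length, required character classes and a bound on how similar
// the new password may be to the previous one. The numbers used by callers
// are assumptions for illustration, not figures from the policy text.
type PasswordPolicy struct {
	MinLength     int
	MaxSimilarity float64 // 0.0 (nothing shared) .. 1.0 (identical)
}

// levenshtein returns the edit distance between two strings, counted in runes.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func minInt(vals ...int) int {
	m := vals[0]
	for _, v := range vals[1:] {
		if v < m {
			m = v
		}
	}
	return m
}

// Similarity maps edit distance onto 0..1: "Winter2023" -> "Winter2024"
// scores 0.9, unrelated strings score near 0. Case is ignored so that
// changing only letter case does not count as a new password.
func Similarity(a, b string) float64 {
	a, b = strings.ToLower(a), strings.ToLower(b)
	longest := len([]rune(a))
	if n := len([]rune(b)); n > longest {
		longest = n
	}
	if longest == 0 {
		return 1.0
	}
	return 1.0 - float64(levenshtein(a, b))/float64(longest)
}

// Check returns the rules the candidate violates; an empty result means the
// password is acceptable. previous may be "" for a first password.
func (p PasswordPolicy) Check(candidate, previous string) []string {
	var violations []string
	if len([]rune(candidate)) < p.MinLength {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var lower, upper, digit bool
	for _, r := range candidate {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		}
	}
	if !lower {
		violations = append(violations, "no lower-case letter")
	}
	if !upper {
		violations = append(violations, "no upper-case letter")
	}
	if !digit {
		violations = append(violations, "no digit")
	}
	if previous != "" && Similarity(candidate, previous) > p.MaxSimilarity {
		violations = append(violations, "too similar to the previous password")
	}
	return violations
}
```

With `PasswordPolicy{MinLength: 10, MaxSimilarity: 0.75}`, the constructed inputs `"password"` (no previous) fail on length, upper-case and digit; `"Winter2024"` following `"Winter2023"` passes the composition rules but fails the similarity rule, which is exactly the incrementing pattern the “not too similar” clause is meant to stop; `"Correct-Horse-7"` following `"Winter2023"` is accepted.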
3. What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why? (List at least 4 things). (For example, how to handle
Security is the responsibility of everyone within the company. Any opportunity for an attacker to learn more about the company’s security can lead to further opportunities. For example, if an employee writes down their password and leaves it on their desk, or throws it away in a non-confidential waste bin, an attacker who finds it then only has to work out the matching username. Usernames are often formed generically too (e.g. first initial followed by surname), so an attacker who knows a few usernames may be able to deduce the username and password combination. One way of preventing this is to use two-factor authentication, as the attacker will not be able to sign in without the physical device used to authenticate the user.
Four basic things that should be explained to an employee about a typical security policy are:
How to properly manage your username and password, as well as any other important information.
The most insecure part of a company’s network may be its people, as they might record their authentication credentials on paper, follow bad practices, and so on. Training should be put in place to emphasise how important these credentials are and the devastating impact it could have if these credentials got into the wrong
How to act when a potential security incident or intrusion attempt takes place.
A company should have contingency plans in place for these situations, to be executed in the event of an IT disaster, and all employees should be briefed on the plan so they know what to do if such an event occurs.
How to use workstations and the Internet.
There may be a fair-use policy on top of this, preventing employees from browsing websites that might be distracting or pose a threat, and from running applications that have not been approved. All these measures combined make for good practice of the security policies put in place.
What will happen if an employee does not abide by these policies.
To deter employees from breaking the policies there need to be sanctions in place, and these need to be explained so that employees know the consequences and the severity of what they are doing when a policy is broken. This could range from suspension all the way up to arrest and prosecution.
Always applying the latest updates.
Employees should be made aware from the start that they must always download and install the latest updates for their anti-malware software and any other programs they use, to improve the security of their workstation, and perform full scans of their workstation at least once
The security policy should be explained to an employee before they are let anywhere near a system. Accessing the system without knowing any of the rules and procedures could lead to the network being compromised and important data being corrupted, all through an uninformed employee.
The briefing on the security policies could even be completed before an employee signs a contract, as it allows a potential employee to review what they are getting into and shows how seriously the company takes its security protocols. A signature from the employee once they have read and understood the policy creates an agreement between the employee and the organisation that the policies will be followed.
After the initial explanation, the security policy should be reviewed with employees at regular intervals during their employment. This keeps the organisation’s policies fresh in employees’ minds and reaffirms how seriously the organisation takes them. An added benefit is that any newly introduced policies can be taught and enforced at the same time. To really check employees’ knowledge, a test could also be given with a required pass rate.
4. Your organisation has an e-mail server that processes sensitive emails from senior management and important clients. What should be included in the security policy for the email
A security policy for an organisation’s e-mail service should be thorough and apply to all employees at every level.
There are many security errors, cost impacts and performance implications that can affect a company that has not properly thought through all the scenarios. A security policy for this server should include:
Encrypting email
The sensitive nature of the emails being sent through the server means that encryption should be applied to every message. This stops eavesdropping across the network, especially when sending outside the organisation where security could be
In practice this means two separate controls: TLS between mail servers to protect messages in transit, and S/MIME or OpenPGP for end-to-end protection of the message content, since transport encryption alone does nothing for a message once it is stored on a mailbox server.
Digitally signing email
Having employees use digital signatures provides authentication that the email is from the person who claims to have sent it. This reduces the chance of an employee being caught out by a fraudulent email, as they will be looking for a valid signature. A signature also creates a tamper-evident seal that fails verification if an email has been changed in
Emails only allowed to be sent to known associates of the organisation
The email server is set up for senior management and important clients, meaning the email addresses used to contact them can be established as trusted, and any other email address can be treated with more suspicion. This policy can also be paired with a restriction on sending emails to and from personal email accounts, as these are insecure.
Archiving email
All emails should be kept for a certain length of time before being deleted. This allows information to be recovered and, if a security incident does occur through the email system, lets it be traced back. It also takes the load off the main email server, as archived emails can be stored cheaply on other
Screening email
All emails should be put through screening software that looks for anything that could damage the organisation’s network or reputation, such as malware, offensive language, or messages from suspicious senders.
Limiting the size of email
Limiting the size of all emails going through the server reduces the storage needed and improves performance overall. It also reduces the likelihood of a denial-of-service attack, since without a limit attackers can send emails with large attachments that use up all available resources on the server. Over time this produces a significant cost saving, as fewer servers are needed for storage.
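To show concretely what the ‘tamper-evident seal’ in the digital-signing item above means, the following Go program (an added example, not code from the original answer or from any mail product) signs a message body with Ed25519 and verifies it, then shows that a harmless line-ending change made by a relay still verifies while editing the payment amount does not. The canonicalisation step, the sample message and the function names are assumptions made for the illustration; a real deployment would use S/MIME or OpenPGP, which wrap the same sign-and-verify idea in a standard message format and bind the public key to the sender’s identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// canonicalise makes the signed bytes independent of things mail transport
// legitimately rewrites (CRLF vs LF line endings, trailing whitespace), so
// an honest relay does not break the seal while a real edit still does.
// This is a simplified, assumed scheme, not any mail standard's exact rules.
func canonicalise(body string) []byte {
	body = strings.ReplaceAll(body, "\r\n", "\n")
	lines := strings.Split(body, "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte(strings.TrimRight(strings.Join(lines, "\n"), "\n"))
}

// NewSigningKey generates an Ed25519 key pair for a sender. The public key
// is what recipients need to verify; the private key never leaves the sender.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignBody returns a base64 signature over the canonical body; in a real
// message this would travel in a header alongside the text.
func SignBody(priv ed25519.PrivateKey, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonicalise(body)))
}

// VerifyBody reports whether sig was made over body by the holder of the
// private key matching pub. Any change to the text after signing fails here,
// and so does a signature that is malformed or from a different key.
func VerifyBody(pub ed25519.PublicKey, body, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonicalise(body), sig)
}

func main() {
	pub, priv := NewSigningKey()
	// Constructed sample message, not a real email.
	body := "Please approve the Q3 supplier payment of 40,000.\r\nThanks, CFO"
	sig := SignBody(priv, body)
	fmt.Println("original verifies:      ", VerifyBody(pub, body, sig))
	fmt.Println("LF re-encoded verifies: ", VerifyBody(pub, strings.ReplaceAll(body, "\r\n", "\n"), sig))
	fmt.Println("altered amount verifies:", VerifyBody(pub, strings.Replace(body, "40,000", "400,000", 1), sig))
}
```

The policy consequence is that the signature only helps if recipients actually check it and if the public key they check against is genuinely the sender’s; a signature from an unknown key is no better than no signature, which is why the page’s point about employees ‘looking for the signature’ needs to be backed by key distribution the organisation controls.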
5. Read the UCL and Harvard university security policies 1, 2. Compare and critique the policies, suggesting improvements/updates as appropriate.
Harvard University’s security policy includes ‘Data Classification Levels’, unlike UCL’s. Harvard has taken the approach of classifying its data based on:
Level of sensitivity
Level of value
Level of criticality to the
Classifying data in this way helps in developing baseline security measures to protect it.
(A figure alongside the original text showed Harvard’s five data classification levels; the higher the level, the greater the required protection.)
UCL’s data is classified into 3 sensitivity levels, which map onto Harvard’s five as follows.
Public: this corresponds to Harvard level 1. The data is public because unauthorised alteration or disclosure of it would result in little or no harm to the university.
Private: this corresponds to Harvard levels 2 and 3. This data, if disclosed or altered, could result in some harm. It is neither public nor restricted, so it makes sense to treat it as private data.
Restricted: this corresponds to Harvard levels 4 and 5. This data, if disclosed or altered, could result in devastating harm. Examples of restricted data include data protected by UK privacy regulations and data protected by confidentiality agreements.
Both universities’ security policies are divided into sections. Harvard’s policies, however, are laid out simply, each with a link to a more in-depth version that is split into separate sections describing the policy for different scenarios (e.g. for users, for devices, for servers). This allows a user to easily find and jump to the specific policy they want to read, and makes the policies as a whole appear less wordy. UCL, by contrast, has all of its security policies in a single PDF, with each section presented as lengthy paragraphs, which makes it difficult to jump to a particular policy. I think UCL could benefit from writing up its security policy in a similar fashion to Harvard.
At the end of UCL’s security policy there is a revision table listing all the changes made to the document: which section was edited, the date of the change, and whether the change was checked and approved. It also records the date the document was last reviewed, the date of the next planned review, and the committees/groups responsible for approving changes to the policy.
UCL has a section on disciplinary procedures (5.3 & 6) outlining the consequences if the policies are broken, whereas Harvard seems to brush over this for the sake of a more concise, ‘user-friendly’ policy. Likewise, where UCL explains the objectives of its Information Security policy (1.3), Harvard jumps straight into the policies without explaining why a staff member should comply with the rules.
Harvard has broken its policy into 3 components, each of which is broken down further, whereas UCL has one.
In summary, Harvard has the more appropriate design for appealing to university students and staff, with policies that are short and easy to read. However, UCL’s policies offer more detail and leave less room for assumptions. Harvard’s policy is of questionable completeness, as it leaves out details that users may consider important.