Random Widget Works: Information Security Policy



Random Widget Works: Information Security Policy
Eric
ISA 3300 W-01, Whitman
Summer Semester, 6/21/2013

Table of Contents
Organization Overview
Information Security Policy Need
Enterprise Information Security Policy
Enterprise Information Security Policy for Random Widget Works
  Purpose
  Information Security Elements
  The Need for Information Security
  Information Security Responsibilities and Roles
  Reference to Other Information Technology Standards and Guidelines
Issue Specific Security Policies
Fair and Responsible Use of RWW Internet and WWW
  1. Purpose
  2. Authorized Uses
  3. Prohibited Uses
  4. Systems Management
  5. Violations of Policy
  6. Policy Review and Modification
  7. Limitations of Liability
Fair and Responsible Use of RWW Computers
  1. Statement of Purpose
  2. Authorized Uses
  3. Prohibited Uses
  4. Systems Management
  5. Violations of Policy
  6. Policy Review and Modification
  7. Limitations of Liability
Fair and Responsible Use of RWW Email
  1. Statement of Purpose
  2. Authorized Uses
  3. Prohibited Uses
  4. Systems Management
  5. Violations of Policy
  6. Policy Review and Modification
  7. Limitations of Liability
References

Random Widget Works Organization Overview

Organization Overview

Random Widget Works makes quality widgets and equipment for modern businesses. Established in 1995, Random Widget Works has grown into the largest manufacturer of widgets and other equipment. It strives to be the manufacturer of choice for every business's widget equipment needs. Random Widget Works values commitment, honesty, integrity, and social responsibility among its employees. It is committed to providing services for its corporate, social, legal, and natural environments. Random Widget Works, based in Atlanta, Georgia, has over 350 employees. The company CEO, Alex Truman, revolutionized the field of widget manufacturing. The Chief Information Officer for Random Widget Works is Mike Edwards, who has been a part of Random Widget Works since the beginning. Recently Mike Edwards decided that the company needed to increase its information security. He decided to create a Chief Information Security Officer position to meet this need. Based on the recommendation of co-worker Charlie Moody, Iris Majwabu was given the position.

Information Security Policy Need

Random Widget Works needs an Enterprise Information Security Policy and Issue Specific Security Policies. If the company does not recognize the need for security, it will face losses in profits, customers, and employees, and it has the possibility of being charged with crimes due to laws being broken. A company needs an Enterprise Information Security Policy to plan for all events that may hurt the company. The EISP sets the strategic direction for all the organization's security efforts (Whitman & Mattord, 2010). The EISP is drafted by the Chief Information Security Officer and reviewed and approved by the CIO and other executives. It does not require frequent modification unless the direction of the company changes. Random Widget Works will not have to worry about making too many modifications, since it has written many of the policies from scratch. When making the EISP, Random Widget Works will need to make policies that help the company protect itself while also keeping the mission and objectives it was founded on in perspective (Whitman & Mattord, 2010). An Issue Specific Security Policy is crucial to Random Widget Works' well-being as a company. If a disaster falls on the company, the ISSP will have everything listed that needs to be done. This policy will make technology policies known throughout the company. Managers and employees will know what they should and should not do while at work. This policy protects both the employees and the organization.

Random Widget Works Enterprise Information Security Policy

Enterprise Information Security Policy

The Enterprise Information Security Policy is known by many names. Some call it the security program policy, general security policy, IT policy, or a number of other names (Whitman & Mattord, 2010). The purpose of this policy is to set the direction for all of the company's security needs. Enterprise information security manages, develops, and implements the requirements of an information security program. For these programs to be made, they must be approved throughout the organization by information security management, IT development, IT operations, and others (Whitman & Mattord, 2010). When designing an EISP for Random Widget Works, we keep in mind the company's mission, vision, and values. If the EISP does not coincide with the company's mission, vision, and values, the policy will not benefit the company or make sense. Random Widget Works strives to be the leader in widget machinery, so an EISP needs to be made that will not only protect the company's interests but also not restrict its ability to develop into the company it wants to become. EISPs differ between companies depending on their needs, but they all have some similarities. An EISP states the company's viewpoint on security: is it strict with security, or is it more easygoing? The EISP has information about the design of the information security organization and who is responsible for the information security role. It then states the responsibility of all members of the company for security (Whitman & Mattord, 2010). A good EISP document has a number of important components. The purpose tells what the policy is, what the reasoning is, and what it includes. The information security elements component defines the different security viewpoints for the Random Widget Works EISP. The next component is the need section, which tells about the organization and what is needed to protect assets in regard to clients, employees, or other companies. Additional components are the list of responsibilities in an organization and the roles that support information security in the company. The last component lists the laws the company must abide by (Whitman & Mattord, 2010).

ENTERPRISE INFORMATION SECURITY POLICY FOR RANDOM WIDGET WORKS

Purpose
This policy establishes information security practices for machinery, computer equipment, telecommunications, email, and other incidents (Whitman & Mattord, 2010). This policy is intended to give guidance to the company so that all employees follow operating procedure when doing their given tasks with Random Widget Works. Managers, information security staff, and other employees will have assigned roles and levels of security clearance.

Information Security Elements
Information security is the protection of data and of the software and hardware that use that data. Random Widget Works' information security is based on the need to maintain the confidentiality, integrity, and availability of information. The information security model consists of training and education, policies, and employee/customer protection (Whitman & Mattord, 2010).

The Need for Information Security
Information security is a necessity for all legal and ethical issues, and the company is obligated to protect its clients' and employees' sensitive information. Information security is needed to protect Random Widget Works from employee errors, criminal activity, disasters, and system failure. Data integrity and confidentiality are major concerns for Random Widget Works. Random Widget Works strives to protect the company by putting in safeguards so that errors will be detected and prevented. With an information security system, all issues will be dealt with appropriately and modifications will be made as issues occur to make the security system stronger.

Information Security Responsibilities and Roles
Chief Information Officer: The Chief Information Officer is responsible for overseeing the implementation of the Information Security Policy. The CIO reviews the recommended strategies for the implementation of the Information Security Policy, determines whether the business impact of the strategy will be harmful for the company, and makes sure that it is in line with the company's goals. The CIO also oversees the review and approval of the Information Security Policy by company executives (Knight, 2010).
Chief Information Security Officer: The Chief Information Security Officer will be in charge of the development of the Information Security Policy. The CISO will develop and document procedures for the Information Security Policy. The CISO is responsible for setting up an information security training program for all employees of Random Widget Works. In the event of a breach of information security, the CISO is responsible for conducting the response (Knight, 2010).
Data Steward: The Data Steward is an employee of RWW who sets data classification levels for different levels of employees. The privacy settings allow different levels of access for managers, information security staff, and employees (Knight, 2010). The Data Steward ensures controls are met to protect the confidentiality, integrity, and availability of data. The Data Steward is in charge of the distribution of passwords and email accounts throughout the company (Knight, 2010).
Users: A user is anyone employed by, or any client conducting business with, Random Widget Works. All users must follow the guidelines and procedures specified by the Information Security Policy. All users must report any breach of security to the Chief Information Security Officer.

Reference to Other Information Technology Standards and Guidelines
- ISO 20007 series

Random Widget Works Issue Specific Security Policies

Issue Specific Security Policies

Issues:

Misuse of telecommunications: When taking calls for the company, a person should always answer calls using a predefined checklist. They should greet the caller, give the name of the company, and provide their own name. Some receptionists may not have important information at their disposal, but they still must be careful about giving out certain information. If a caller says that he is the manager of a certain division and needs the email and phone number of a certain executive, the receptionist should have a policy for the way she conducts business. No information should be given out unless proof has been provided, and only if the information requested is not capable of crippling the company if it reaches the wrong hands. A policy for telecommunications is necessary so that hackers will not have the ability to call up claiming to be someone important in order to receive important information.

Misuse of electronic mail: When using the computers at work, only email within the company should be viewed and sent. When employees use their email for outside activities, there is a greater chance the computers can get viruses. A policy needs to be made so that if an employee goes against policy and damages the computers at work due to negligence, he or she is held accountable for those actions. To make sure each employee knows what to do with email, they should take a mandatory course telling them what they should not do and what types of emails they should watch out for to help protect the company.

Disaster planning and incident response: A fire broke out at Random Widget Works in the break room. The sprinklers turned on and destroyed many computers employees were working on. Luckily for the employees and the company, the information is stored on the g: drive in a different location in the building. However, what would happen if that room caught fire? Would a sprinkler turn on and destroy all of the servers, or would a gas be used to extinguish the fire? The CISO needs to have a list of policies showing what must be done in an incident. If a fire in the break room ruins computers in the nearby office, the break room may need to be moved to a location where common accidents do not occur.

Employee conduct: Employee conduct is another issue that needs to be taken into account. Two employees were at their desks playing cards and eating lunch. One of them was using the compact disc tray as a coffee holder. There are a number of issues with this situation. They should go to the break room for lunch and never have food out near the computers. The computer is company property and the employees should be accountable for any damages. A client came into the office that day and, due to the actions of the employees, decided not to place an order with Random Widget Works. Employee misconduct hurts the company in many ways: we lose clients, company property is damaged, and it makes the company susceptible to attacks from viruses and hackers. A policy needs to be in place so there is no question what is allowed at work, and so that the company can protect itself from damages or lawsuits.

FAIR AND RESPONSIBLE USE OF RWW INTERNET AND WWW

1. Purpose
a. Scope and Applicability
The Internet/World Wide Web Policy covers all aspects associated with the confidentiality, integrity, and availability of information when using the Internet. The entire company is on the Internet on a daily basis and is in contact with employees and clients constantly.
b. Definition of Technology Addressed
The technologies addressed in this policy are all computers, servers, and machinery that connect to the Internet at Random Widget Works.
c. Responsibilities
The CISO is responsible for developing a program that will train all employees about the correct way to use the Internet and what is permitted under the Information Security Policy. All users must take the training course to understand the policy so that no accidental incidents will occur while on the Internet at Random Widget Works.

2. Authorized Uses
a. User Access
Management will have access to conduct Internet activities with minimum access restrictions. Only sites that have been marked as potentially harmful will be prohibited. An example of this is no access to pornographic sites or websites prone to viruses such as Facebook. All employees who require Internet access for research will have the highest level of access because they need total roaming capabilities.
b. Fair and Responsible Use
Fair and responsible use of the Internet includes using the Internet to send email throughout the company, and only to employees of the company, unless permission is given to email potential clients. Internet usage will be permitted, but only on company-permitted websites under company terms.
c. Protection of Privacy
All employees will be given an email address with an abbreviated name so that employee identities are not easily obtained from the outside. For Internet use, a username and password are required so that only employees with certain levels of clearance can access the Internet.

3. Prohibited Uses
a. Disruptive Use or Misuse
Employees are not permitted to use the Internet to check bank accounts or personal websites. Playing loud music from the Internet is also not permitted, due to the company's professional appearance and the possible virus threat.
b. Criminal Use
All Internet use for child pornography will be reported to the police and the employee will be terminated immediately from the company. Using the Internet to sell information or sabotage the company is criminal activity.
c. Offensive or Harassing Materials
Employees are prohibited from viewing websites that are pornographic, violent, or discriminatory in nature.
d. Copyrighted, Licensed, or Other Intellectual Property
Downloading any music or software without a license is prohibited.
e. Other Restrictions
Using the Internet on personal cell phones to get around company Internet restrictions is prohibited.

4. Systems Management
a. Management of Stored Materials
All materials downloaded off the Internet are stored on the g: drive on the company's server. The server will filter out any files considered a threat and maintain a log of the source computers.
b. Employer Monitoring
An Internet log is recorded on the company server, which tells what sites an employee has been visiting and how long each day they spent on the Internet.
c. Virus Protection
All files and websites are first scanned with a virus checker. If a threat comes up, the site will be blocked and put on the list of prohibited sites.
d. Physical Security
The systems manager will be responsible for monitoring security throughout the company network. If an employee has broken policy procedures, a systems manager can ask physical security to escort the employee off company premises until the investigation has been completed.
e. Encryption
The information that is saved from Internet activity is encrypted and stored on the g: drive of the company server. This will prevent research or other sensitive information from being leaked due to intrusions from outside the company.

5. Violations of Policy
a. Procedures for Reporting Violations
When a violation has occurred, an employee must notify the CISO of the issue. The CISO will then resolve the situation accordingly by talking to database administration and network administration, and by giving a report of the incident to the CIO.
b. Penalties for Violations
Minor violations will result in a write-up of what the employee did and how it affected the company. For first-time violations, the employee may be given retraining on information security and proper work ethics. Repeat violations will be treated more severely, resulting in the employee being required to take a leave of absence without pay, and possible termination. Major violations will result in notification of the CISO, CIO, network administration, and database administration. A hold will be placed on the employee's access and a report will be developed. Physical security will detain the employee and the police will be called. Major violations result in employee termination.

6. Policy Review and Modification
a. Scheduled Review of Policy
Random Widget Works will require a meeting on the Information Security Policy every quarter. If a new Internet-related issue arises, an immediate meeting must be conducted. A meeting including the CEO, CIO, and CISO will discuss the new trends in security and offer any new changes that might be made to the policy.
b. Procedures for Modification
After the review of the policy, the CEO will determine whether the changes to the policy would be in the best interest of Random Widget Works. The changes to the policy must coincide with company goals, while keeping business interests in mind. The CEO will then give permission to update the policy with the new modifications. The CIO can temporarily modify the policy without approval during system emergencies such as a disaster or massive system corruption.

7. Limitations of Liability
a. Statements of Liability
If an employee violates company policy and is caught doing any illegal Internet activity, Random Widget Works is not liable for any employee actions.
b. Other Disclaimers
All damages resulting from an employee violating policy may result in termination and/or a lawsuit.

FAIR AND RESPONSIBLE USE OF RWW COMPUTERS

1. Statement of Purpose
a. Scope and Applicability
All computer equipment used at Random Widget Works, including computers, printers, fax machines, servers, company phones, notebook computers, personal digital assistants (PDAs), and other hardware, is subject to the Computer Resources Policy.
b. Definition of Technology Addressed
This policy serves to address the issues relating to misuse of company computer property.
c. Responsibilities
All employees are responsible for knowing company policy and for using company computer property in a way that preserves data confidentiality, integrity, and availability. As well as information security, employees are responsible for using appropriate work ethics when around equipment.

2. Authorized Uses
a. User Access
All employees have access to company printers, faxes, and computers. They have permission to use them as long as they abide by company policy.
b. Fair and Responsible Use
All employees will be trained on the safe and proper use of computer equipment.
c. Protection of Privacy
Employees will have privacy from other employees, but a log of all employee activity is maintained on company servers.

3. Prohibited Uses
a. Disruptive Use or Misuse
All employees must use computer equipment for its intended purpose. No food or drinks are allowed near the computers and no one is allowed to sit on the equipment.
b. Criminal Use
Employees will be brought up on criminal charges if caught tampering with the functionality of company computer property or if caught sabotaging company equipment.
c. Offensive or Harassing Materials
No employee shall display, print, or fax inappropriate material, which may be pornographic, violent, or discriminatory in nature.
d. Copyrighted, Licensed, or Other Intellectual Property
No installation of software shall be allowed on company property if the software is unlicensed.
e. Other Restrictions
No outside computer resource is permitted without permission from the CISO.

4. Systems Management
a. Management of Stored Materials
All print and fax activities are stored in a log on the company server.
b. Employer Monitoring
All employees will be monitored on each computer resource they use. The amount of time spent and the amount of resources used will be accounted for and stored in a log under each employee's name.
c. Virus Protection
All computers and other computer hardware on the network are protected from viruses through strict firewalls and virus software.
d. Physical Security
All computer equipment at Random Widget Works is monitored by surveillance to ensure that no property is damaged by disasters such as fire or incidents such as theft.
e. Encryption
All company data is encrypted so that if any data leaves the Random Widget Works company network, the data cannot be interpreted without the company's decryption software.

5. Violations of Policy
a. Procedures for Reporting Violations
When a violation of computer resources has occurred, an employee must notify the CISO of the issue. The CISO will then resolve the situation accordingly by talking to database administration and network administration, and by giving a report of the incident to the CIO.
b. Penalties for Violations
Minor violations will result in a write-up of what the employee did and how it affected the company. For first-time violations, the employee may be given retraining on information security and proper work ethics. Repeat violations will be treated more severely, resulting in the employee being required to take a leave of absence without pay, and possible termination. Major violations will result in notification of the CISO, CIO, network administration, and database administration. A hold will be placed on the employee's access and a report will be developed. Physical security will detain the employee and the police will be called.

6. Policy Review and Modification
a. Scheduled Review of Policy
Random Widget Works will require a meeting on the Information Security Policy for computer resources semiannually. If a computer resource related issue arises, the CISO must be contacted immediately. A meeting including the CEO, CIO, and CISO will discuss any needed modifications to the Computer Resource ISSP.
b. Procedures for Modification
After the review of the policy, the CEO will determine whether the changes to the policy would be in the best interest of Random Widget Works. The changes to the policy must coincide with company goals, while keeping business interests in mind. The CEO will then give permission to update the policy with the new modifications. The CIO can temporarily modify the policy without approval during system emergencies such as a disaster or massive system corruption.

7. Limitations of Liability
a. Statements of Liability
If an employee violates company policy and is caught doing any illegal activity with any company computer resource, Random Widget Works is not liable for any employee actions.
b. Other Disclaimers
All damages resulting from an employee violating policy may result in termination and/or a lawsuit.

FAIR AND RESPONSIBLE USE OF RWW EMAIL

1. Statement of Purpose
a. Scope and Applicability
The Email Policy is critical for the security of Random Widget Works. It applies throughout the company and it has the strictest security.
b. Definition of Technology Addressed
Email is how the company communicates with its employees and with clients outside the company.
c. Responsibilities
Employees are responsible for knowing the correct way to use email so that information security, as well as company ethics policies, is followed.

2. Authorized Uses
a. User Access
All employees have access to email with a username and password.
b. Fair and Responsible Use
When using email, no employee should contact an address that is not a company email address. No employee should read or open any email if the sender's address is not known or is not a company email address. An employee should not use company email for personal use.
c. Protection of Privacy
All upper management will have protection so that important emails cannot be read by many of the employees. These restrictions will prevent sensitive information from being leaked. All emails sent on the RWW network are encoded so that if an email leaves the company network, it will not be readable.

3. Prohibited Uses
a. Disruptive Use or Misuse
No emails not related to work shall be sent around the company network. This does not include employee birthdays, wish lists, and company events. No jokes or gossip are to be sent around by email.
b. Criminal Use
Sending company secrets to other companies or news sources is illegal. Sabotaging the company computer system by sending a virus through company email is illegal.
c. Offensive or Harassing Materials
No discriminatory or offensive emails will be permitted. These include sexual, violent, or racist emails, even if the intent was not to be offensive.
d. Copyrighted, Licensed, or Other Intellectual Property
Emailing software throughout the network is illegal. All software must be licensed for use on company computers.
e. Other Restrictions
For security purposes, forwarding company emails to personal cell phones is not allowed.

4. Systems Management
a. Management of Stored Materials
Emails are stored in a log on the company's server. They can be looked up by the CISO, CIO, and database administrators with the permission of the CEO.
b. Employer Monitoring
Every email is run through a company filter, which detects key words that might be considered offensive or associated with computer viruses. All emails are logged on the company server.
c. Virus Protection
Emails are scanned for viruses before they are received and before they are sent out.
d. Physical Security
Physical security is needed to make sure no one is using computers off hours and to protect the server room.
e. Encryption
All emails are encrypted so that mail cannot be read outside of the company without first being decrypted.

5. Violations of Policy
a. Procedures for Reporting Violations
When a violation has occurred, an employee must notify the CISO of the issue. The CISO will then resolve the situation accordingly by talking to database administration and network administration, and by giving a report of the incident to the CIO.
b. Penalties for Violations
Minor violations will result in a write-up of what the employee did and how it affected the company. For first-time violations, the employee may be given retraining on information security and proper work ethics. Repeat violations will be treated more severely, resulting in the employee being required to take a leave of absence without pay, and possible termination. Major violations will result in notification of the CISO, CIO, network administration, and database administration. A hold will be placed on the employee's access and a report will be developed. Physical security will detain the employee and the police will be called.

6. Policy Review and Modification
a. Scheduled Review of Policy
Random Widget Works will require a meeting on the Information Security Policy for email every quarter. If a new email issue arises, an immediate meeting must be conducted. A meeting including the CEO, CIO, and CISO will discuss the new threats and the response that will need to be conducted.
b. Procedures for Modification
The CEO will determine whether the changes to the policy would be in the best interest of Random Widget Works. The changes to the policy must coincide with company goals, while keeping business interests in mind. The CEO will then give permission to update the policy with the new modifications. The CIO can temporarily modify the policy without approval during system emergencies such as a disaster or massive system corruption.

7. Limitations of Liability
a. Statements of Liability
If an employee violates company policy and is caught doing any illegal email activity, Random Widget Works is not liable for any employee actions.
b. Other Disclaimers
All damages resulting from an employee violating policy may result in termination and/or a lawsuit.

References

Knight, Ridder. (2010, August 15). Enterprise information security policy (EISP). Retrieved from http://net35.ccs.neu.edu/home/chrisv7/capstoneproject/kr_eisp.aspx

SANS. (2009). SANS security policy research projects. Retrieved from http://www.sans.org/security-resources/sec_policy.php#specific

Whitman, M.E., & Mattord, H.J. (2010). Management of information security. Course Technology PTR.