Enterprise Technical Infrastructure Security Plan

23 May Enterprise Technical Infrastructure Security Plan

NAME

American Military University

ISSC490

Comprehensive Security Outline

Introduction

The IT Security Management for Applied Predictive Technologies (APT) will aim to meet the security requirements of the company and other external requirements, for example, legislation and contracts. The IT Security Management will also provide basic level security to APT, which is independent of external requirements and maintains uninterrupted operations of information technology in the company.

Proposal

Implementation of the IT Security Management in line with the APT’s Safety and Security Management System. The security outline will estimate importance of information and data assets of the company while considering different parameters, for example, email policy, confidential data policy, and password policy among others.

Asset Identification

Overview

Asset identification will be done to establish a process for handling and classifying Applied Predictive Technologies (APT) information assets based on the information’s value, sensitivity, and criticality to the company (Ramachandran & Chang, 2016).

Scope

The procedure will apply to all users who store, process, and access the company’s sensitive information.

Policy

Information management and security policy of Information and Communication Technology (ICT). The policy will be guided by the principles of information asset management.

Enforcement

The company will develop security classification and information asset procedure (Ramachandran & Chang, 2016). The process of handling and classifying the company’s information assets will be developed from the procedure based on the information value, criticality, and sensitivity.

Acceptable Use Policy

Overview

Outline the acceptable use of Applied Predictive Technologies ICT resources by all users.

Scope

The policy will apply equally to all users of the company’s ICT resources.

Policy

Employee equity and diversity policy to enhance analysis if market experiments using the company’s software.

Enforcement

Applied Predictive Technologies will ensure appropriate management controls are implemented to offer acceptable use of ICT resources (Sohrabi & Solms, 2016).

Confidential Data Policy

Overview

Critical and confidential data needs will be secured during transfers across all communication channels of APT.

Scope

Data classified as confidential under the company’s information classification standard.

Policy

All confidential information will be protected from destruction, interception, copying, and modification (Armarego & Murray, 2015). The policy will be achieved through encrypted information and encrypted data and information exchange facilities.

Enforcement

Data owners and custodians should facilitate the security of data while the IT Security department will provide encryption methods and programs.

Email Policy

Overview

Guarantee proper use of APT’s email system and ensure all users are aware of acceptable and improper use of email systems.

Scope

All emails sent from APT’s email address by all employees, agents, and vendors operating on behalf of the company.

Policy

APT’s email system uses should be consistent with the company’s policies and procedures, for example, safety, ethical conduct, and applying proper business practices as required by the law.

Enforcement

Compliance will be verified through business tool reports, feedback to policy owner, internal and external audits, and periodic walk-throughs among other methods (Solms & Sohrabi, 2016).

Mobile Device Policy

Overview

Describes conditions under which APT permits the use of mobile devices and how the company manages mobile technology in the prevention of risks.

Scope

The policy will apply to APT’s staff, faculty, vendors, and other people who are granted privileges to access APT resources.

Policy

APT’s Acceptable usage policy will be used.

Enforcement

Privacy Administrator and Information Security policy contacts support the policy and disciplinary action will be taken when one violates the policy (Armarego & Murray, 2015).

Incident Response Policy

Overview

Provide the process for documentation, appropriate internal and external reporting, and communication when incidents that threaten the company’s digital assets.

Scope

APT’s data, information systems, networks, and any device or person who access the systems or data.

Policy

Information Technology Services (ITS) will be used to report intrusion attempts and any other security related incidents against APT.

Enforcement

Provide oversight on APT’s incident response by through communication, training, and enforcement of the policy (Sohrabi & Solms, 2016).

Network Security Policy

Overview

Establish technical guidance and procedure requirements to ensure protection of APT’s information handled using the computer networks.

Scope

All those who access APT’s computer networks.

Policy

All information exchanged and stored in APT’s network and not identified as property of other parties will be treated as APT’s asset. APT will prohibit the disclosure, duplication, diversion, and any other form that could lead to misuse or theft of information.

Enforcement

The Chief Information Officer of APT will establish, administer, maintain, and implement the network policy.

Password Policy

Overview

Standardize the creation of strong passwords, protect, and frequently update the passwords.

Scope

All personnel with the responsibility of an account in APT and those who require any form of access that requires passwords (Sohrabi & Solms, 2016).

Policy

Password Construction Guidelines will be used at user and system level passwords

Enforcement

Compliance measurement will be done, exceptions should be approved, and non-compliance will be subject to disciplinary action.

Physical Security Policy

Overview

Ensure the physical security of APT’s information and computer systems by providing responsibilities for physical security.

Scope

The policy applies to all APT’s information and computer systems and printed copies which can contain sensitive information.

Policy

Applicable access controls, for example, environmental and protective measures to properly protect physical computer systems.

Enforcement

Violators of the policy are subject to disciplinary action, for example, denial of access and legal penalties.

Wireless Network and Guest Access Policy

Overview

Identify the process for giving access to APT’s wireless network.

Scope

Applies to the use of computing devices, information and network resources on the entire APT’s computing network (Solms & Sohrabi, 2016).

Policy

Implementing wireless service following appropriate procedures for authorized guests.

Enforcement

The APT reserves the rights to audit systems and networks to ensure compliance with the wireless network and guest access policy.

Disaster Recovery

Overview

Defines the requirement for a standard disaster recovery plan for APT describing the process to recover IT systems.

Scope

The IT Security Management Staff of APT to ensure all recovery plans are developed, tested, and updated when need arises.

Policy

Several contingency plans will be created and practiced to the highest extent possible (Torabi & Mansouri, 2015).

Enforcement

Compliance measurement will be done using business tool reports and exceptions must be approved by the APT IT Security Management Staff (Sohrabi & Solms, 2016).

Business Continuity Planning

Overview

Developing the ability of APT to detect, prevent, reduce and where possible deal with IT security management disruptive events.

Scope

The policy will apply to all APT employees and visitors.

Policy

Integrate the disaster recovery and business continuity management culture of the company.

Enforcement

The company will adopt the principles of approach, deployment, results, and improvement cycle. The cycle will establish the stability of the business continuity management framework.

Security Awareness Training

Overview

Establish formal, documented security awareness education programs for APT’s information systems users. Appropriate training controls are facilitated by the security awareness training (Ramachandran & Chang, 2016).

Scope

Applies to all users of APT and all the IT resources owned and operated by the company.

Policy

Basic security awareness training, role-based security training, and security training records.

Enforcement

All APT employees will have to complete security awareness training once in a calendar year.

References Armarego, J., & Murray, D. (2015). Managing information security and privacy risks. Technology in Computer Science, 189-198. Ramachandran, M., & Chang, V. (2016). Cloud computing adoption framework. Transactions on Services Computing, 138-151. Sohrabi, N., & Solms, R. V. (2016). Information security policy compliance model. Computers & Security, 70-82. Solms, R. V., & Sohrabi, N. (2016). Information security policy . Computers & Security, 70-82. Torabi, S. A., & Mansouri, A. (2015). Towards organizational resilience. Operational Research, 261-273.