Security Policies

  • ali@fuzzywireless.com
  • Mar 4, 2022

The objective of the corporate email security policy is to outline the principles to be followed across all email-related information systems in order to fulfil regulatory and compliance requirements and contractual obligations, and to follow industry best practices, policies and standards in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).

Policy Statement

The corporate email service and its associated mailing lists are privileged services provided by the company to conduct day-to-day business. Use of the corporate email service requires full adherence to company policy and the code of conduct. The policy protects all information and information systems across the enterprise while ensuring the security and protection of proprietary information.

Risks, Threats and Vulnerabilities Identification & Remedies

Some of the known vulnerabilities of an electronic mail service are junk, fraudulent, unsolicited and spam emails, which usually originate from outside the organization. Traditional threats associated with electronic mail are malware and virus attachments, identity theft, phishing, and knowingly or unknowingly sending emails to thousands of recipients. Email access through laptops and webmail increases the risk of unauthorized access several-fold. Email clients on mobile devices such as smartphones pose serious risks in the event of device theft, loss or break-in. The corporate email security policy will reevaluate risks, threats and vulnerabilities on a quarterly basis and implement new recommendations to reduce the residual risk.

Responsibilities

The policy is issued and maintained by the CIO office. Email domain leads are responsible for reliable and uninterrupted service. The CSO office is responsible for safeguarding the physical and logical security of email-related infrastructure, which includes email servers, email clients, end-user devices and so on. Corporate emails are declared company property whether accessed through traditional computers (laptops, desktops, etc.) or mobile devices (smartphones), and usage is strictly limited to conducting business. Email service users are required to exercise caution when transmitting sensitive information and to safeguard against unauthorized access. Emails containing proprietary and subscriber information must be encrypted using the corporate encryption service.

Technology Guidelines and Standards

The National Institute of Standards and Technology guidelines on electronic mail security (NIST, 2018), SP 800-45 version 2, will be used to design, implement and maintain the corporate email system. The guideline provides encryption standards, mail server administration, email client security, and best practices for securing mail servers' operating systems, applications and access.

Procedures

Access to the email service is offered to all employees and departments of the enterprise. Use of the electronic mail service is governed by enterprise policy and the code of conduct. Emails are backed up to enterprise storage per the information retention policy. Email traffic is managed by limits on maximum email size, number of recipients and mailbox size. Domain leads will apply filters to identify spam and phishing emails. The CSO will provide antivirus and malware protection for all email-related corporate assets. Sensitive and proprietary customer and enterprise information, such as social security numbers, addresses, dates of birth, credit card numbers, bank information and financial information, is secured through encryption (Sophos, 2018). Another important step is to ensure full disk encryption across all information systems (2018).

Enforcement

To educate all employees and users of email, short online training can be helpful in highlighting the do's and don'ts of email. Since email is the formal mode of business communication, enforcement of the business code of conduct will help set the boundaries of employee expectations. From the company's perspective, however, some things require strict implementation to maintain order: for instance, filtering suspicious executable attachments, restricting email attachment size, encrypting emails, identifying junk and spam, blocking offensive content and so on. If a violation of the business code of conduct occurs, HR can be involved for intermediate and severe cases, while minor violations, which are still documented, can be handled by the reporting manager through counseling and additional training. If multiple violations of the business code of conduct occur, the employee's employment can be terminated with immediate effect.

Definitions

The Threat Analysis Group (2018) defines a threat as anything that can exploit a vulnerability, intentionally or accidentally, to damage or destroy an asset. A vulnerability is a weakness or gap in a program related to the electronic mail service that can lead to unauthorized access to an asset. Finally, risk is defined as the potential for loss or damage of an asset as a result of a threat exploiting a vulnerability; risk is thus described as the intersection of assets, threats and vulnerabilities (2018).

Watts (2018) defines a threat as an incident that can harm a system or the overall organization. Threats can be:

1. Natural – floods, tornadoes etc.

2. Unintentional – employee mistake etc.

3. Intentional – spyware, malware etc.

On the other hand, risk is the potential loss that results from a vulnerability being exploited by a threat. For instance, the loss can be financial, privacy-related, business disruption, reputational damage, legal implications, loss of life, etc. (2018).

Internet Use Policy

Purpose

The objective of the internet use policy is to outline the principles to be followed while using the internet on company-provided machines (desktop, laptop, smartphone, etc.), during business hours, while performing work duties (meetings, etc.), while visiting business client locations, and within company premises, in order to fulfil regulatory and compliance requirements and contractual obligations and to follow industry best practices, policies and standards in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).

Policy Statement

Internet use, meaning access to websites outside the corporate intranet, is a privileged service provided by the company to conduct day-to-day business. Use of the internet requires full adherence to company policy and the code of conduct. The policy protects all information and information systems across the enterprise while ensuring the security and protection of proprietary information.

Risks, Threats and Vulnerabilities Identification & Remedies

Use of insecure websites can pose serious risks in the form of viruses, malware, etc., which can harm the company's information technology infrastructure by damaging or leaking sensitive proprietary data. Business efficiency can be impacted by the downtime associated with malware-infected machines. There is an increased threat of ransom, where another party holds access to the company's sensitive information in exchange for money. Downloading illegal software can lead to copyright issues. Use of peer-to-peer sharing programs can make machines vulnerable to malicious users. Employee productivity can be impacted by unnecessary browsing during business hours. Valuable network bandwidth and resources are wasted on unnecessary internet traffic.

Responsibilities

The policy is issued and maintained by the CIO office. Web traffic leads are responsible for reliable and uninterrupted internet service for business purposes. The CSO office is responsible for safeguarding the physical and logical security of the IT infrastructure, which includes browsers, routers, transport backhaul, servers, end-user devices and so on. Internet usage is strictly limited to conducting business. Internet service is provided to gather data and research material related to company business only.

Technology Guidelines and Standards

The National Institute of Standards and Technology cybersecurity framework (NIST, 2018) will be used to design, implement and maintain the IT infrastructure. The framework offers a complete structure for cybersecurity by assembling guidelines, standards and practices in one place. The framework addresses cybersecurity issues from the perspectives of people, physical security and cyber security.

Procedures

Access to the internet is offered to all employees of the company. Use of the internet is governed by enterprise business policy and the code of conduct. Internet activity is recorded to enterprise storage per the information retention policy. Domain leads will identify high-traffic users, users accessing prohibited websites and so on for disciplinary action. Active website filtering will be used to block sites with offensive words, materials, media, etc. The CSO will provide antivirus and malware protection for all devices capable of accessing the internet. Security certificates will be updated regularly by the CIO to protect company assets. Another important step is to ensure full disk encryption across all information systems, which will prevent data leakage in the event of a breach (Sophos, 2018).

Mobile Device Use Policy

Purpose

The objective of the mobile device use policy is to outline the principles to be followed at all times while using company-provided mobile devices (laptops, tablets, smartphones, etc.), in order to fulfil regulatory and compliance requirements and contractual obligations and to follow industry best practices, policies and standards in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).

Policy Statement

Mobile device use, which includes making and receiving phone calls, accessing corporate email, browsing the internet and so on, is a privileged service provided by the company to conduct day-to-day business. Use of mobile devices requires full adherence to company policy and the code of conduct. The policy protects all mobile devices across the company while ensuring the security and protection of proprietary information.

Risks, Threats and Vulnerabilities Identification & Remedies

Use of mobile devices by employees incurs a high cost to the company, which is why voice minutes and data usage are strictly limited to business use. International calls are blocked on all mobile devices. Text messaging can be used sparingly by employees, but it usually causes high cost to the company in the form of international charges, interconnect carrier charges and so on. Data usage on mobile devices is charged by the number of bytes, which is why use of the internet and hotspot is limited to business use only. Spam calls can cause financial loss to the employee, which is why the company-provided number should not be shared on social media or used for personal purposes. Storage and playback of indecent media (audio and video), messages, etc. is strictly prohibited. Browsing illicit websites can pose a serious risk to the device and can lead to data loss and breach. Screen passwords are mandated to protect the device from misuse in the event of theft or loss. Installation of applications not related to business is strictly prohibited. Backups of mobile devices should be performed to another company-provided laptop or computing device. Use of social media applications on mobile devices is prohibited. Full encryption of mobile devices is mandatory for all employees. Keeping the operating system updated is necessary for secure and safe mobile device usage.

Responsibilities

The policy is issued and maintained by the CIO office. Mobile device leads are responsible for issuing mobile devices with appropriate voice and data plans for business purposes. The CSO office is responsible for safeguarding the physical and logical security of mobile devices, which includes VPN, secure applications, mobile internet, mobile email and so on. Internet usage on mobile devices is strictly limited to conducting business. Voice and data service on mobile devices is provided to conduct company business only.

Procedures

Mobile devices, which include smartphones, laptops, tablets, etc., are offered to all employees of the company. Use of mobile devices is governed by enterprise business policy and the code of conduct. All activity on mobile devices is recorded to enterprise storage per the information retention policy. Domain leads will identify abusive users, users running outdated operating systems, illicit applications and so on for disciplinary action. The CSO will provide antivirus and malware protection for all mobile devices. Full disk encryption is mandated across all mobile devices, which will prevent data leakage in the event of a breach (Sophos, 2018).

Applications Use Policy

Purpose

The objective of the applications use policy is to outline the principles to be followed at all times while using applications on company-provided desktops, laptops, tablets and smartphones, in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).

Policy Statement

Applications are needed on all computing devices to perform specialized tasks such as word processing, image editing, spreadsheets, computations, design, forecasting, presentations and so on. However, use of applications on any company-provided device is strictly limited to business purposes. Use of applications requires full adherence to company policy and the code of conduct. The policy protects all applications installed on devices across the company while ensuring the security and protection of proprietary information.

Risks, Threats and Vulnerabilities Identification & Remedies

Applications developed in-house are available to all employees free of cost. However, third-party applications are frequently used to conduct business on a day-to-day basis. It is therefore mandatory to install applications from the company's internal software store. Applications hosted on the software store are license-protected and tracked by the IT department for usage fees. Applications not used by an employee for three months will be automatically deleted from the system. To reduce licensing costs, reporting managers will approve the installation of each application on their direct reports' devices. Applications requiring periodic updates will be forcibly pushed and installed across the company to ensure that all fixes are in place. Use of applications for personal purposes is strictly prohibited and will result in disciplinary action. Sharing applications outside the company can result in termination of employment. Misuse of applications is prohibited to safeguard the company's IT assets. Illegal and unauthorized applications are not allowed on any company-issued device.

Responsibilities

The policy is issued and maintained by the CIO office. Application, software and operating system leads are responsible for the availability of applications to conduct business. The CSO office is responsible for safeguarding the physical and logical security of devices on which applications are installed. Applications incur high licensing costs to the company and therefore require tracking of appropriate usage by employees.

Procedures

Applications are installed on all computing devices offered to employees of the company. Use of applications is governed by enterprise business policy and the code of conduct. Installation, usage, updating and deletion of applications is tracked by the IT department. Domain leads will identify abusive users, users running outdated operating systems, illicit applications and so on for disciplinary action. The CSO will provide antivirus and malware protection for all mobile devices.



References

NIST (2018). Guidelines on electronic mail security (SP 800-45 version 2). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-45/version-2/final

King County (2009). Information Technology Governance policies and standards. Retrieved from https://www.kingcounty.gov/~/media/operations/it/governance/policies/Enterprise_Information_Security_Policy_signed.ashx?la=en

Threat Analysis Group (2018). Threat, vulnerability, risk: commonly mixed up terms. Retrieved from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/

Watts, S. (2018). IT security vulnerability vs threat vs risk: what's the difference? Retrieved from http://www.bmc.com/blogs/security-vulnerability-vs-threat-vs-risk-whats-difference/

Theriault, C. (2017). What is an information security framework and why do I need one? Retrieved from https://tbgsecurity.com/what-is-an-information-security-framework-and-why-do-i-need-one/

Sophos (2018). Sample data security policies. Retrieved from https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-example-data-security-policies-na.pdf?la=en