Organizations which rely on network infrastructure for their business operation must utilize security technology to protect the network from harmful actions of automated attacks as well as malicious human activity. It is also important to enact policies and guidelines for the employees of the organization, which in many regards can be the weakest link in the chain of security. According to a survey by The Ponemon Institute (2012), “78 percent of respondents said their organizations have experienced a data breach as a result of negligent or malicious employees or other insiders” (p.1). A statistic like this points to the need for comprehensive policies that detail the company’s expectations and mandates for specific situations relating to cybersecurity.
Policy Considerations
In order for a cybersecurity policy to be successful, it should cover every conceivable situation (Easttom, p.201, 2012). Security events that are not associated with a policy are likely to not be handled as efficiently as an event that does have a policy. Policies reduce or eliminate uncertainty over the expected way a security event is to be dealt with. A successful cybersecurity policy will restrict actions enough to facilitate a secure network while avoiding mandates which restrict behavior so tightly that employees will become resentful or find ways to circumvent the policies. When considering specific policies, it is important to not create policies that are unclear or open to interpretation. Instead, each policy should be as specific as possible, leaving little room for interpretation or misunderstanding.
Cybersecurity policies can be in the form of advisory or compulsory. Policies that are advisory are suggested, but not enforced. An advisory polic...
... middle of paper ...
..., the company’s security policies will undergo a review by management and the IT staff on a biannual schedule. By a process of periodic review, the company’s cybersecurity policies will remain relevant and effective, even as circumstances change over time.
References
Cisco. (2005). Network Security Policy: Best Practices White Paper. Retrieved January 19, 2014 from http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f945.shtml
Easttom, C. (2012). Computer security fundamentals. Indianapolis: Pearson.
Microsoft. (2012). Strong Passwords. Retrieved January 19, 2014 from http://technet.microsoft.com/en-us/library/ms161962.aspx
Ponemon Institute. (2012). The Human Factor in Data Protection. Retrieved January 19, 2014 from http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_trend-micro_ponemon-survey-2012.pdf
The topic for week 3 of Computer Ethics was based upon an IT security policy in relation to a company’s ethics. The discussion board began with how training as well as education needs to be implemented throughout the business to ensure confidential information is not sent out without encryption or without following other procedures put in place. This not only maintains the integrity of the company, but also makes the employees accountable. This can be accomplished by a well-defined security policy and procedures that outline the plan of action and its implementation. Many agreed that a well-documented plan needs to be kept updated as well as conveyed to the rest of the staff so everyone knows what their role is. In addition, Dawan pointed out that a security policy is a “living document,” one that is forever changing to try and keep up with hackers. Many also agreed it is imperative that everyone in the organization be trained on the organization’s security policies.
With the increasing use of emerging technologies and the associated rise in information security threats, Ohio University has adopted the NIST 800-53 security control framework to support its regulatory compliance efforts. NIST 800-53 is being implemented to provide a comprehensive set of security controls. This control framework is responsible for instituting minimum requirements that meet approved standards and guidelines for information security systems. It provides a baseline for managing issues relating to mobile and cloud computing, insider threats, and the trustworthiness and resilience of the university’s information systems. NIST defines the standards and guidelines that must be adhered to in order to meet the cybersecurity controls that align with FISMA expectations.
It is best to prevent security incidents from occurring in the first place; therefore prevention should be a top priority for the IT staff at CEG. The National Institute of Standards and Technology (NIST) recommends five main categories of incident prevention: risk assessments, host security, network security, malware prevention, and user awareness training (Cichonski P., Grance T., Millar T., & Scarfone K., 2012, p. 24). Risks of the various types of possible security incidents should be identified and prioritized based on likelihood and potential harm. Risk assessment should be periodic and ongoing. Host security is achieved by hardening each host on the network. Host hardening includes keeping current on the latest software patches, enabling and monitoring audit logs, and assigning permissions based on the principle of least privilege. Network security is primarily concerned with securing the perimeter of the network to prevent unauthorized intrusion. This includes the use of firewalls, intrusion detection systems (IDS), securing VPNs, and blocking unnecessary ports. All hosts on the network must run and regularly update malware protection software. And all employees should...
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish roles and responsibilities for all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring all of the rules and policies are being followed, as well as understanding their roles, responsibilities, and functions. Organizations’ information processing systems are vulnerable to many threats that can inflict various types of damage, which can result in significant losses (Harris, 2014). Losses can come from actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators, and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
President Obama realized the seriousness of the upcoming threats and turned the government’s focus more toward defending the information and communications infrastructure; in May 2009, he requested a top-to-bottom review of the current situation. The resulting report, titled the Cyberspace Policy Review, includes strategy, policy, and standards regarding the security of, and operations in, cyberspace. According to the White House’s cybersecurity foreign policy, the Cyberspace Policy Review highlighted two objectives and ten near-term actions to support the cybersecurity strategy.
...the marketplace, increase profit, and comply with both external and internal policies and procedures, including federal laws and regulations. It is imperative that, before an organization begins to discuss, design, or implement policies, it has a clear understanding of hardening and of the benefits of a layered defense at key points on the network (public and private), at the server, and at the desktop. Policies written by an organization that encompass guidelines or mandates from a government entity therefore ensure a layered approach.
The topic of network security is a recurring theme in today’s business world. There is an almost unfathomable amount of data generated, transmitted, and stored every day. Unfortunately, the media and traditional reporting sources these days typically focus only on outside threats such as hackers. Many people completely overlook the insider threats that are present, which can potentially pose an even bigger threat than any outside source. One of the acronyms that is constantly repeated in the security industry is CIA: confidentiality, integrity, and availability. Authorized users, whether by accident or through malicious acts, are in a unique position to threaten all three aspects of CIA.
With the rise in security breaches experienced by companies in the last few years, it is no wonder that businesses are implementing stronger security policies. Two topics that deserve to be addressed by businesses are PC protection software and external access to corporate networks. There may be no sure way to prevent attacks on the corporate network, but there are steps companies can take to limit such activities. This paper will discuss the possible guidelines that companies may implement to strengthen security policies.
Building and designing a network can be a long and tedious task. The time spent developing security policies is a process that can equal the creation time of the network topology. The security implementations used to secure the infrastructure must be based on best practices. Network administrators and users must all become a cohesive force in the protection of the network.
Although all of the legal parameters are not presented to the public, they maintain common ethical standards to protect our citizens. I don’t think cybersecurity receives enough recognition for its contribution to this nation’s security. The training is extensive, the skills are mandatory, and the mistakes are catastrophic, so a lot of pressure is placed on the employees in this field. Cybersecurity may never fully be understood by someone who is not tangibly involved, but the dedication and effort cybersecurity provides is priceless. Computer security is a must, and without it all things could fall apart.
In recent years, many possible plans to enact government regulation to improve cybersecurity have been suggested. Most recently, in 2017, then U.S. president Barack Obama implemented the Cybersecurity National Action Plan (CNAP). The plan would have invested $19 billion in cybersecurity by gathering experts to make recommendations regarding cybersecurity, helping secure the government IT group, and encouraging more advanced security measures (Daniel 1). However, while CNAP does present a way to address the problem, it just adds another program that attempts to enhance cybersecurity: “It is the multiplicity of programs and division of responsibility that diminishes their effectiveness. At least eleven federal agencies bear significant responsibility for cybersecurity” (Cohen 1). Every so often, another cybersecurity program will be established, but former plans are seldom removed. This leads to a large number of departments sharing responsibility, which creates general confusion and limits each department’s power. Furthermore, widespread government regulation may weaken cybersecurity. Many fear that any regulation would not be flexible enough and would instead make hacking easier (Ridge 3). If every system in the entire nation had the same security measures, it would be much easier to break into, as by breaking into one system a hacker could break into everything.
It also defines what should be done when a user misuses the network, if there is an attack on the network, or if there are any natural outages of the network.
The nation has become dependent on technology and, furthermore, on cyberspace. It is encompassed in everything we do in our daily lives: our phones, the internet, communication, purchases, entertainment, flying airplanes, launching missiles, operating nuclear plants, and implicitly, our protection. The more ever-growing technology empowers Americans, the more they become prey to cyber threats. The United States Executive Office of the President stated, “The President identified cybersecurity as one of the top priorities of his administration in doing so, directed a 60-day review to assess policies.” (United States Executive Office of the President, 2009, p. 2). Furthermore, critical infrastructure, our networks, and the internet alike are identified as national assets for which the administration will orchestrate integrated cybersecurity policies while protecting, rather than infringing upon, privacy. While protecting our infrastructure, personal privacy, and civil liberties, we have to keep in mind that the private sector owns and operates the majority of our critical and digital infrastructure.