“We certify that the attached document represents the
results of our own efforts, does not contain plagiarised material and has not
been developed in collaboration with non-group members.”
What is a security policy and why does an
organization need a security policy? Fiona.
A security policy outlines a strategy for protecting a
network and its resources. Within a security policy, rules or conditions are set
for subjects requesting access to resources; these rules are considered by the
reference monitor, which decides what access is permitted for processes. Security
policies are also used more broadly to describe an organisation's security
arrangements, including threat and risk management, acceptable use of IT systems,
and the steps to take in the event of a security breach.
Security policies are highly important within organisations,
primarily to ensure that protective measures are in place to preserve the
confidentiality, integrity and availability of data and technology systems within
an organisation. The policy also tells users what is acceptable within
the organisation, for example password complexity or data protection; this
creates a general guideline for users and sets out penalties if it is not
adhered to. It also ensures that staff, including IT personnel, know what is
expected of them with regard to IT systems and security.
Come up with an example of your own of an issue
which could be caused by missing security policies. Fiona.
An example of an issue that may result from missing
security policies is unauthorised personnel, such as cleaning staff, having
access to confidential client data listing personal contact details and medical
details. If a security policy were in place, it would have been considered who
should have access to such data: only those requiring access for a process
should have it. A policy would also have meant that
preventative measures were in place to stop unnecessary and unauthorised
access. This is also a breach of the Data Protection Act, under which an
organisation must keep data safe and secure from unauthorised access; a breach
could lead to hefty fines, prosecution or having to implement steps in order
to comply with the law.
What are the basic things that need to be
explained to every employee about a security policy? At what point in their
employment? Why? (List at least 4 things). (For example, how to handle delicate
Every organisation needs to give employees a brief overview of the
concept of security before they start a job. This makes the
person aware that the organisation has security policies in place before
their employment starts. On starting employment, the employees then need
the security policies explained in detail.
There are 5 key security policies every organisation should
The use of strong passwords. This is essential
in order to keep users' data confidential so that no other person can obtain it.
Usually a strong password consists of a combination of symbols, letters
(uppercase and lowercase) and numbers, as this makes it hard for other people,
for example hackers, to gain access to employees' accounts.
Data protection. This is a law in place to
protect the personal data of employees stored within an organisation, including on a
computer and in hard copy, i.e. paper filing. This law gives employees legal
rights over the information stored about them and the way their personal
information is handled within a business.
Reporting any security breaches. If an employee
receives a suspicious email (including attachments or links) or an internet pop-up
site, it is their responsibility to report this at once to the company's IT
technician. If caught in time, the technician can control the situation by
removing the security breach and putting an additional policy in place to
prevent it from happening again.
Disposing of paper. Each organisation should invest
in a secure destruction service. Office paper shredding machines do not
guarantee that paper files will be destroyed properly; this service
guarantees that all paper documents are disposed of correctly by shredding
all the documents collected in a locked container.
Access rights. These allow users at different
levels within an organisation to have different permissions.
For example, an employee who deals with the financial part of an organisation
should not have the same access rights as an IT technician. Permissions are
important within an organisation as they protect sensitive data from
being accessed by unauthorised persons.
Your organisation has an e-mail server that processes
sensitive emails from senior management and important clients. What should be
included in the security policy for the email server? Keziah.
A security policy should be implemented to ensure the proper
use of email. The policy outlines certain standards that the server must
follow. This is especially imperative when senior management are sending
sensitive emails to important clients. The following rules should be included
in a security policy for the email server to ensure the safe sending of sensitive
emails within the organisation.
should be used. Emails sent on the server must follow symmetric key
cryptography. Symmetric key cryptography is an encryption scheme in which
the sender and receiver of an email share a single, identical key that is used
to both encrypt and decrypt the email.
Passwords used to access email must be encrypted. File
encryption must be implemented or secure email used.
The company email system must be configured from the outset
to require login credentials to identify a user when they wish to
access their email account. The email server must also be protected against
The server must protect, through security controls, the applications
where sensitive emails are stored and sent to and from.
The email server shall use SMTP authentication to control user access.
SMTP authentication allows users to identify themselves to the mail server
they intend to send email from, so the server can ensure that emails are
only sent by legitimate users.
Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) encryption shall be implemented to secure the connection
between the email provider and company devices.
The email server shall operate current virus protection
according to the Virus Protection Policy.
Logs must be configured according to the Audit Trail
Policy. The events to be logged must be chosen so that attacks, breaches and
inappropriate use can be detected.
Policy compliance rules should be set out within the
policy so that employees are aware of what will happen if anyone does not act
according to it. For example:
"Employees who violate
this policy may be subject to disciplinary action, up to and including
termination of employment."
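As an added illustration of the logging rule above (example code written for this document, not a script or configuration from any organisation discussed here): a small detector that reads constructed Postfix-style SMTP AUTH failure lines and flags source addresses with repeated failed logins inside a short window. The log format, IP addresses and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd SASL format (not from a real server).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtpd[2134]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:15 mail postfix/smtpd[2134]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:19 mail postfix/smtpd[2134]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:24 mail postfix/smtpd[2134]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:30 mail postfix/smtpd[2134]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:02:02 mail postfix/smtpd[2140]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:45:40 mail postfix/smtpd[2151]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"[^\s\[]+\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed"
)

def parse_failures(log_text):
    """Return (timestamp, client_ip, mechanism) for each failed SMTP AUTH line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m.group("ip"), m.group("mech")))
    return events

def brute_force_sources(events, threshold=5, window_seconds=300):
    """Map client IP -> failure count for IPs with >= threshold failures in any window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window past stale entries
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(parse_failures(SAMPLE_LOG)))
```

The second address fails only twice, 43 minutes apart, so it stays below the default threshold; the first address trips it within 18 seconds.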
Read the UCL and Harvard university security
policies 1, 2. Compare and critique the policies suggesting
improvements/updates, as appropriate. Keziah,
Fiona and Shannan.
Having considered both the UCL and Harvard University
security policies, we find them fairly different. At first glance, the UCL
policy seems more technical and overwhelming in comparison to Harvard's
clear outline of the points that should be followed. The use of less technical
wording in Harvard's security policy makes it easier for the end-user to understand,
making it more likely that end-users will follow the points outlined.
The two universities have slightly differing policies on
reporting a suspected breach or a breach of a device. While UCL requests that concerns
are reported immediately, Harvard requests that they be brought to the attention of
Information Security staff promptly or as soon as possible. It may be better if a
sense of urgency like that in the UCL document were pushed in Harvard's security
policy. If a system is at risk of a security breach it is better for this
to be established early to limit the damage; if this urgency is not
outlined, end-users may be more relaxed in reporting such events, which may be
harmful to the system and to confidential information.