QUESTION
Assignment 2: Security Plan – worth 35% of the overall mark for the unit
1. The Security Plan assignment involves the design of a security plan based on a given case study.
The word count should be no less than 3,500 words, with an upper limit of 4,000 words excluding attachments.
2. The learning objectives of the Security Plan Assignment are for you to recognise the threats that exist in your current or future workplace. The complacent and lackadaisical approach many organisations take towards the security of their information holdings is common. Through your research, you have the opportunity to identify the threats, outline security guidelines and develop a robust and pragmatic training programme. You should develop a plan that you would regard as helpful to you, the information user, as well as protecting your organisation’s information environment. Use your imagination in combination with the wide range of material you glean from your research, and have fun!
3. You are required to complete and submit a security plan based on the following scenario:
a) You are the recently appointed head of a security team responsible for protecting the information holdings of a business organisation of some 600 staff. The organisation is housed in a detached, multi-storeyed building located in the central business district of an Australian city.
b) The security team is responsible for overseeing the security of information from deliberate and accidental threats. A recent audit of the information security management system found it to be deficient in some key areas, notably incident response, disaster recovery and business continuity, social engineering exploitation of personnel, an apparent lack of personnel awareness of the various threats to information, and poor password security. These issues were identified as needing urgent remedy.
c) Technical systems were found to be reasonably effective in maintaining database and document management security, and were well serviced by the IT team.
4. Management has directed you to undertake some security analysis and planning to improve the organisation’s security of information. You are tasked to:
a) Identify and describe the organisation’s physical, human, and electronic information holdings that may be at risk.
b) Identify and describe the actual and potential physical, human, and electronic threats to the organisation’s information holdings.
c) Design a security plan that describes counter-measures that will manage the threats that put the organisation’s information holdings at risk.
d) Develop a comprehensive information security education and awareness programme for use by management, staff members and contractors.
5. Use the marking sheet as a possible template to prepare your security plan.
SOLUTION
The security plan sets out guidelines to ensure the safety of the organization from the kinds of risk that may evolve due to changing technology and business needs. The plan should be published and made available to the relevant external parties, and it should be effectively communicated to the employees too (Richard, T., 2008).
Security is a complex matter that combines various factors. Some of these factors must be present at all times to ensure the proper safety of any organization; other factors can be added later, as and when required. All of these factors together combine to formulate a foolproof security plan for any organization.
In order to make the security plan effective, it is essential to implement it at the individual, organizational and inter-organizational levels. A good security plan consists of policies safeguarding all the corporate assets, be they physical, human or electronic.
Security planning in many organizations is often seen to be lost between “We need security” and “Is my coffee ready yet?” All organizations are well aware that they need security planning, but they lose deep insight into, and seriousness about, the planning.
In this report, we are going to analyze the various physical, human and electronic holdings that are at possible risk due to gaps in the security of the organization, which has a human base of 600 employees and is housed in a detached, multi-storeyed building located in the central business district of an Australian city (Hicks, 2003, p. 1).
After analyzing the potential risks, we are going to find out the potential and actual threats to the physical, human and electronic holdings of the organization. Once the risks and the threats are analyzed, this will help in designing a security plan that covers all the counter-measures that can or should be taken to manage the physical, human and electronic threats and protect the organization from future risks to its holdings.
Based on the findings, we need to develop a comprehensive information security education and awareness programme to educate the management, staff and contractors about security. The security education and awareness programmes should contain a range of innovative and tested processes aimed at enhancing security, and a description of the measures used to test the efficacy of the plan.
Why do we need a Security Plan?
Security planning is needed to protect the organization’s main and most important resources, including its major risk-bearing storage facilities, and through that to contribute to state and national security. We also need security planning for public health and safety, for economic growth and to keep our way of living running smoothly.
Any kind of security violation can result in serious ramifications for the organization as well as the government, and the cascading effects can be very perilous, reaching far beyond the targeted sector and the physical location where the incident took place (Curran, R. Security Planning).
In the same manner, any kind of terrorist or criminal infringement can have catastrophic outcomes and result in major property loss, destruction and several grim economic effects. This directly affects public morale, which would be ravaged, and the public would lose confidence in our ability to guard them.
Security Plan: a security plan is a scheme or method, written or not, that makes clear the vision, direction and arrangements of an organization as to when, what and how it wants to meet its security needs (Swanson, Hash, & Bowen, 2006, pp. 4-5). The plan gives us guidelines to achieve security measures through the following steps:
- Identifying the risks
- Identifying the threats
- Identifying the organizational security needs
- Setting the meaningful security priorities
- Forecasting the possible threats
- Focusing on possible effects and consequences
- Identifying the constraints on meeting the organization’s security obligations
Risk Analysis of the Organization
A risk analysis helps in analyzing and finding the most probable threats to an organization; once the threats are found, we check the organization’s vulnerabilities to these identified threats. Today most systems in any organization depend upon technology and automated systems, and any disruption to them, even for a few days, can result in heavy financial loss and can threaten the survival of the organization. So, in order to maintain the continuous flow of operations, an organization needs to create awareness in its management about the potential disasters, which might arise at any time. The management should be capable of reducing the intensity of disruptions to the major functions of the organization, and of recovering operations as quickly as possible to get the work machinery running again.
Organization’s Physical Holdings at Risk
Physical holdings mainly comprise the assets which are at risk in the organization. Therefore, it is the duty of the employees, consultants and contractors to protect the tangible as well as the non-tangible assets of the organization. The physical risks which might arise include damage to the multi-storeyed building and to the assets inside it due to internal or external fire, and damage to the building and its internal assets from any kind of seismic activity (Physical Risks, 2011). Apart from the property itself, that is the multi-storeyed building, the other physical assets like the office furniture and electronic gadgets installed in the company are also at risk from any kind of security breach. Physical risks cause great damage to the working conditions in any organization, and they are at high risk too (Wold & Shriver, 1997).
The physical assets include each and every item physically present in the office building, such as:
- Laptops, desktops, and electronic gadgets like printers, air conditioners or vending machines installed in the office premises
- Tables, chairs, stationery items, decorative pieces, paintings, etc.
It is often found that physical holdings are ignored or considered of little concern by the management. For example, if an employee working late in the office steals a laptop, the fancy firewall systems would be of no use. In one reported case, more than $10,000 worth of computers were stolen by an employee who used his electronic card to enter the building and disarmed the alarm system to break in. Even a single piece of paper that carries some information, or an empty letterhead, is a physical holding which is at risk in an organization (Clifton & Bishop, 2003).
Physical assets do not just include the office premises or the buildings; they also cover the other properties owned by the organization, or any warehouse it has rented for storing inventory. These are also at potential risk from various natural calamities.
Organization’s Human Holdings at Risk
Human holdings are the staff, management and contractors who work for or are associated with the organization. Here, the human holdings at risk are the 600 staff members working in the multi-storeyed building. All departments, from the lower to the upper hierarchy, are at risk from any kind of security problem. The human holdings include everyone working in the office, from the peon or office boy to the CEO of the company. The entire human workforce at every level of the multi-storeyed building is the human holding of the organization, which can be at risk due to any kind of security problem.
Organization’s Electronic Holdings at Risk
Electronic holdings are all the data and the electronic machinery that are the property of the organization. Most organizations are trying to become paperless, so even the minutest information related to the company is stored electronically in the organization’s database; that is the electronic holding of the company, and most of the time it is insecure. Hackers, or software engineers who want to harm the organization, can easily carry this information out on a pen drive or in some other undetectable electronic gadget in order to harm the organization.
Potential Threats for an Organization
Physical Threats
Physical threats are mainly associated with accidents or natural calamities which cause physical harm to the property of the organization and thus result in the disruption of its normal working. These may include external and internal fire, internal and external flooding, seismic activity, volcanic eruptions, earthquakes, tidal waves or typhoons.
Therefore, if the Australian city is located near the ocean, there is a chance of tidal waves or of internal or external flooding in the organization. Moreover, the analysis done in the organization regarding its security found that the organization is very poor in disaster recovery and incident response, which is a major concern. As Australia has recently been facing the problem of floods in major areas, if the city is situated in any such area it will also face problems due to flooding, and floods can damage the working and the physical assets of the organization (Wold & Shriver, 1997).
Physical threats are the attacks, natural disasters or accidents which put the physical holdings of any organization at risk. Thus, a security plan is essential to find out the potential risks to the physical holdings from these physical threats. Some of the major or common physical threats that have been identified are listed below (Clifton & Bishop, 2003):
- Natural disaster
  - Flood / falling water
  - Earthquake
  - Fire
  - Other environmental conditions (dust, explosion (terrorist attack), electrical noise, heat/humidity or lightning)
- Power loss
  - Uninterrupted power supply
  - Surge protectors
- Accidents (due to food and drinks)
- Terrorist attacks (Breeding, 2003).
Human Threats
These are the risks or security concerns which are caused by human beings, like robbery, bomb threats, embezzlement, burglary, terrorism, civil disorder, explosion, chemical spill, sabotage, war, radiation contamination, biological contamination, vehicle crash, computer crimes like hacking, hazardous waste, vandalism, extortion, airport proximity, or internal or external work stoppages like strikes by internal workers’ associations.
In the case of this organization, the major human threats can be any kind of disaster, explosion, computer-related crime or other environmental hazard, as the building is located in the central business area. If there are factories around, there are chances of chemical spills or radiation contamination too (Clifton & Bishop, 2003).
Electronic Threats
These are also known as technical threats. Power failure or fluctuation in power can damage the computers, laptops or any other electronic gadgets in the building. Excessive heating, or failure of ventilation or air conditioning, which are electronically controlled, is also a major threat; if left undetected it can cause major problems for the human holdings as well as the physical assets of the company.
Malfunction or failure of the CPU, or central processing unit, puts the electronic database of the company at risk, as there is a chance of it being lost. In the same way, any snag in the software that results in the failure of the system software, whether due to a virus or any other problem, can also be very hazardous for the critical information stored in the database. Failure of any application software is a major threat to the organization because everything is technology driven; if the password application software fails, for example, a theft can be committed very easily.
Telecommunications failure or any other failure in communication will also result in major problems arising from electronic threats. Gas leaks or nuclear fallout are also important, heavy-toll-taking electronic threats, because they can cause major problems for the organization by damaging the human assets of the company.
Security Plan with Counter-measures
There are many factors which should be included in a security plan for it to be effective and able to counter specific risks; physical counter-measures, for instance, should be able to counter the physical risks which are probable due to potential physical threats. In the same way, after assessing the physical, human and electronic risks, what we need to do is pick the best ideas and combine them to prepare the most reliable security plan with counter-measures for safeguarding the organization’s as well as the staff’s interests. In order to design a perfect security plan, it is very important for the whole staff to know and respect the organization’s mission, mandate and objectives in detail. An organizational statement of the security policy is also mandatory. Security should cut across all the dimensions and aspects of everyday work conducted in the organization, like contact assessment, risk assessment, security evaluation and incident analysis (Brock, 1999).
Physical Counter-measures
Physical counter-measures are the main safety measures required to safeguard the physical assets of the company. Asset protection, however, should be addressed at the recruitment stage itself and should be effectively monitored while the individual is employed in the organization. It should be the duty of the employees, contractors and consultants to protect the tangible as well as the non-tangible assets of the company against any harm or destruction (Peltier, Domain 10).
In case of any real or suspected threat to the corporate assets, the employee should inform their immediate manager before it turns into a bigger security threat for the organization. For example, if there is any smoke or the employee smells fire, he or she should immediately inform their manager, before it turns into a bigger fire and causes havoc in the organization.
The organization should protect their physical assets by developing:
- Backups, including off-site backups
- The cold site / hot site concept should be implemented. A cold site is an alternative facility with power and cooling where the computing system can be installed to start operations immediately in case of any problem. A hot site is another alternative facility which has already been installed with ready-to-use computing systems, for use in case of any disaster or natural problem affecting the main physical assets of the organization.
- Theft prevention: this can best be done by using guards, locks or electronic cards to control access to any physical property of the company. It can also be done by allotting cabinets or locks to employees so that everything is kept on the company premises, thus reducing the portability of any information. It can also be done by installing a device, as used in libraries, which detects any material or information leaving the organization’s premises.
- Disposal of sensitive media through shredders, which should shred not just paper but also diskettes, tapes and ribbons carrying any information
Human Counter-measures
Employees should know about incident management and should be given extensive training in it (Menninger, 2004). Prevention and reaction protocols should be developed in the organization, and personnel must be trained effectively in them. For example, they should be taught about natural disasters so that they are well prepared for them in advance. They should know how to handle personal injuries and attacks (including sexual attacks). The organization should take them on field trips and inform them about landmines, etc. Employees and management should be trained in reaction protocols for medical and psychological emergencies. They should be taught fire safety through safety drills in the company.
As a human counter-measure, in order to protect employees and their families from any kind of threat, they should be insured and well trained in self-defense skills. These training programs should be devised by the organization, and employees should be trained from time to time (Benson, 2000).
Employees should know what to do if there is a robbery or theft: report it immediately. They should know evacuation techniques, and should be trained in medical assistance techniques so that, in case of any physical injury to themselves or their colleagues, they can help with first aid.
Electronic Counter-measures
This is the major kind of theft that happens these days, as the most sensitive data, strategies and planning schemes are stored electronically by organizations. Therefore, it becomes even more imperative for the company to work towards their protection. Here we have found that the organization lacks password security, which is most important for securing the organization’s sensitive and important data. That is why sanitization of the data is also very important.
- Sanitizing the data is compulsory, meaning it should be completely erased using proper disposal techniques. Erasing and deleting alone are not enough to sanitize the data; the data should be overwritten several times to dispose of it in the right manner.
- Use degaussers to destroy the magnetic fields; this is the fastest way to neutralize any disk or magnetic tape (Clifton & Bishop, 2003).
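The overwrite-then-delete step described above, as an added example (not code from the original report or from any cited source): the script writes random data over every byte of a file for several passes, finishes with a zero pass, forces each pass to the device, and only then truncates and unlinks the file. The marker file, the pass count and the 64 KiB buffer are constructed for the example. It assumes a classic magnetic disk where an in-place overwrite reaches the same blocks; on SSDs and on journaling or copy-on-write filesystems that assumption does not hold, which is exactly why the report also lists degaussing.

```python
"""Overwrite-then-delete sanitisation of a sensitive file (added example).

Assumption: the file lives on a filesystem where an in-place overwrite
lands on the same physical blocks (classic magnetic disk). On SSDs,
journaling or copy-on-write filesystems this is NOT guaranteed, so
degaussing or physical destruction remain the reliable options there.
"""
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer (assumed size for the example)


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` `passes` times: random data on the
    early passes, zeros on the final pass. Each pass is flushed and fsynced
    so it reaches the device rather than sitting in the OS cache.
    Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = min(CHUNK, remaining)
                data = os.urandom(block) if n < passes - 1 else b"\x00" * block
                fh.write(data)
                written += block
                remaining -= block
            fh.flush()
            os.fsync(fh.fileno())
    return written


def sanitize_file(path: str, passes: int = 3) -> int:
    """Overwrite the contents, then truncate and unlink the file.
    Deleting alone only removes the directory entry; the overwrite is
    what destroys the content. Returns bytes overwritten."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
    os.remove(path)
    return written


def demo() -> tuple:
    """Constructed sample: write a recognisable marker, overwrite it, check
    that no residue of the marker survives and that the final pass left
    zeros, then sanitise (delete) the file.
    Returns (bytes_overwritten, residue_found, all_zero, exists_after)."""
    marker = b"CONFIDENTIAL PAYROLL RECORD\n" * 50  # 1400 bytes, constructed
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker)
    written = overwrite_file(path, passes=2)
    with open(path, "rb") as fh:
        content = fh.read()
    residue_found = b"CONFIDENTIAL" in content
    all_zero = content == b"\x00" * len(content)
    sanitize_file(path, passes=1)
    return written, residue_found, all_zero, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this: the overwrite is the sanitising step, and `os.remove` on its own would leave the marker recoverable; the `fsync` after each pass matters because a buffered write that never reaches the disk has sanitised nothing.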
Developing an Information Security Awareness and Education Programme
We need a comprehensive information security awareness and education programme in order to provide physical security, electronic security and information technology security, to deliver training, and to frame proper policies and procedures to keep our staff, management and contractors safe (Scalet, 2011). This can best be done by:
- Facilitating planning
- Exchanging ideas
- Effective coordination between employees and management
- Building awareness
A security plan should be such that its policies and programme safeguard not only the assets of the organization but also the employees, the community and the environment around the organization (Lanz, 2003). It should reduce, or rather remove, any chance of security breaches in the organization. It should improve the organization’s relationship with the community and should offer an efficient and secure mechanism for controlling the organization (Curran, R. Security Planning, Police Security Services branch, South Africa Police). For any kind of security awareness and education programme the most important thing is participation, because without it nothing can be worked out.
- A dedicated security infrastructure should be developed by designing a Security Infrastructure Policy.
- Standardized configuration settings help in implementing information systems in a safe and secure manner; for this, we need a consistent Systems Configuration Policy.
- A Security Training Policy is desired in the organization, which will help the organization and the employees understand the implications of their actions for security. This way they will not breach the information security system, intentionally or unintentionally.
- An Account Management Policy will guarantee the security of the whole management system; since a breach in the security of any account can cause very huge damage to the organization, illegal access to the information system can thus be avoided.
- Since the organization is facing major problems with password security, a Password Policy is an efficient way to tackle this problem. Passwords are the primary form of user authentication, allowing a user to access the information system or the physical premises of the organization. Thus, the organization must ensure that it creates and uses passwords with as much security as it can. Any breach of password security should be treated with grave punishment. If there are no strict guidelines for password management, it is quite common that passwords will be created very easily, and this will allow users to gain access to any information or to the office premises by breaking or decoding them. This will pose a major threat to the physical, electronic as well as human holdings of the organization.
- Creating an Authentication, Identification and Authorization Policy will help in restricting access to the few people who have been authenticated through identity verification. Employees can be given electronic key cards to access the information or enter the office (Develop and deploy security policy, Infotech research group, pp. 21-41).
- Data Protection Policies will give a greater amount of security, especially to sensitive data; for this purpose, system-based mechanisms are advisable for protecting the data (Develop and deploy security policy, Infotech research group, pp. 21-41).
- Physical Access Policies, like giving access to restricted areas to just a few upper-management people and issuing proper identification cards, will help in securing, and not compromising, the security of the organization and its confidential information (Develop and deploy security policy, Infotech research group, pp. 21-41).
- An Incident Response Policy will train individuals to tackle any kind of grave situation that arises without panicking (Develop and deploy security policy, Infotech research group, pp. 21-41).
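The Password Policy item in the list above says that weak passwords are easily created and then broken or decoded, and that the organization must create and use passwords with as much security as it can. The following added example (not the organization's own policy or code, nor from any cited source) shows the two halves a practitioner would actually implement: a policy check run at the moment a password is set, and salted, iterated hashing so that a stolen credential store cannot simply be read. The minimum length of 12, the three-of-four character-class rule, the small deny-list and the PBKDF2 work factor are assumed policy values chosen for the example.

```python
"""Password policy check and salted-hash storage (added example).

Policy thresholds below are assumptions for the illustration, not the
organization's settings: minimum length, character classes, deny-list
and the PBKDF2 iteration count would be fixed by the Password Policy.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                      # assumed policy minimum
DENY_LIST = {                        # constructed sample of weak passwords
    "password", "password1", "welcome1", "letmein", "qwerty123", "admin123",
}
PBKDF2_ITERATIONS = 600_000          # assumed work factor
CHARACTER_CLASSES = [
    ("lowercase letter", r"[a-z]"),
    ("uppercase letter", r"[A-Z]"),
    ("digit", r"[0-9]"),
    ("symbol", r"[^A-Za-z0-9]"),
]


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the
    password is acceptable under the assumed policy."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for _, pat in CHARACTER_CLASSES if re.search(pat, password))
    if present < 3:
        violations.append(
            "needs at least three of: " + ", ".join(n for n, _ in CHARACTER_CLASSES))
    if password.lower() in DENY_LIST:
        violations.append("appears on the deny-list of common passwords")
    if len(username) >= 3 and username.lower() in password.lower():
        violations.append("contains the username")
    if re.search(r"(.)\1{2,}", password):
        violations.append("contains a character repeated three or more times")
    return violations


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the plain text.
    A fresh random salt is drawn unless one is supplied (supplying one
    is only useful for deterministic tests)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time to avoid leaking how many bytes matched."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Password1", "alice_Secret_2024!", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate, username="alice") or "OK")
    record = hash_password("Correct-Horse-Battery-9")
    print(verify_password("Correct-Horse-Battery-9", record),
          verify_password("wrong guess", record))
```

The policy check is deliberately a list of named violations rather than a yes/no, so the enrolment screen can tell the user exactly which rule failed; the storage half is what limits the damage when the credential database itself is stolen, which is the risk the report's "breaking or decoding" wording points at.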
The efficiency of these measures and policies should be tested repeatedly through mock drills, which will help employees learn how to safeguard their physical assets and counter natural problems or calamities. They should be taken for field training or landmine training, which will help them learn about the potential risks.
In order to ensure that all employees are well aware of the information security policies and processes, they should be trained properly about the security requirements and processes related to their specific jobs, and they should be taught about the appropriate use of facilities and IT systems. This should be done before they are officially granted permission to access the facilities and IT systems.
Employees should be asked to acknowledge in writing that they have read and completely understood all the information security policies of the organization and will follow them.
Employees and contractors should refresh their security training every year and should be taught some new measures once every year, so that they learn the latest defense mechanisms too. A background check on all employees is very necessary to ensure there is no risk of internal attack. Employees should be surety bonded by contract so that the organization is secured against acts of disloyalty, fraud, etc.
Thus, by using the information security plan developed above and creating awareness amongst employees and management, the organization can avert various dangers and risks very easily. Since the technology department of the organization is very well managed, it would be very easy to implement the security plan effectively throughout the organization and at all levels of the hierarchy.