Information Security Policy – Bloom Design Group
Axia College IT/244

Executive Summary

Assumptions:
1. There are sufficient resources and time frames to complete this project.
2. Appropriate Bloom Design Group staff will be available to inform all employees of the security precautions.
3. The project will conform to the requirements set forth by the Sarbanes-Oxley (SOX) Act of 2002.
4. All employees, business associates and vendors will be made aware of the security policies set forth in this document, which must be carried out until further notice.
5. The security standards set forth to carry out this plan have been trialed and proven effective for this policy.

Constraints:
1. Project goals, time frames and deadlines must all be met for the security plan to work effectively.
2. This project depends on the shared resources of the company, financial or otherwise.
3. The project must comply with the SOX Act of 2002 and any other city, state and federal laws that apply.
4. Dealing with offices that are geographically dispersed could hinder coordination and communication.
5. Procedures must be put in place to educate and inform all employees, business associates and vendors affected by the standards set forth in the Bloom Design Group policy.

Introduction

The Bloom Design Group is a company that offers interior design services to businesses and individuals throughout the world. Bloom has a corporate office in New York and a second office in Los Angeles.
The company’s Web site features a virtual decorating tool, which lets clients try out different color and design schemes. This tool allows clients to see what a design project would look like once completed, before actually making color and design decisions. The Web site also gives interior designers access to their client files and company style guides, as well as the ability to electronically process orders for design materials and furniture. The designers use a secure login and a password to gain access to the Web site and its features.

The company’s workforce spends all its time working remotely and accesses the corporate network using a secure VPN.

The Sarbanes-Oxley Act affects corporate operations by creating new standards for corporate accountability as well as new penalties for acts of wrongdoing. It changes how corporate boards and executives must interact with each other and with corporate auditors. It removes the defense of “I wasn’t aware of financial issues” from CEOs and CFOs, holding them accountable for the accuracy of financial statements. The Act specifies new financial reporting responsibilities, including adherence to new internal controls and procedures designed to ensure the validity of financial records.

Physical Security Policy

Security of the facilities

Physical entry controls
1. Restricted Areas / Work Areas
2. Escort Requirements / Visitor Control
3. Fences, Gates, Turnstiles, Mantraps
4. Security Guards / Dogs
5. Badging
6. Key and Combination Locks – All doors entering or exiting the building and all secured areas should have a key or combination lock installed.
7. Lighting – High security areas should have some type of lighting as a deterrent, such as streetlights, floodlights or searchlights.

Security offices, rooms and facilities

Users will have distinct user names issued by the IT department, and passwords must meet the restrictions presented in the access control policy. Prior to being issued a mobile network device, all users will sign paperwork identifying the company asset number they are being charged with and acknowledging that they understand the rules governing the device’s use.

Motion detectors, sensors, alarms and security cameras – Strategically placed devices detect unusual movement within the interior building space.
1. Smart Cards – A smart card resembles a credit card but carries a semiconductor chip with nonvolatile memory and logic. Unlike a security access card with a magnetic strip, the smart card has many uses, including building access control and storing value for consumer purchases.
2. Perimeter intrusion detectors – Metallic foil tape placed on door frames or windows, using contact switches that set off an alarm when the switches are disturbed.
3. Power – Backup power sources such as diesel generators act as a reserve and kick in when the main source of power is interrupted.
4. Fire – Fire detectors placed throughout all buildings, as well as a sprinkler system that comes on automatically in the event of a fire.
5. Heating, Ventilation and Air Conditioning – Uninterrupted ventilation, heating and air-conditioning systems are critical environmental controls, because computers are particularly sensitive to small changes in humidity and temperature.
Isolated delivery and loading areas

Lighting – High security areas should have some type of lighting as a deterrent, such as streetlights, floodlights or searchlights.
Key and Combination Locks – All doors entering or exiting the building and all secured areas should have a key or combination lock installed.

Security of information systems
Workplace protection
Unused ports and cabling
Network/server equipment
Equipment maintenance
Security of laptops/roaming equipment

Access Control Policy

User enrollment
Identification
Authentication
Privileged and special account access
Remote access

All new employees must be registered for access through the IT department. Whenever a new employee needs to be granted access, that employee will report directly to the IT department to have access configured. At this time, the IT department will provide a short training session on the policies governing the use of the computer network. Should an employee’s termination become imminent, the IT department will be informed so that it can prepare the user’s account for termination.

Clients registered to use the web site will be added to a single workgroup governed by the principle of least privilege. Employees will identify themselves to the computer network using the user name assigned to them by the IT department. Authentication will consist of a fingerprint scan and a password that meets the following criteria: six to ten characters in length, at least one upper case letter, one lower case letter, and at least one special character or numeral. Microsoft TechNet (2005) defines a weak password as no password at all, or one that contains your user name, real name, or company name; passwords must not contain any of these.

Employee passwords must not be written down anywhere, and they will expire every three months. New passwords cannot match passwords that have been used within the last year. This password policy applies to all computers on the Bloom network; even clients who register on the web site must abide by it. The Director of Information Security will have sole discretion over the creation of privileged and special user accounts, with the CIO having access to all user accounts for security purposes.
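As an added example, not part of the original policy document, the following Python validator encodes the password rules this section states: six to ten characters, an upper-case and a lower-case letter, a digit or special character, no occurrence of the user name, real name or company name, no match against any password used in the last year, and expiry after three months (read here as 90 days). The Account and HistoryEntry classes, the PBKDF2 history hashing, the sample user "jdoe" / "Jane Doe" and the company name "Bloom" are assumptions made for the example. As a caveat, NIST SP 800-63B advises against mandatory composition rules and periodic expiry and sets a minimum length of 8 characters, so the limits below should be treated as this policy's stated values rather than current best practice.

```python
"""Password-policy validator for the Bloom Design Group rules quoted above.

Added example; not code from the original policy document. Rules encoded:
  - 6 to 10 characters
  - at least one upper-case and one lower-case letter
  - at least one digit or special character
  - must not contain the user name, real name or company name (weak-password rule)
  - must not match any password used in the last 365 days
  - expires 90 days after it was set (the policy says "every three months")
Identity data and history entries below are constructed sample values.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 6, 10
HISTORY_DAYS = 365
EXPIRY_DAYS = 90          # assumption: "three months" read as 90 days
COMPANY_NAME = "Bloom"    # sample value for the company-name rule


def _hash(password: str, salt: bytes) -> bytes:
    # History entries store a salted PBKDF2-HMAC-SHA256 digest, never the password itself.
    # The iteration count is chosen for illustration only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    set_on: datetime


@dataclass
class Account:
    user_name: str
    real_name: str
    history: list = field(default_factory=list)

    def matches_recent(self, candidate: str, now: datetime) -> bool:
        """True if candidate equals any password set within the last HISTORY_DAYS."""
        cutoff = now - timedelta(days=HISTORY_DAYS)
        for entry in self.history:
            if entry.set_on >= cutoff and _hash(candidate, entry.salt) == entry.digest:
                return True
        return False

    def set_password(self, password: str, now: datetime) -> list:
        """Apply the policy; on success record the new password and return []."""
        problems = check_policy(password, self, now)
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append(HistoryEntry(salt, _hash(password, salt), now))
        return []

    def is_expired(self, now: datetime) -> bool:
        # No password on record counts as expired so the user is forced to set one.
        if not self.history:
            return True
        return now - self.history[-1].set_on > timedelta(days=EXPIRY_DAYS)


def check_policy(password: str, account: Account, now: datetime) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("needs a digit or special character")
    lowered = password.lower()
    names = (("user name", account.user_name),
             ("real name", account.real_name),
             ("company name", COMPANY_NAME))
    for label, name in names:
        # Check each word of the name; words under 3 characters (initials) are skipped (assumption).
        for part in name.split():
            if len(part) >= 3 and part.lower() in lowered:
                problems.append(f"must not contain the {label}")
                break
    if account.matches_recent(password, now):
        problems.append(f"reused within the last {HISTORY_DAYS} days")
    return problems


if __name__ == "__main__":
    today = datetime(2024, 1, 1)                    # constructed clock value
    acct = Account("jdoe", "Jane Doe")              # constructed sample user
    print(acct.set_password("Ab1!ef", today))       # [] : accepted
    print(check_policy("Bloom2024!", acct, today))  # company-name violation
    print(acct.is_expired(today + timedelta(days=91)))
```

The rule checks are kept independent so that a user sees every violated rule at once rather than fixing them one at a time; the history check compares against hashes only, so the validator never needs to keep old passwords in clear text.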
Network Security Policy

Network access
Network security control devices

In addition to the recommendations listed above, the separation of duties principle should be employed to determine who is allowed entry into the computer room, as well as to define the type of entry that will be permitted. To implement this principle, it is necessary to define three separate environments: one for software development, one for end-user access and one for quality assurance testing of applications. System security administration personnel (rather than the programmer) will promote software from environment to environment when it has been approved for use, thus effectively employing the separation of duties principle.

Ten recommendations for establishing a secure computer room within this company’s facility:
1. Make sure that the server for the Bloom Design Group is secured.
2. The company’s files need to be kept secure; therefore, to keep the server secure, locks should be applied to the room, or swipe-card entry should be installed on the door of the area where the server is located.
3. A surveillance camera should be put in place to thoroughly secure the area where the server is located.
4. Secure the transport layer – hardware-based accelerators are the preferred way to secure the transport layer while maintaining high performance for transactions via the Internet.
5. Implementing XML filtering will allow managers to set rules structured around network-level information and message content for customers making purchases online.
6. By encrypting message fields, Bloom Design Group can keep the information transmitted via electronic communication safe from hackers and intruders.
7. Company policy for registering on the remote web site should encourage users to use strong passwords to help protect against unauthorized access.
8. Bloom Design Group does most of its work remotely using a secured VPN; therefore, the security infrastructure has already been established for this company as it pertains to the use of the Internet and file sharing between the company and its clients. A secured VPN makes it possible to protect the data that the clients and the interior designers share via the Internet.
9. Using a trusted computing base (TCB) in the Bloom Design Group’s information system will provide reliability, effectiveness and security, because it has gone through formal testing and validation.
10. Bloom Design Group will have different layers of security. Customers on the Internet will only be allowed certain access; further layers of management exist for different security purposes.

References

American Psychological Association. (2001). Publication manual of the American Psychological Association (5th ed.). Washington, DC: Author.
http://gbr.pepperdine.edu/031/sarbanesoxley.html
Information Security Policy – Bloom Design Group. (2018, May 25). Retrieved from https://graduateway.com/information-security-policy-bloom-design-group-essay/