Data Classification Standards help Richman Investments consistently define how the organization should handle and secure its various types of data. This report focuses on "internal use only" data and on how each affected domain is governed by these standards. Internal use only data refers to information that may or may not be confidential. It is imperative that our organization keep this information in house and away from the public, and that it recognize the domains that need to be addressed with these rigid standards.
The three domains at the top of the list for our company that will be directly affected are the User, Work Station, and LAN Domains. The following “internal use only” data classification standards should be applied here at Richman Investments.
The User Domain is made up of the employees who have access to the organization's equipment and network, and it is the weakest link in any IT infrastructure, including the one here at Richman Investments.
The amount of social networking and the errors that are made by employees may end up being detrimental to the network and cause data to be lost, tampered with, or stolen. The best way to avoid this would be to implement an Acceptable Use Policy (AUP). This will inform the employees what they can and cannot do with company information, resources, and equipment. Anyone who abuses the AUP will be held accountable for their actions. Employees must have individual permissions for what they can and cannot do in order to make them accountable. It is the responsibility of HR to check the background of each employee thoroughly and follow up with regular evaluations. It is also important that security control audits are performed to secure the system against risks and threats.
The Work Station Domain is important and is directly affected by the “internal use only” standard. The Work Station Domain is the place where the user can access the organization's network and all applications or data on the system.
This Domain requires tight security and access controls. The system will need to be hardened, meaning that all computers will need to have the latest software revisions, security patches, and system configurations. It is also important to only allow company-approved devices in or around the workstation. Our most secure response to the threat of devices around the workstations would be to completely deactivate all CD, DVD, and USB ports. We could also enable automatic antivirus scanning for CDs, DVDs, and USB devices, but I would rather deactivate the ports and not have these available at the workstations. It is important that each user have their own login and password information that is not accessible to anyone else. It is the job of the desktop support group to define and enforce standards to ensure the integrity of the workstations and data. Having logins and passwords for each employee will also ensure that no one outside or within the organization will be able to access any information on their workstations, thus eliminating those threats. The only individuals who will be able to access the network will be those who have been added to the system by an IT administrator.
The LAN Domain is a collection of computers that are connected to one another or to a common medium such as wires, fiber optic cables, or radio waves. The LAN Domain needs strong security and access controls. The threats to this domain include access to hardware closets, switches, database servers, wireless keys, and routers by unauthorized personnel. This is a security risk to the server. In order to ensure these risks are avoided, equipment closets and server rooms must remain secure at all times, whether through lock and key, access locks, or key cards. Wireless contingencies will be in place to prevent leaks of keys, such as changes to access and the use of MAC address tables to verify that devices are authorized. If a device is not authorized, access will be denied. Employees must register all new devices with an IT administrator, and these devices will be monitored to ensure maximum security.
Backup and contingency plans will be in place for any mishap or disaster. This report has outlined three of the domains of the IT infrastructure here at Richman Investments and has shown the security issues and how they will be addressed. Strict policies must be put into place to protect the “internal use only” data as well as the organization's network. This will only come with complete compliance from all parties involved. If the policies are not followed, training and further action will be necessary to avoid any preventable risk to vital data within this organization.
Unit 1 Match Risks/Threats to Solutions. (2016, Oct 16). Retrieved from https://graduateway.com/unit-1-match-risksthreats-to-solutions/