IT 244 Information Security Policy 1

Information Security Policy

Gennie Diamond

Axia College of University of Phoenix

IT/244 – Intro to IT Security

Jim Bryant

October 10, 2010

 IT 244 Information Security Policy 2

Executive Summary

The goals of this information security policy will be to state the principles and guidelines

for protecting the confidentiality, integrity, and availability of sensitive information and

resources for XYZ Energy. This policy will set forth requirements for securing the network’s

confidential information and data communications infrastructure, in addition to defining detailed

policies in the areas of physical security, access control, and network security.

Assumptions of the security plan defines physical security at each site for the

environment around the network including entry control at each facility, the need and

responsibilities of security staff, and issues around security in common areas. Information

system security defines workplace protection and guidelines for storage, protection, and

maintenance of hardware and network equipment.

Access control policies address user enrollment and all network access privileges, along

with identification and authentication process policies. Finally, network policies are defined for

granting and managing network access while still protecting sensitive company data.

Project constraints can include, but are not limited to, availability of resources needed to

provide appropriate security for each defined security goal; time restraints for meeting these

goals; issues relative to having multi-site facilities; and employee accountability for protecting

the company assets and network operations.

 IT 244 Information Security Policy 3

Introduction

XYZ Energy, a nuclear-powered generating company, has various locations throughout

the United States. With 50 fully operational plants, only two locations serve as backup cold

facility sites. The two backup sites, located in Orlando, Florida and Cincinnati, Ohio, are

responsible for maintaining the network operations for the entire company.

For protecting the company’s network and computer systems, a secure environment is

required to prevent unauthorized access or loss of proprietary information, resources, sensitive

employee information, and government data. To achieve this, security goals need to be in place

in three specific areas that include: (1) physical security, (2) access control, and (3) network

security. This policy addresses and sets requirements for each of these vital areas.
 IT 244 Information Security Policy 4

Physical Security Policy

The physical security policy focuses on various security measures surrounding the

environment of the computer and networked systems.

Security of the Facilities

Each of the 50 XYZ Energy plants needs a secure environment for maintaining the

company’s information – especially the two sites housing the entire network operations. Security

goals need to be effective deterrents against potential threats from both outside and inside

sources. Physical security addresses three important areas of control.

Physical Entry Controls. Entry into any facility requires entry access control. Having

multifactor authentication methods will achieve this goal and can include controls such as

perimeter security devices (gates, locks, fencing, or turnstiles); recognized identification

methods (badges, keys, or smart cards); intrusion detection devices (motion detectors or alarms);

or biometric technology (fingerprint or iris scanning devices). Areas closest to the company’s

network operations systems will require higher levels of security where choice of controlled

entry will be determined by the level of security required in each area.

Security Offices, Rooms, and Facilities. To enforce security and maintain a controlled

environment, a small privately owned security force needs to be on each site. The security

offices, rooms for holding areas and security monitoring, and additional facility requirements

such as cameras and intrusion detectors needs to be strategically located. Additional

responsibility of the security staff will be to handle processing of identification badges, provide

visitor and employee clearance, and assign approved levels of authentication and access control.

Administrative responsibility of all security processes needs to be handled by a security

supervisor.

Isolated Delivery and Loading Areas. These areas are generally unsecured and
 IT 244 Information Security Policy 5

frequently used with few restrictions in place for gaining access. This is an indication that

delivery and loading areas need to maintain a secure distance between common areas and that of

the more highly restricted locations near network operations to ensure continued protection of

the company’s assets.

Security of Information Systems

Preventative security measures need to be in place to provide continued protection of

XYZ Energy’s information systems. This can be addressed in five important areas of control.

Workplace Protection. Unsecured situations (workstations without user password

protection) or shortfalls (unqualified management or staff) could jeopardize the overall security

of sensitive information. It is vital that employees have general knowledge of security policies to

protect against unauthorized access of data and equipment and to prevent hardware theft.

Providing common areas for visitors will allow restrictive access to e-mail and for handling

business without interfering or jeopardizing the network.

Unused ports and cabling. All unused ports and cables must be secured or disconnected

when not in use. Provisional policies need to be in place for special use of ports or external

devices for any visitors to the site, such as employees frequently traveling between site locations,

federal officials auditing government data, or for sales representatives.

Network/server equipment. A secure room or closet with restricted access is needed for

storing network and server equipment. Locked at all times, access is to be granted to information

technology (IT) personnel only by using a two-factor authentication method. Access policies for

additional personnel, such as maintenance staff, will also need to be in place. A controlled

environment is needed to protect the equipment from the elements or accidental damage, servers

need to be bolted in locked server racks, and all windows and doors need to be locked to prevent

unauthorized access, theft, or intentional vandalism. Vulnerable devices such as hubs and routers
 IT 244 Information Security Policy 6

need to be locked in the server room or stored in locked closets.

Equipment maintenance. Maintenance of equipment will be performed by authorized

personnel with appropriate training. Because these employees will be in highly restricted areas

with access to sensitive material and equipment, stringent background security checks and

screening is essential. Specific policies need to be in place for maintenance tasks to be

performed and a predefined schedule needs to be established for each.

Security of laptops/roaming equipment. Because remote access is currently not

available for employees of XYZ Energy traveling between plants, laptops are frequently used to

access corporate information while visiting a site. All information technology equipment,

(specifically laptops, mobile, and roaming devices), need to remain secure from unauthorized

access or potential theft. Because of the company’s databases contain sensitive employee and

government data, a minimum of a two-factor authentication process needs to be in place, such as

prompting a user name and password in addition to using a biometric device or smart card.
 IT 244 Information Security Policy 7

Access Control Policy

To provide protection for XYZ Energy’s information network, this policy addresses

access guidelines to the company’s information and resources.

User Enrollment

Entry of new users will be controlled by the information technology supervisor or an

assigned delegate. Based on the new user’s job specifications or functions, policies will mandate

the level of access to resources and services the user will be granted.

Identification

Users are identified based on specific credentials of identification. A user name

containing a name, initials, or other characters, in addition to a password, uniquely identifies the

individual accessing the system. User names for XYZ Energy will consist of the user’s first

initial and last name with the password consisting of a maximum of 12 characters containing at

least two numeric characters. Passwords will expire 60 days from implementation.

Authentication

System access will require verification of user identification as a means of

authentication. The temporary password assigned to a user will authenticate system privileges.

Once identified, the user is required to change the password to one only the user will remember.

Based on the level of security, additional authentication may also be required. If access to

employee and government information databases is part of a user’s responsibility, further

methods of authentication will be required, such as biometric devices for fingerprint analysis.

Privileged and Special Account Access

Special privilege considerations and access to the system is determined by management

and is based on the user’s position, job responsibilities, and the type of information that needs to

be accessed. From the Chief Executive Officer (CEO) of XYZ Energy to the user’s department
 IT 244 Information Security Policy 8

head, access privileges are evaluated and applied according to granted access control policies.

Remote Access

Access to the network from remote connections or telecommunicating from home

requires additional control mechanisms because of using insecure networks (like the Internet) to

connect into the company’s corporate area network (LAN). User accountability of online

activities requires defined authentication processes for allowing connection without jeopardizing

LAN connections. Guidelines established for network administrators to maintain appropriate

client/server protocols and software in addition to the use of appropriate virtual private network

(VPN) cryptography will enable user remote access to the server. Network administrators

require remote access privileges to maintain all user and network infrastructure security whether

on or off the facility.

 IT 244 Information Security Policy 9

Network Security Policy

Goals of this policy will address network security and provide guidelines for protecting

XYZ Energy’s network operation systems and infrastructure.

Network Access

Restricted user access controls will provide security measures for transmitting and

receiving communicated data through the network. Network privileges are granted based on

policies established for each user’s level of security and are divided into four specific controls.

The controls are: (1) employees dependent of files, services, and resources to handle job

performance; (2) medical staff to allow access to employee health data and company resources;

(3) federal employees to have access to the government database; and, (4) other approved users

(such as sales representatives) for limited access to basic company information.

Network Security Control Devices

This policy will set standards and protocols for devices maintaining security of data

exchanged between outside hosts into the network infrastructure. Firewalls, the devices used to

prevent unauthorized access from external sources, will consist of a packet-filtering router

situated between the network and Internet to protect the infrastructure, as illustrated in Figure 1.

Figure 1. Packet-filtering Router Firewall.

Note. From Mateti, 2008.

The packet-filtering firewall will identify and provide control of traffic “by examining
 IT 244 Information Security Policy 10

the source, destination, port number, and protocol types” (Axia College, 2006, p. 269, para. 5).

Once validated, network authentication for access can proceed.

 IT 244 Information Security Policy 11

References

American Psychological Association. (2001). Publication manual of the American

Psychological Association (5th ed.). Washington, DC: Author.

Axia College. (2006). Week Six reading: Chapter Ten, Access Control Systems and

Methodology. Retrieved October 5, 2010, from IT/244-Intro to IT Security course

website.

Axia College. (2006). Week Six reading: Chapter Twelve, Telecommunications, Network, and

Internet Security. Retrieved October 9, 2010, from IT/244-Intro to IT Security course

website.

Mateti, P. (2008). Packet-filtering. Retrieved October 9, 2010, from

http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/PacketFilter/