Gennie Diamond
Jim Bryant
Executive Summary
The goals of this information security policy will be to state the principles and guidelines
for protecting the confidentiality, integrity, and availability of sensitive information and
resources for XYZ Energy. This policy will set forth requirements for securing the network’s
policies in the areas of physical security, access control, and network security.
Assumptions of the security plan define physical security at each site for the
environment around the network including entry control at each facility, the need and
responsibilities of security staff, and issues around security in common areas. Information
system security defines workplace protection and guidelines for storage, protection, and
Access control policies address user enrollment and all network access privileges, along
with identification and authentication process policies. Finally, network policies are defined for
granting and managing network access while still protecting sensitive company data.
Project constraints can include, but are not limited to, availability of resources needed to
provide appropriate security for each defined security goal; time constraints for meeting these
goals; issues relative to having multi-site facilities; and employee accountability for protecting
Introduction
the United States. With 50 fully operational plants, only two locations serve as backup cold
facility sites. The two backup sites, located in Orlando, Florida and Cincinnati, Ohio, are
responsible for maintaining the network operations for the entire company.
For protecting the company’s network and computer systems, a secure environment is
employee information, and government data. To achieve this, security goals need to be in place
in three specific areas that include: (1) physical security, (2) access control, and (3) network
security. This policy addresses and sets requirements for each of these vital areas.
IT 244 Information Security Policy 4
The physical security policy focuses on various security measures surrounding the
Each of the 50 XYZ Energy plants needs a secure environment for maintaining the
company’s information – especially the two sites housing the entire network operations. Security
goals need to be effective deterrents against potential threats from both outside and inside
Physical Entry Controls. Entry into any facility requires entry access control. Having
multifactor authentication methods will achieve this goal and can include controls such as
methods (badges, keys, or smart cards); intrusion detection devices (motion detectors or alarms);
or biometric technology (fingerprint or iris scanning devices). Areas closest to the company’s
network operations systems will require higher levels of security where choice of controlled
Security Offices, Rooms, and Facilities. To enforce security and maintain a controlled
environment, a small privately owned security force needs to be on each site. The security
offices, rooms for holding areas and security monitoring, and additional facility requirements
responsibility of the security staff will be to handle processing of identification badges, provide
visitor and employee clearance, and assign approved levels of authentication and access control.
supervisor.
Isolated Delivery and Loading Areas. These areas are generally unsecured and
frequently used with few restrictions in place for gaining access. This is an indication that
delivery and loading areas need to maintain a secure distance between common areas and
the more highly restricted locations near network operations to ensure continued protection of
XYZ Energy’s information systems. This can be addressed in five important areas of control.
protection) or shortfalls (unqualified management or staff) could jeopardize the overall security
of sensitive information. It is vital that employees have general knowledge of security policies to
protect against unauthorized access of data and equipment and to prevent hardware theft.
Providing common areas for visitors will allow restrictive access to e-mail and for handling
Unused ports and cabling. All unused ports and cables must be secured or disconnected
when not in use. Provisional policies need to be in place for special use of ports or external
devices for any visitors to the site, such as employees frequently traveling between site locations,
Network/server equipment. A secure room or closet with restricted access is needed for
storing network and server equipment. The room is to be locked at all times, with access granted
to information technology (IT) personnel only, using a two-factor authentication method. Access policies for
additional personnel, such as maintenance staff, will also need to be in place. A controlled
environment is needed to protect the equipment from the elements or accidental damage; servers
need to be bolted in locked server racks, and all windows and doors need to be locked to prevent
unauthorized access, theft, or intentional vandalism. Vulnerable devices such as hubs and routers
personnel with appropriate training. Because these employees will be in highly restricted areas
with access to sensitive material and equipment, stringent background security checks and
available for employees of XYZ Energy traveling between plants, laptops are frequently used to
access corporate information while visiting a site. All information technology equipment
(specifically laptops, mobile, and roaming devices) needs to remain secure from unauthorized
access or potential theft. Because the company’s databases contain sensitive employee and
prompting a user name and password in addition to using a biometric device or smart card.
To provide protection for XYZ Energy’s information network, this policy addresses
User Enrollment
assigned delegate. Based on the new user’s job specifications or functions, policies will mandate
the level of access to resources and services the user will be granted.
Identification
containing a name, initials, or other characters, in addition to a password, uniquely identifies the
individual accessing the system. User names for XYZ Energy will consist of the user’s first
initial and last name with the password consisting of a maximum of 12 characters containing at
least two numeric characters. Passwords will expire 60 days from implementation.
Authentication
authentication. The temporary password assigned to a user will authenticate system privileges.
Once identified, the user is required to change the password to one only the user will remember.
Based on the level of security, additional authentication may also be required. If access to
methods of authentication will be required, such as biometric devices for fingerprint analysis.
and is based on the user’s position, job responsibilities, and the type of information that needs to
be accessed. From the Chief Executive Officer (CEO) of XYZ Energy to the user’s department
head, access privileges are evaluated and applied according to granted access control policies.
Remote Access
requires additional control mechanisms because of using insecure networks (like the Internet) to
connect into the company’s corporate local area network (LAN). User accountability of online
activities requires defined authentication processes for allowing connection without jeopardizing
client/server protocols and software in addition to the use of appropriate virtual private network
(VPN) cryptography will enable user remote access to the server. Network administrators
require remote access privileges to maintain all user and network infrastructure security whether
Goals of this policy will address network security and provide guidelines for protecting
Network Access
Restricted user access controls will provide security measures for transmitting and
receiving communicated data through the network. Network privileges are granted based on
policies established for each user’s level of security and are divided into four specific controls.
The controls are: (1) employees dependent on files, services, and resources to handle job
performance; (2) medical staff to allow access to employee health data and company resources;
(3) federal employees to have access to the government database; and, (4) other approved users
This policy will set standards and protocols for devices maintaining security of data
exchanged between outside hosts into the network infrastructure. Firewalls, the devices used to
prevent unauthorized access from external sources, will consist of a packet-filtering router
situated between the network and Internet to protect the infrastructure, as illustrated in Figure 1.
the source, destination, port number, and protocol types” (Axia College, 2006, p. 269, para. 5).
References
Axia College. (2006). Week Six reading: Chapter Ten, Access Control Systems and
website.
Axia College. (2006). Week Six reading: Chapter Twelve, Telecommunications, Network, and
website.
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/PacketFilter/