|Chief Information Officer|
|24 April, 2016|
|Security Plan Recommendations|
The document shows a security plan that will be implemented to ensure that the data in the system and the systems themselves are secure from any unauthorized access that may affect the confidentiality, privacy and the integrity of the data that is stored in the systems. It also offers a good backup plan management process that will ensure that other than just backup the physical files the data that is stored in the systems is backed up in real time hence reducing the chances of data loss in case of any event that may compromise the data and the systems.
The document then provides a list of various technologies that will be implemented to ensure that the network is secure from harmful data and systems and unauthorized access and hence reducing the chances of compromise of then network. It also gives various measures including password management system, data backup processes and systems and also intrusion detection systems.
Security Strategy to be implemented
The security strategy that will be implemented will be aimed at improving the current security standards of the company and to help deal with the various short comings that have been identified in the Risk assessment that was carried out. There are different aspects of security that will be covered in the security plan so as to ensure that both the physical and the data security of the systems are ensured.
The executive management of the company will be responsible in ensuring that all the aspects of the security strategy are implemented including the various policies that have been set to ensure the security of the systems and the physical security of the backup disks. The executive management team will include the senior management of the organization, CIO and Business and functional managers within the organization.
The company will develop a data owner matrix that will be used to define the people who are responsible for the various types of data that will be stored in the systems. This will help in ensuring that the problem of non-repudiation is solved by ensuring that during the various audits that will be carried out, questionable activities on the data can be assessed and the people responsible identified. All IT assets will then be well documented and issued to specific people who can then be monitored and followed up in case there is any issue with the assets.
The information in the system shall be classified into either public or private or confidential information so as to ensure that different levels of security measures are implemented at each type of the information and hence offering appropriate level of privacy that will be required for each type of information. Public information will be available to everyone either within the organization or outside the organization, private information will be internal information that is only available to specific people within the organization while confidential information will be highly guarded information that will be available to a few people within the organization (Kim & Solomon, 2010).
Identity and access management will be carried out to ensure that before people are allowed to access the data stored in the system and the various physical data files locations, they are accurately authenticated before the authorization is issued to them. People who are authorized to access the data centers where the physical backup files are stored will be biometrically authenticated before they can be allowed access to these locations. In accessing the various databases, users will be issued with passwords that will be changing every 20 days to ensure that the authentication process is accurate and effective (Sharman, 2011).
The other aspect that will be handled is authorization. This allows users to be given authority to access various functionalities, data and locations within the systems. This ensures that before people can access data and systems they are allowed and given the necessary authentication details. It will also help in ensuring that before various systems can access the data they are given authorizations to access the systems. The various access rights that will be created will then be entered into the system so as to ensure that the rules of authorization created can be used to authenticate and assign the various privileges are assigned based on the responsibilities of the various resources.
In various instances where remote access of the various hardware and software items is required, secure, authenticated, centrally managed and permitted methods will be used. This will help in ensuring that as the remote access processes are being implemented to access the various offsite data centers, locations where the systems have been implemented and the various hardware locations, secure methods that cannot be compromised are used. When accessing sensitive data, the data will not be stored locally so as to ensure that the confidentiality and integrity of this data is maintained.
The other aspect of security that will be focused on is network security. The connection between the various hardware and software applications that are owned by the company with the outside environment will have to be secure so as to ensure that no damage is caused by attacks or access from unauthorized users. This will be achieved by implementing firewalls and various network filtering technology so as to ensure that no harmful materials access the network (Vacca, 2013).
A monitoring plan will also be implemented to ensure that there is constant monitoring of all the systems and the hardware applications to ensure that any security incidences that may arise are identified and rectified to reduce their impact on the IT systems. The monitoring plan will also offer a chance for the security management team to identify various arising issues that they may have to deal with as the systems grow and as more users are added into the system. This will be very useful in ensuring that any security vulnerabilities are identified as soon as possible (Kleidermacher & Kleidermacher, 2012).
The other aspect that will be well defined is backup and recovery process. From time to time, which will be defined in the backup and recovery plan, all data in the system will be backed up so as to provide information that will be used to recover the system in case of any compromise by helping return the system and data back to its original state. The backup process will ensure that all the data and the various files are adequately and systematically backed up. The records of all the data that is backed up and to where it is backed up should be maintained so as to ensure that it is easy to trace the data and recover the systems. Regular tests will be carried out to ensure that the backup process is well implemented and is going to work when need be.
In security the various locations where backup files are stored, physical security measures will be implemented to ensure that these locations are well secure. Areas with sensitive information will be restricted to many people and only people who are responsible for the various activities in the data centers will be allowed access. Various other physical security measures will be implemented including alarms and surveillance systems to detect unauthorized access, equipment control to ensure that all IT hardware equipment are safe. Various other physical security measures will also be implemented to ensure that the physical data files are secure.
In the achievement of the various IT security strategies that will be required in achieving the set standards of IT security, various technologies will be used to achieve this and various changes in the network structure so as to achieve high network security.
In the protection of the network, firewalls will be implemented in the networks to filter out harmful materials that may enter the network and which may compromise the system. The other network technology that will be used in ensuring that the whole network is well protected, network sniffers and intrusion detection systems will also be implemented so as to ensure that any unauthorized systems and any other harmful materials that may enter the network without authorized are detected before they cause any harm into the network and especially to the systems and data in the system (Singh, 2011).
Surveillance cameras and alarms will be used to achieve physical security of the offsite locations where data files which are used to backup data are stored. They will help in monitoring the activities that take place in these locations and notifying the relevant people responsible for the security of the places in case there is intrusion by unauthorized people. This will help in ensuring that the physical security of the data centers is ensured and also help in taking corrective measures to prevent future attacks for this areas.
To achieve the backup requirements of the data centers, modern data centers that will be used to store backup data will be created. Modern servers which can do not require disks to backup data will be used to backup data. These will also ensure that there is the automation of the backup process and hence ensure that the various human inefficiencies that lead to ineffective data backup are reduced and ensure that the timelines for backing up data are reduced and hence ensuring that the chances of losing data are reduced.
The other technology that will be used to ensure that high security standards are maintained is the use of secure channels of communication including VPNs which will ensure that the various systems that are integrated use virtual private networks to communicate hence protecting access of the data that is being carried in these channels from unauthorized access and hence protecting the integrity and confidentiality of the data.
Encryption will be used to ensure that all the data that is carried through the various networks and that is stored in the databases is protected using secure and private keys hence ensuring that the only people and systems that can access the data are the ones who possess the key that was used to encrypt the data. This ensures that only limited people and systems who are authorized are the only ones can access the data in these systems. This also ensures that in case the data is accessed by unauthorized users, they cannot be able to use the data to cause any harm as it is not in the language which can be understood (Raney, 2012).
Password management systems will be very useful in the management of the security of the data and systems. Most users do not use strong passwords and take long time to change their passwords hence affecting the strength of these passwords. This means that they have to either be reminded or policies created to ensure that this is changed. To ensure that such situations are avoided, password management system will be implemented to manage the passwords that are issued to the users and ensure that these passwords meet the set policies and they are often changed to ensure they offer effective
Kim, D. Solomon, M. G. (2010). Fundamentals of Information Systems Security. Burlington: Jones & Bartlett Publishers.
Kleidermacher, D. Kleidermacher, M. (2012). Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development. Philadelphia: Elsevier.
Mjølsnes, S. F. (2015). Technology and Practice of Passwords: International Conference on Passwords, PASSWORDS’14, Trondheim, Norway, December 8-10, 2014, Revised Selected Paper. Berlin: Springer.
Raney, M. J. (2012). Encryption. Indianapolis: Dog Ear Publishing.
Sharman, R. (2011). Digital Identity and Access Management: Technologies and Frameworks: Technologies and Frameworks. Pennsylvania: IGI Global.
Singh, B. (2011). Network Security and Management. New Dehli: PHI Learning Pvt. Ltd.
Vacca, J. R. (2013). Network and System Security. Philadelphia: Elsevier.