Department of Computer Information Systems, College of Business Administration, Georgia State University, Post Office Box 4015, Atlanta, Georgia 30302-4015, USA
Tel. +1 404.651.3880, Fax +1 404.651-3842, Internet baskerville@acm.org
These pages are for use of students taking the above course at the Georgia State University and are not intended for the general public.
1. Policy: "Concordia Casting will implement and maintain information security management
policies to protect their information assets, shareholders, employees, customers and trading
partners, and to ensure compliance with all applicable laws and regulations"
2. Rationale: "The Concordia Casting information security plan must deal with critical risks
and potential threats to its information asset in a manner commensurate with due care for
business continuity and achieving organizational goals, priorities, principles and strategies.
Security policies will be applied equally across the organization, and will strike a balance
between ease of use, relative cost, feasibility and availability of
resources."
Classification Policy
General Policy on Classification
1. Policy: All of the following policies should be applied company wide.
2. Objective: To ensure standardized policies are in effect for all
areas of the company.
3. Statement: Having uniform policy has the benefit of ensuring that
information and information systems are handled consistently throughout
the company.
4. As a general classification this works, but these classifications fail
to allow for cross-classification by functional area. Each area of the
organization may need its own group classification, which in turn would
limit access at the same level to users within its own group.
Information Sensitivity Classification
1. Policy: All data, regardless of its form of design, storage or dissemination,
must be classified into one of three standard data sensitivity categories:
1. Secret
Any information that is for use within the Company and whose unauthorized leak or release could expose the Company and its investors, creditors, business partners and customers to the risk of losing reputation, financial interest or competitive advantage. This information is available only to approved individuals.
2. Confidential
Any information that is for use within the Company and whose unauthorized leak or release could expose the Company and its investors, creditors, business partners and customers to the risk of losing reputation, financial interest or competitive advantage. However, this information is available to entire departments. (Note: It is here that departments can specify further levels of classification in their individual policies.)
3. Public
Information available for public consumption without any harm to the
company or its business partners.
2. Objective: To adequately manage, protect and distribute all information
having varying degrees of sensitivity and criticality within an organization,
and to ensure that sensitive data is not to be released to unauthorized
people.
3. Statement: Users who are authorized to access information at a given
sensitivity level should have the corresponding level of security clearance
or authority. A security administrator should administer this system, i.e.,
administer and register user authorizations, and there should be a manual
that describes how to use this system. Violation of this regulation is
subject to discipline.
Data Access Authorization Classification
1. Policy: Authorization is tied to the sensitivity level of the data and
systems being accessed. As data sensitivity rises, so does the need for
strict access authorization. The following three levels of authorization
should be maintained throughout the Company:
1.1. High Authorization
Required for highly sensitive or secret data. Authentication should
be checked frequently and on an individual basis to guard against unauthorized
access. (Example: access to files or machines is checked at each access)
1.2. Medium Authorization
Required for highly sensitive or confidential data. Authentication should
be checked occasionally and (at least) on a group basis to guard against
unauthorized access. (Example: access to the company building may be checked
once a day)
1.3. Low Authorization
Required for unclassified confidential data.
2. Objective: To ensure that data and systems are properly protected
according to their sensitivity level.
3. Statement: Proper disposal of passwords and IDs should be followed.
The Company's clients should be aware of when, how and under what circumstances
they should access data.
Equipment Classification
1. Policy: All Company equipment acquired or in use by the company must
be classified into one of the following categories.
1.1. Mission Critical
Loss of this equipment would immediately halt company operations.
(Example: Loss of all web servers at Amazon.com)
1.2. Highly Essential
Loss of this equipment would immediately hinder company business, but
would not halt operations. (Example: Loss of a communication channel into
the Amazon.com web farm)
1.3. Essential
Loss of this equipment would cause a hindrance to company business
only if the loss was sustained for a prolonged period of time. (Example:
Loss of the internal e-mail system between employees at Amazon.com)
2. Objective: To ensure that all company equipment is classified according
to its business value.
3. Statement: Classifying equipment based on its business value ensures
that the proper amount of security will be used to protect the asset.
Virus Policy
Organizational definition of virus.
1. Policy: Insofar as the company is concerned, the term "virus" is
defined as any unauthorized instructions (including "worms" and instructions
embedded in data) which are introduced into any company computer resources,
including, but not limited to, hardware, software, networks, program files,
and data. The terms "virus" and "malicious software" may be used interchangeably.
2. Rationale: Definition of the term "virus" is required to prevent
any confusion as to the meaning of the term as well as to establish a standard
by which offenses can be judged.
3. Examples: This can include code from external sources that copies
itself into company resources (traditional viruses or worms), or code written
by an employee that performs unauthorized actions such as capturing passwords.
General organizational policy on virus protection.
1. Policy: Precautions shall be instituted to safeguard, prevent, and
detect the introduction of malicious software into any and all of the organization's
computerized systems.
2. Rationale: Protection of company-wide computer resources is necessary
in order both to reduce the risk of the introduction of malicious software
and to safeguard against subsequent loss or damage. Regular system audits
should be a defined part of the detection procedures.
3. Examples: This policy will mandate creating a write-protected copy
of all writable software distribution media when it is received from the
vendor. Other procedures derived from this policy will address the sources
from which software and hardware can be obtained (perhaps companies with
no operations in countries that are hostile to the US or that have a big
problem with virus creation), and will address how frequently IS auditors
must check for compliance with all virus policies. This policy will have
procedures which stipulate specifically which company-wide resources shall
be safeguarded through appropriate measures. Examples of resources include,
but are not limited to, networks, computers, servers and data. This policy
will also include a mandate which prohibits the writing of software, to be
used on company-wide resources, that uses too much of the system resources.
Computer resource policy on virus protection.
1. Policy: There shall be formal procedures to ensure the routine control
and monitoring of company-wide hardware and software for the introduction
and/or existence of malicious software.
2. Rationale: Routine monitoring of all company-wide system platforms,
including, but not limited to, scanning of disks, scanning of e-mail accounts,
scanning of downloaded information, and system audits, is required in order
to proactively protect the organization's systems and to detect the introduction
of any malicious software.
3. Example: This policy will have procedures that stipulate which virus
detection programs must be used to scan all disks, CDs, or files from other
sources (e.g. downloads) being brought into the company (from any source).
It will also explain when complete scans of disks are required (perhaps
once a month or at system boot-up).
Organizational virus recovery policy.
1. Policy: Company-wide measures, which include timely recovery plans
and pre-defined incident response practices, shall be implemented to restore
the integrity and availability of computer resources in the event of a
virus.
2. Rationale: Routine procedures should be in place for backing up data
so that copies are available in the event that a virus damages the integrity
of company data. Once the spread of a virus has been detected, the company
shall follow pre-defined incident response and mandatory reporting practices,
including locating and identifying the virus source, stopping the future
spread of the virus, identifying damage, rectifying the damage, and prosecuting
associated illegal activities to the fullest extent of the law. This policy
seeks to ensure that company data can be recovered in the event of a loss,
to contain losses, and to deter willful assault on the system.
3. Examples: Procedures will address how frequently backups must be
performed, the method of backup (target media, software used to perform
the backup), the storage and retention of backups (including off-site locations
and how long to retain them), protection and security of backup media, and
procedures for identifying the source of the viruses (including the conduct
of interviews with employees) once infested equipment has been identified,
isolated, and cleaned. Procedures will also address the following: viruses
must be reported immediately, users shall not attempt to eradicate viruses
once discovered, the reporting of any software malfunctions is mandatory,
and the organization and maintenance of a company-wide virus response team.
Organizational penalty policy regarding malicious software.
1. Policy: Company-wide penalties shall be defined, and consistently
enforced in the event a virus is introduced.
2. Rationale: A company-wide policy is necessary to specify the penalties
associated with violation of the policy. This policy must specify appropriate
penalties based upon the employee's history of violations, nature of the
violation, and severity of the resulting damage. This permits consistent
punishment, and provides a deterrent to violation of the policy.
3. Examples: This policy shall have procedures which classify the type
of violation: with malicious intent, willful but without harmful intent,
careless, or accidental but while exercising due care. The procedures shall
explicitly define what punitive action will be taken. For example, for
the first careless violation, the individual might be orally reprimanded
by his/her superior. On the second careless violation, the sanction might
be a written reprimand in the HR file. The third violation might eliminate
eligibility for annual performance bonuses. Any violation with malicious
intent to destroy company assets (including information) might result in
dismissal and prosecution.
Vendor virus policy.
1. Policy: All vendors shall be obligated to prevent the introduction
of viruses into the company, and shall be held liable if they violate this
policy.
2. Rationale: On-site consultants shall be contractually compelled to
comply with the company's virus policies, and software purchased from outside
sources must be certified to be virus free. When a virus is introduced
because the consultant or software vendor failed to check for a virus,
they must be obligated to compensate the company for any loss.
3. Example: The procedures could establish a method of calculating the
amount of damage caused by an infestation, perhaps a dollar amount for
each type of system that can be infected (critical OLTP database, non-critical
PC workstation, etc.) which can be multiplied by the number of systems infected.
This amount could include the cost of personnel to recover the system,
the lost productivity of users, and lost sales or output for mission-critical
systems. Procedures would also be needed to identify how evidence of the
source of the infection must be handled in order to protect the integrity
of the investigation and to facilitate successful enforcement of this policy.
Policy on use of external resources.
1. Policy: Only company-owned and managed hardware, software, and peripherals
shall be connected to company computing resources (including networks).
2. Rationale: This policy seeks to prevent the introduction of a virus
from external resources that have not been adequately protected from infection.
This policy also helps ensure that only properly licensed software is used.
The actual procedures which implement this policy could include an exception
mechanism that permits the use of hardware or peripherals with the approval
of IS, which would ensure that the device is clean (e.g. reload the OS
on hardware from the original disks, scan any configuration diskettes for
peripherals, etc.).
3. Example: The procedures would need to identify the official method
of procuring resources and how this procurement would be tracked. There
would need to be procedures which address who can make exceptions, and
under what circumstances. For example, the director of IS can authorize
the use of personally-owned hardware when that equipment does not have
updatable instructions, the owner is properly licensed to use that equipment,
and the license would apply while the company uses the equipment. Updatable
instructions might require a procedure which specified how the instructions
can be scanned for viruses, or verified against the original source to
ensure that the instructions (software) have not been modified. Examples
of "only company owned software which shall be connected to company computing
resources" would exclude games brought in from the employee's home computer
and loaded onto the company's computers.
Personnel Policy
Organizational Security Management
1. Policy: Concordia Casting will implement and maintain management
of information security through a committee made up of at least one appointed
information security representative from each department within the corporation;
this group will be managed by the manager of IT.
2. Rationale: In order for information security efforts to be successful
within the corporation, Concordia Casting must provide management of the
information security policies. For successful information security, it
is necessary to provide the personnel and management to carry out the following
functions: identifying needs for security policies, writing and implementing
these policies, making users aware of information security policies, enforcing
such policies, and implementing any consequences resulting from a violation
of any information security policy.
3. Safeguards: This policy is intended to define the responsibilities
of the information security committee and to make certain that this committee's
existence is maintained, that the committee remains active and that it
performs the duties outlined by the policy and rationale.
Employee Notification of Security Policies
1. Policy: Each information security representative from the Management
of Information Security Committee will be responsible for making sure that
all company employees in his/her department receive copies of security
procedures, acknowledge in writing the receipt of these procedures and
sign an agreement to follow them.
2. Rationale: Notification of the policies and procedures to all employees
serves as an initial step in the process of enforcement of these policies.
The employees need to be made aware of the policies and procedures before
they can practice them.
3. Safeguards: The system will monitor the activity of each user, and
a system-generated email will be sent to any user who attempts to access
files and other data to which he or she does not have privileges. This
email would be sent up to three times to warn the user about the unauthorized
attempts. After 3 such emails, disciplinary action may be taken against
him/her. However, every employee will be informed at the time of hire that
their activity could be monitored and that any attempt to gain unauthorized
access could lead to disciplinary action against them.
Use of Company Information for Non-Business Purposes
1. Policy: Company information and information resources (software,
hardware) are to be used only for official Company business.
2. Rationale: This policy is necessary to limit the Company's liability
and expenses, and to protect against use of information for purposes other
than was intended.
3. Safeguards: [Limited personal use is tolerated, but without this
policy, the company might find it hard to prosecute employees who abuse
their privileges.] Standardization of software on PCs may prevent or inhibit
someone from running their own publishing company or accounting service
from work. Monitoring print queues may catch undue usage on off-hours.
The implicit threat of dismissal would be the biggest deterrent.
Need-to-Know Access of Information
1. Policy: The Management of Information Security Committee shall be
responsible for granting computer and communication system privileges to
each system user on a need-to-know basis. Any requests for additional
communication system privileges should be made to the Committee for approval.
2. Rationale: Concordia Casting wants to prevent employees from monitoring
the activities of other users, browsing the files in their accounts and
making unauthorized and inaccurate changes to the personal data of other
employees without their knowledge. The company wants to prevent employees
from accessing company information for which they are not authorized and
from disseminating this information either internally or externally.
3. Safeguards: Employees will be assigned different passwords depending
on their job responsibilities. The password of an employee will expire
immediately once they are no longer on the payroll. The access rights
of employees whose job responsibilities change will be immediately reviewed
and changed by the committee accordingly.
Restriction on Disclosing Company Information
1. Policy: Company employees may not disclose any internal information,
except Public information, to third parties. Third parties may be given
access to non-Public information, only after written authorization has
been granted by Company management in whose department the information
originates.
2. Rationale: This policy is necessary to clarify employee responsibilities
in terms of the Classification Policies, and covers areas not addressed
elsewhere: a) employee actions after they have been granted access, and
b) disclosing information from another department. The general objective
is to minimize Company financial and employee personal risks.
3. Safeguards: Written permission is needed to fax, copy, tell, or otherwise give
non-Public information to third parties. That and the threat of prosecution
are general deterrents to violating the policy. Physical records (employee
records, R&D test results, product prototypes) may be locked to prevent
their leaving the site.
Confidentiality Agreement
1. Policy: Every Concordia Casting employee and contract employee shall
sign the standard Company Confidentiality Agreement upon hire. All third
parties, such as vendors, consultants, and inspectors, who may have access
to non-Public Company information must sign a similar standard Confidentiality
Agreement.
2. Rationale: This policy and the contract itself are necessary to give
the Company a sense of trust toward the employee and any authorized third
parties, and confidence in its legal ability to prosecute violators.
3. Safeguards: The policy is intended to protect trade secrets, designs,
strategic plans, and other information vital to the Company's success from
falling into a competitor's hands. Having to sign such an agreement at
all is the biggest deterrent to violating it. The Company may enforce the
agreement by prosecuting violators, thus deterring future violations.
Password Policy
1. General policy. The computer systems and information resources of
the Concordia Casting Company can only be accessed with a combination of
a valid user id and password by authorized employees and other authorized
associates (e.g. partners, vendors, consultants, and others who are currently
using the system). Due care must be exercised to ensure the proper use
and protection of an individual's password.
2. Locus of responsibility and sanctions. It is the employee's sole
responsibility to strictly follow the password policy and use the password
properly. An employee will be held responsible for security breaches that
result from intentional disclosure or mishandling of a password. Failure
to adhere to the password policy may cause an employee to be disciplined or
even fired.
3. Scenario. The Concordia computer systems contain both sensitive company
and employee information that must be protected. On the one hand, passwords
provide a channel for legitimate use of the systems. On the other hand,
passwords are also the primary defense against any attempt at unauthorized
access. If an unauthorized person obtains a password, that person then has
significant privilege and power to use the system, which leaves the company
and employee information very vulnerable. Therefore, an employee must take
responsibility for protecting computer security by using passwords properly.
Failure to adhere to the password policy may cause an employee to be disciplined
or even fired. Access to Concordia computer systems by outside businesses
is governed by the overall Corporate computer security policies. Specific
guidelines and procedures must be predetermined at the Corporate level.
A password policy for outside users must be established to meet both business
needs and security considerations.
4. Policy Specifics and Implementation Examples:
4.1 Keep personal password personal.
A password should not be shared with anyone under any circumstances. Users
having special information needs must contact the Concordia CIS department
for authorization and assistance.
Under no circumstances should a password be written down explicitly.
This is to minimize the possibility that the password might be made accessible
to others.
4.2 Choice of password.
A password should be chosen carefully so as to make it difficult to
decode. A combination of alphanumeric characters should be used. A
good password example: Xk1As7; bad password examples: jonhdoe, secret.
4.3 Change of password.
A new password is required periodically. For instance, passwords for
system-level accounts should be changed once every month, while those for
less sensitive accounts should be changed every 3 months.
An old password will not be allowed for reuse regardless of the time passed.
A record of previous passwords and matching users will be retained to
automatically deny attempts to reuse old passwords.
4.4 Concurrent usage monitoring.
Concurrent logins on multiple machines using the same password
are not allowed and will be denied. A user can only log in at one machine
at a time. Specific exceptions can be granted by the IT department and security
personnel.
4.5 Security monitoring.
All access to the Concordia computer systems will be recorded and monitored
through a detailed password login program.
Employees are required to pay attention to the time they last logged in so
as to detect possible intrusion. Employees are also required to report
any concerns regarding the use of passwords, and any observation of suspicious
activity should be reported immediately to company officials.
Only three consecutive attempts will be allowed for logging into the system.
After that, the employee must obtain clearance from the CIS department immediately
to set up a new password.
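The following is an added example, not part of the original policy document: a small Python model of how the controls in sections 4.2 to 4.5 could be enforced by the login program. The "letters plus digits" complexity rule, the 30/90-day reading of "monthly" and "every 3 months", and all function and field names are assumptions chosen to match the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# 4.3: system-level accounts change monthly, others every 3 months (assumed as days).
MAX_AGE_DAYS = {"system": 30, "user": 90}
# 4.5: only three consecutive attempts are allowed.
MAX_FAILED_ATTEMPTS = 3


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the password history (4.3) never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_acceptable(password: str) -> bool:
    """4.2 (assumed rule): alphanumeric with at least one letter and one digit.
    'Xk1As7' passes; 'jonhdoe' and 'secret' fail because they contain no digit."""
    return (password.isalnum()
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    user_id: str
    kind: str                                    # "system" or "user"
    history: list = field(default_factory=list)  # (salt, digest) of every past password
    set_on: Optional[date] = None                # when the current password was set
    failed_attempts: int = 0                     # consecutive failures (4.5)
    locked: bool = False
    session_machine: Optional[str] = None        # 4.4: at most one machine at a time
    last_login: Optional[date] = None            # 4.5: reported back at the next login

    def matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)


def set_password(acct: Account, new_password: str, today: date) -> str:
    """4.2 + 4.3: reject weak passwords and any password ever used on this account."""
    if not is_acceptable(new_password):
        return "rejected: must mix letters and digits"
    if any(acct.matches(new_password, e) for e in acct.history):
        return "rejected: password was used before"
    salt = os.urandom(16)
    acct.history.append((salt, _digest(new_password, salt)))
    acct.set_on = today
    return "ok"


def password_expired(acct: Account, today: date) -> bool:
    """4.3: periodic change, with a shorter period for system-level accounts."""
    return acct.set_on is None or (today - acct.set_on).days > MAX_AGE_DAYS[acct.kind]


def login(acct: Account, password: str, machine: str, today: date) -> str:
    """4.4 (single session) and 4.5 (three strikes, then CIS clearance required)."""
    if acct.locked:
        return "locked: obtain clearance from CIS to set a new password"
    if not acct.history or not acct.matches(password, acct.history[-1]):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked: obtain clearance from CIS to set a new password"
        return "denied: bad password"
    if password_expired(acct, today):
        return "expired: a new password is required"
    if acct.session_machine not in (None, machine):
        return f"denied: already logged in at {acct.session_machine}"
    acct.failed_attempts = 0
    previous, acct.last_login = acct.last_login, today
    acct.session_machine = machine
    return f"ok: last login {previous}"


def clear_lockout(acct: Account) -> None:
    """4.5: CIS clearance unlocks the account but forces a fresh password."""
    acct.locked = False
    acct.failed_attempts = 0
    acct.set_on = None  # password_expired() stays true until set_password() runs


def logout(acct: Account) -> None:
    acct.session_machine = None


def run_scenario() -> list:
    """Walk one constructed system account through every rule; returns the status strings."""
    acct, d = Account("jdoe", "system"), date(2024, 1, 2)
    out = [set_password(acct, "secret", d), set_password(acct, "Xk1As7", d),
           set_password(acct, "Xk1As7", d)]                       # weak, ok, reuse
    out += [login(acct, "wrong", "pc-1", d) for _ in range(3)]     # denied x2, locked
    out.append(login(acct, "Xk1As7", "pc-1", d))                   # still locked
    clear_lockout(acct)
    out.append(login(acct, "Xk1As7", "pc-1", d))                   # expired after clearance
    out.append(set_password(acct, "Qp9Zt2", d))                    # ok
    out.append(login(acct, "Qp9Zt2", "pc-1", d))                   # ok
    out.append(login(acct, "Qp9Zt2", "pc-2", d))                   # concurrent denied
    logout(acct)
    out.append(login(acct, "Qp9Zt2", "pc-2", date(2024, 2, 10)))   # 39 days: expired
    return out
```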
Data Communications Policy
Modems
Policy: Except for modems used by traveling salesmen (see the next policy),
on-site modems should be call-back modems located in a centrally administered
modem pool connected to a firewall. The call back phone list should be
short and verified. Discontinued or temporary numbers must be removed.
Justification: Unauthorized entry would have to come from just a few verified
phone numbers, not just anywhere.
No Firewall Bypasses
Policy: No electronic communication unit (i.e. modems, Internet connections) that is accessible from outside the company shall be able to physically bypass the firewall(s).
Justification: "Back door entrances" that bypass the firewall entrances (such as modems in network-connected desktop PCs behind the firewall) can render the security and logging
systems useless.
Downloading
Policy: Downloading of most files from the company to outside computers
(and large files in particular) must have the prior, electronic authorization
of the security department or will be disallowed by the firewall. The firewall
will have a list of files that are known to be unsecured (i.e. from the
PR department) and can be downloaded by anyone but other files will be
disallowed. It is the job of the firewall to spot and prevent attempts
to copy files and download the copies.
Justification: A request to download a big file is an inherently risky and suspicious request. It is impractical to control files after they have been downloaded to outside computers. Even assuming that the user really is "legitimate," the download computer may or may not secure the file adequately. In general, most of the PR department approved files for the public will be relatively short.
Remote Editing
Policy: Real-time (immediate) requests to delete or edit critical files
must be made from within the firm, never from the Internet or offsite locations.
If the real-time request originated from the outside (i.e. over a modem
or the Internet), our firewall should not permit such a request. Remote
edit requests should be accumulated in an accumulation file and later processed
only after adequate scrutiny (e.g. people filling out an Internet browser
form to change their phone number listing).
Justification: While improper browsing violates our privacy policies,
data integrity is central to corporate survival. There is no way to be
truly sure that the remote user really is who he claims to be and so remotely
editing critical data is never really secure.
Requests for information
Policy: Personnel receiving requests for company news should refer the question to the firm's legal department without comment. This includes, but is not limited to, requests for news or comment by journalists and stock analysts. Even casual "cocktail party" talk about not-yet-released company news is a policy violation and will subject the violator to discipline.
Note that once published by the firm, company news becomes public domain.
Justification: The legal department gives the firm a centralized place
specifically intended to deal with rumors, business news and the press.
Even if untrue, mishandled information can cause bad publicity, drops in
stock price and rumors that take on a life of their own.
Disaster Recovery & Backup Policy
General Disaster Recovery Plan Policy for Business Segments
1. Policy: Each of the four business segments within the Concordia Casting
Company shall be required to file a detailed Disaster Recovery Plan with
the home office in Fort Wayne, Indiana.
2. Rationale: As a result of different areas of the country being subject
to varying degrees of weather and more inclined to encounter certain natural
disasters over others, each business segment should develop its own Disaster
Recovery Plan specific to their region and needs.
3. Example: The detailed Disaster Recovery Plan filed by each of the four business segments would include such things as the back-up site location, the location of the off-site storage for back-up tapes, the names and titles of the crisis management team, the established rules for disaster drill testing, and any additional recovery procedures necessary to continue daily business activities.
Maintenance of Individual Disaster Recovery Plans by Business Segments
1. Policy: Each of the four business segments within the Concordia Casting
Company shall be required to continually monitor its environment and make
modifications to its Disaster Recovery Plan as necessary. Any such modifications
should be filed with the home office in Fort Wayne, Indiana on an annual
basis.
2. Rationale: As a result of changing economic conditions as well as
other environmental factors, modifications may be necessary to ensure the
Disaster Recovery Plan will be both effective and efficient on a current
basis.
3. Example: One of the four business segments is faced with road construction
leading to the selected back-up site location. This particular business
segment should develop alternate routes to the back-up site location or
select a new back-up site location. These changes should be filed with
the home office at the end of the year.
Location of Back-up Site as part of Disaster Recovery Plan
1. Policy: For any business segment within the Concordia Casting Company which utilizes a mainframe computer system, a separate and complete back-up site must be maintained at all times. This site shall be classified as a "hot-site" and shall meet the requirements thereof, including, but not limited to, a complete and functioning computer system as well as other office equipment necessary to continue daily operations, with the only information lacking being the back-up data.
2. Rationale: A segment which utilizes a mainframe computer system would
need to have a complete computer system separate from the segment's current
location in order to continue business in the event that the current system
is destroyed.
3. Example: One of Concordia's business segments requires the utilization
of a mainframe system to perform daily operations. This particular segment
would need a back-up site location equipped with a similar computer system
to ensure that daily business operations would not be brought to a halt
as a result of a disaster. This location would need to be completely functioning
with back-up data being the only link missing before business can be resumed.
Tape Back-up Policy
1. Policy: Each of the business segments within the Concordia Casting Company shall be required to perform daily tape back-ups of their computer system. Each segment shall be required to maintain two sets of tape back-ups. One set of back-up tapes shall be kept on hand at the segment's current location. The second set of back-up tapes shall be kept off-site at a separate storage location.
2. Rationale: As a result of each segment performing daily tape back-ups,
if any information is lost it can be restored within a minimal amount of
time. In addition, by requiring a separate and complete tape back-up set
to be maintained at an off-site storage location, if the tapes at the current
location are destroyed then the information can still be restored to a
separate computer system and downtime will be reduced to a minimum.
3. Example: One of Concordia's business segments performs a back-up
of all computer data at the close of each business day. One set of back-up
tapes is filed at the on-site storage location. The second set of back-up
tapes produced is taken to an off-site storage location on a daily basis
to ensure that one set of data is always readily available in the event
of a disaster.
Crisis Management
1. Policy: Each business segment of the Concordia Casting Company shall maintain a crisis management team consisting of a management lead and team members. The crisis management team shall document procedures to ensure an accurate and speedy recovery from a crisis. The team shall oversee the movement and procedures for conversion to the backup facility if necessary. Each member shall represent a key functional area of the Information Systems group. The management lead will be appointed by the manager of each informational business segment.
2. Rationale: Because business needs vary, each informational business
segment will have different requirements for its recovery plans and
procedures. These requirements are best defined by those with technical
knowledge of that particular business segment.
3. Example: The manager of the Eastern Regional Data Center appoints
the management lead of its own crisis management team. Each lead then selects
the crisis management team from the respective functional departments of
the information systems group, including, for example, representatives from
the network support team and the mainframe computing teams.
Disaster drills
1. Policy: The crisis management teams of each business segment will
implement a recovery plan testing program to ensure that the recovery procedures
are workable, that backup materials are available, and that training of personnel
takes place and is effective. Drills will be performed at least semiannually
to determine the adequacy of the recovery plans and procedures.
2. Rationale: In light of rapidly changing business and technology needs,
each business segment will need to adapt and maintain drills specific
to the technology it uses, whether it runs a mainframe
or a local area network.
3. Example: The crisis management teams will set up simulated system
crashes and measure the time taken to bring the systems back on-line. In
addition, the crisis management teams will evaluate vendor support and response
times.
Recovery Policy
1. Policy: Each business segment shall document and keep on file its system
recovery strategies, identifying the selected off-site storage facilities, vendors
for replacement computer services, recovery facilities, and procedures
for restoring the key parts of the business. Copies of these strategies
and procedural documents will be held at the home office in Fort Wayne.
2. Rationale: Alternative sources for computer services and off-site
storage need to be examined in advance so that the segment is in a state of
readiness if a disaster occurs. Specifically, alternative sources for data
processing, voice communications, data communications, and command centers
need to be documented in case current vendors cannot meet the preparedness
standards set forth by each business segment.
3. Example: It is plausible that a business segment could suffer a regional
disaster, such as a hurricane or tornado, that also disables its support
vendors. If such a disaster occurred, documents held at a geographically
separate site would be needed to provide the lists of alternative support
vendors.
Safeguards Design & Maintenance Policy
Safeguards
1. Concordia Casting is highly reliant upon its installed computing
technologies, and the information that they provide and store. Therefore,
safeguards must be in place to protect these systems at all times. Safeguards
shall address the risks of undesired disclosure, modification, and destruction
of information resources, whether accidental or intentional. The safeguards
shall also consider risks from both internal and external sources.
Risk Management Based Safeguard Design
1. Policy: Safeguard and security requirements must be risk-management
based. Safeguards and corresponding requirements must be determined using
cost-benefit analysis, not solely on the basis of minimum system requirements.
Additionally, the selection of safeguards must consider the costs of management
and administration. Risk management is the total process of identifying,
controlling, and eliminating or reducing risks that may affect data and
information resources. It includes the following:
A. Risk analysis (identify and analyze the risks)
B. Determination of the appropriate levels of resources necessary to protect the organization
C. Management decision to implement selected security safeguards based on the risk analysis, including accepting residual risk, if necessary
D. Effectiveness reviews.
Compatibility
1. Policy: Compatibility. Safeguards must provide measures and solutions
which are fully compatible with existing and anticipated organizational
hardware and software configurations. Proposed safeguards that would require
modification of installed systems may be considered. Such safeguards must
be accompanied by plans that detail all necessary system changes, including
the anticipated costs and ramifications of making those changes. Before
purchase and implementation, a safeguard that requires any change to existing
systems must be approved by the Organizational Security Management body
(which is outlined in the Personnel Policy section.)
Certification
1. Policy: Certification.
Certification primarily addresses software and hardware security safeguards, but may also consider procedural, physical, and personnel security measures employed to enforce organizational security policy. Comprehensive testing and evaluation of technical and nontechnical security safeguards will be used in support of the certification process. Such testing will establish the extent to which a particular system design and implementation meets
specified security requirements.
Safeguard Checklist
1. Policy: Safeguard Checklist.
An extensive checklist of technology-specific vulnerabilities and mediating
safeguards will be maintained. This checklist will act as a "living" document
relevant to current organizational technologies. The checklist must address
specific technical issues in at least 9 areas, formed by applying each of
the following three approaches:
A. hazard avoidance
B. hazard tolerance
C. hazard mitigation
to each of the following three technology areas:
I. computing hardware
II. electronic communications
III. data.
Safeguards & Decision Support
1. Policy: Safeguards & Decision Support.
A decision support system will be used to supplement analysis, design,
and maintenance of security safeguards. This system will augment human
professional security expertise in mapping probable vulnerabilities.
This page is maintained by Richard Baskerville