Case Discussion Questions

1. What is a security policy and why does an organisation need a security policy?

A security policy is a set of rules and processes that employees must follow when accessing or manipulating an organisation's network or data assets. These policies also document what to do if a security incident does occur. An organisation needs these policies to:

Establish a set of rules on how information security is approached.
Identify and prevent the compromise of a system and its information, such as misuse of data, networks and workstations.
Adhere to the organisation's ethical and legal responsibilities: legislation is in place to protect customers' data. If a company fails to abide by these responsibilities, it may be penalised in the form of a fine or a temporary ban on providing services, ultimately putting the services it provides at risk.
Engage employees: security is the responsibility of everyone within the company, from the end user and the Security Administrator to IT professionals.
Dictate who gets access to what: some employees will require higher-privileged access to the system than others. For example, an end user in an HR department will need access to HR resources but won't need access to User Account Control, whereas a Security Administrator may.

An example of one of these policies is a restriction on who can access which data, so that confidential data is not viewed by people who don't actually need to see it. This can be framed with the CIA Triad, which states the security requirements as confidentiality (sensitive data is obtainable only by those who are supposed to use it), integrity (data is altered only in a specified and approved manner) and availability (information is accessible when needed).

2. Come up with an example of your own of an issue which could be caused by missing security policies.
An issue that could occur as a result of a missing policy is unauthorised access by an individual through a company employee's account. This could happen when there is no policy documenting that passwords must be made strong through the use of unique characters and a certain length, and must be changed after a certain time period. The policy may look something like this:

"All passwords must be kept private and have a unique set of characters in order to make them less susceptible to attack. Passwords must also be changed every three months to avoid them being easily guessed, and mustn't be too similar to the previous password used. All passwords must contain at least one lower-case letter, one upper-case letter and a number to ensure that they are more unique."

This issue could lead to an individual masquerading as the employee in question and giving themselves access to the whole network and to any and all data that it holds. This would allow eavesdropping, or changing information to their advantage, putting the integrity of data at risk, and stealing data for their own personal gain.

3. What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why? (List at least 4 things; for example, how to handle delicate information.)

Security is the responsibility of everyone within the company. Any opportunity for a hacker to gain further knowledge of the security arrangements can lead to further opportunities developing. For example, if an employee writes down their password and leaves it at their desk, or throws it away in a non-confidential waste bin, the hacker could then try to snoop around and figure out their username. Usernames may be generic too (e.g. first letter of first name followed by surname), so if the hacker is aware of a few usernames, he may be able to work out that username and password combination.
A way of preventing this may be to use 2-Factor Authentication, as the hacker won't be able to sign in unless they also have the physical device used to authenticate the user.

Four basic things that should be explained to an employee about a typical security policy are:

How to properly maintain their ID and password, as well as any other account data.
How to respond to a potential security incident, intrusion attempt, etc.
How to use workstations and Internet connectivity in a secure manner.
How to properly use the corporate e-mail system.

The security policy should be explained to an employee before they are let anywhere near a system. Not knowing any of the rules and procedures and proceeding to access the system could lead to the network being compromised and important data being corrupted, all through an uninformed employee. The security policies could be covered before an employee even signs a contract, as this allows a potential employee to review what they are getting into and also shows how seriously the company takes its security protocols. A signature from the employee once they have read and understood the policy creates an agreement between the employee and the organisation that the policies will be followed.

After the initial explanation of the security policy, it should be reviewed with employees at regular intervals during their employment. This keeps the organisation's security policies fresh in employees' heads and again reaffirms how seriously the organisation takes them. An added benefit is that any newly introduced policies can be taught and enforced. To really check employees' knowledge, a test could also be given with a required pass rate.

4. Your organisation has an e-mail server that processes sensitive emails from senior management and important clients. What should be included in the security policy for the email server?
A security policy for an organisation's e-mail service should be thorough and apply to all employees at every level. There are many security errors, cost impacts and performance implications that can affect a company that has not properly thought through all scenarios. A security policy for this server should include:

Encrypting email for confidentiality. The sensitive nature of the emails sent through the server means that encryption should be applied to every message sent. This will stop eavesdropping across the network, especially when sending outside the organisation, where security could be more lenient.

Digitally signing email. Having employees use digital signatures provides authentication that the email is from the person who claims to have sent it. This reduces the chance that an employee will be caught out by a fraudulent email, as they will be looking for the signature. The procedure also creates a tamper-evident seal that will fail verification if an email has been changed in any way.

Emails only allowed to be sent to known associates of the organisation. The email server is set up for senior management and important clients, meaning that the email addresses used to contact them can be established as secure and any other email addresses can be treated with more suspicion. This policy can also be paired with restricting the sending of emails to and from personal email accounts, as these are unsecure.

Archiving email. All emails should be kept for a certain length of time before being deleted. This allows recovery of information and, in case any security incident does occur through the email system, it can be traced back. It also takes the load off the main email server, as archived emails can be stored cheaply on other servers.

Screening emails. All emails should be put through some sort of screening software to look for anything that could damage the organisation's network or reputation.
This could include swear words, malware or email addresses belonging to suspicious people.

Limiting the size of email. Limiting the size of all emails going through the server reduces the amount of storage needed and improves performance overall. It also reduces the likelihood of a denial-of-service attack, as without a limit, attackers can send emails with large attachments that use up all available resources on the server. Over time this will have a significant effect on cost, as fewer servers will be needed for storage purposes.

5. Read the UCL and Harvard university security policies [1, 2]. Compare and critique the policies, suggesting improvements/updates as appropriate.

Harvard University's security policy consists of 'Data Classification Levels', unlike UCL's security policy. Harvard University has taken the approach of classifying its data based on:

Level of sensitivity
Level of value
Level of criticality to the University

Classifying data in this way helps in developing baseline security measures to protect it. To the right, you will see the five different levels of data classification for Harvard University. The higher the level, the greater the required protection. Normally, data is classified into three different sensitivity levels/classifications:

Public data: this would be Level 1. This data is public because unauthorised alteration or disclosure of it would result in little or no harm to Harvard University.
Private data: this would cover Levels 2 and 3. This data, if disclosed or altered, could result in some harm. This data isn't public or restricted, and as such it makes sense to treat it as private data.

Both universities' security policies are divided into sections; however, Harvard University's security policies are all simply laid out, with each having a link to a more in-depth version of the selected policy that is split into separate sections describing the policy in regard to different scenarios (e.g. for users, for devices, for servers).
This allows a user to easily find and jump to a specific security policy they want to read up on and makes the security policies as a whole appear less wordy, whereas UCL has its security policies all listed in the same PDF file, with each section shown as lengthy paragraphs, which makes it difficult for someone to jump to a certain policy. I think UCL could benefit from having its security policy written up in a similar fashion to how Harvard University has written theirs.

At the end of UCL's security policy there is a revision table which lists all the changes/updates made to the document, including which section was edited, the date the change was made, and whether the change has been checked and approved. It also includes the latest date on which the document was checked for revision, the date of the next planned revision, and a list of committees/groups responsible for approving the changes made to the security policies.
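As an added worked example, not part of the original answers, the password policy quoted in question 2 (at least one lower-case letter, one upper-case letter and a number; changed every three months; not too similar to the previous password) can be turned into a validator that tells a user which rule a proposed password breaks. The minimum length, the 90-day rotation period and the edit-distance threshold used for "too similar" are assumptions, since the policy leaves those values unstated.

```python
# Validator for the password rules quoted in question 2 (added example).
# MIN_LENGTH, MAX_AGE and MIN_EDIT_DISTANCE are assumptions: the policy only
# says "a certain length", "every three months" and "not too similar".
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 12                  # assumption
MAX_AGE = timedelta(days=90)     # "every three months", taken as 90 days
MIN_EDIT_DISTANCE = 4            # assumption: required distance from the old password


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used here as the measure of 'too similar'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the rules the proposed password violates; [] means acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in new):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in new):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in new):
        problems.append("no digit")
    if previous is not None:
        # Case-insensitive so that changing only letter case is not a "new" password.
        distance = edit_distance(new.lower(), previous.lower())
        if distance == 0:
            problems.append("same as previous password")
        elif distance < MIN_EDIT_DISTANCE:
            problems.append("too similar to previous password")
    return problems


def rotation_due(last_changed: str, today: str) -> bool:
    """True once the password (dates as YYYY-MM-DD) is older than the rotation period."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE
```

The rotation check is separate from the complexity check because a password can satisfy every character rule and still be overdue for change.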