Security Program Design
Information security for any organization is a continuous process that requires a perfect design to ensure its effectiveness in protecting an organization’s information systems. Due to the ever-evolving technology, new security threats and risks arise every time. Without a proper plan, organizations can be victims of data breaches and information systems breakdowns. The security design for the security program at Data System Solutions will consider several components that will be included in the program. The design explains the important logical hardware, software, and operating systems that work together to secure the computer systems.
Stakeholders in the Security Program
It is impossible to develop and implement a security program without the support of the executive leaders in the organization. There is a variety of important stakeholders in the security program. The design of the security program should include the identification of major stakeholders and their responsibilities in the security program. For the security program at Data Systems Solution, the following stakeholder will be included in the program.
- Executive management. The success of any initiative in an organization depends on the support level by executive management. The participation of senior managers in the information security program is crucial to its growth and implementation. The senior management should be the driving force behind the implementation of security programs. Every policy in organizations requires support from corporate governance and information security policies are no exception. The top management is at the core of the development process of the program at Data Systems Solution.
- ICT specialists. ICT specialists play a crucial role in the development, implementation, and evaluation of security programs. The ICT specialists that will be involved with the security program include the system administrator, systems designer, IT department personnel, information security professionals, and technical computer specialists.
- Human Resources. Since all policies in the organization should meet standard organizational practices, the human resources need to be involved in the security program. The human resource will align security measures with organizational standards and practices. They will be responsible for training employees and ensuring they follow the laid down security regulations.
- Legal and regulatory. The primary reason for developing security programs is to protect organizations from individuals who want to exploit company resources. While doing so, individuals may break the law. Thus, the legal team will act to advise the organization to develop legally binding security policies. Again, the legal and regulatory team ensures that the security policies meet federal standards concerning the security and privacy of data.
- User community. An organization’s information systems are used by several users. Apart from the employees, some end-users use the systems to access company services and information. The security program will put in mind the security of end-users and the risks they pose to the company.
- Business unit representatives. The security program should be aligned to business objectives and goals of the company. The role of the business unit representatives is to ensure that important company resources are protected by the security program. They have a clear understanding of the vulnerable resources of the company.
- Public relations. The public relation team within the organization will be responsible for coordinating communication with the public in case of cyber-attack or data breaches. They have the skills to communicate disasters without hurting the company reputation.
Security Program Objectives
The process of defining the program objectives is a crucial step in the design of the security program. The objectives and goals will act as a foundation for evaluating the performance of the program. After the implementation of the program, it will be gauged to determine if objectives were met. Data Systems security program will have the following objectives which are based on the risks and vulnerabilities exhibited by the information systems:
The first objective is to protect the company’s information systems from unauthorized access by hackers and other malicious individuals. Unauthorized individuals can gain access to the system due to the weak authentication mechanisms currently in place. Secondly, the security program is expected to protect the company’s computer networks from malicious employees. Sometimes, employees can have negative intentions towards the organization and can intentionally erase important data from the computers or leak customer and sensitive company information to the public or competitors. Lastly, the program seeks to secure information systems from physical damage.
Security Measures
Since risks and threats come in different forms with different timings. The security measures that will be implemented by the program will be based on the type of risk. Some risks can be countered using more than one method. The following security measures will be implemented under the security program.
Access Control
Access management controls comprise all security mechanisms that limit access to an organization’s information systems. It regulates who is allowed to view or use resources in a computer network. The Data Systems Security program will implement two types of control access measures; logical and physical access controls.
- Physical Access Control
Allowing unauthorized people to physically access company premises can sometimes pose risks to company computers. People with negative intentions need to be kept away from the company buildings and other physical resources. In some cases, certain employees should be limited from accessing certain areas of the company, which are used to store data and hold computer networks hardware. To limit the access of unauthorized individuals, the company will deploy trained security personnel at the company’s entrance points. The security agents will open the gates for authorized people only and deny access to suspicious individuals. The company will also deploy electronically controlled access systems. The electronic systems will depend on user credentials, access card readers, auditing and reports to monitor access to restricted areas by employees and visitors. Access to data centres will be limited to only employees who work there and no outsider will be allowed to access them. All rooms within the company will have doors with locks so that those who work in specific rooms will be required to lock them whenever there is no one left in the office room. The main doors will be made of steel and will be manned by a security guard to monitor those who enter and leave the building. Surveillance systems will also be installed to monitor the movement of people within the company premises.
- Logical Access Control
Following the introduction of the physical access control measures, it is important to integrate them with logical control measures. Within a computer system, logical access control is required to restrict unauthorized individuals from viewing, using, and sharing computer resources. Logical access control is responsible for restricting access to information, processes, applications, and systems. Logical control measures are embedded inside operating systems, applications, and databases.
Authentication is one of the logical access control measures that will be enforced. Before accessing a computer or application in the computer, users will be required to provide a correct password. All employees will be assigned unique usernames and passwords. Password will control access to computers, databases and applications.
Apart from the security offered by passwords, the security program will also include the use of token authentication. This process will involve providing computer users within the company with security tokens. With the tokens, users are given numbers that change after a while. Applications will prompt users to give the token than compare it with internal mechanisms to ensure they are correct. If they are correct, users will be allowed to log in to the system or application.
Lastly, two-factor authentication will be used to provide extra security to computer systems. Two-factor authentication will be used for web-based employee’s accounts. Any login attempt using a different device will require the account owner to verify using a mobile phone or email. It will ensure workers do not access other employee’s accounts.
Training and Awareness
Awareness and training policy is another crucial component of the security program. Training and awareness aim to equip computer systems users with necessary information systems security requirements and responsibilities. The success of the security program greatly depends on the ability of users to work collectively to protect the computer networks. Although technical information security measures are vital in protecting computer systems, they cannot be efficient by themselves to protect the systems. The effectiveness of security measures requires awareness and full support of all employees.
A significant proportion of cyber-attacks and data breaches are as a result of careless or malicious employees. The majority of employees think that the security of data and computer networks is the responsibility of personnel in the IT department. In reality, it is the responsibility of all employees to secure computer networks in the organization. Hackers capitalize on small mistakes by employees to cause damages of great magnitude. For example, employees who share their office passwords with friends or family expose the company to unauthorized access to its computer systems. Again, using public Wi-Fi to access web-based company accounts can also expose the company to hackers.
The importance of awareness and training programs is to instil workers with a culture of responsibility towards protecting computer systems in the company. Everyone should be part of the security process. The awareness policy imposes a security obligation on all staff. It equips employees with ways to identify risks and how to respond proactively to prevent attacks. It also outlines the important steps that should be undertaken in case of an emergency. The awareness training will be done using e-mails, computer-based training, notices, and posters. Since new threats emerge every time, awareness and training will be continuous processes. All new employees will be required to undergo information security induction classes. The continuity of the training process serves to maintain consistent levels of awareness. All employees will be required to complete certain hours of training every year. The awareness policy will also include motivating employees to fulfil their security obligations in the company. The security program will deploy a system that evaluates the compliance of employees to set security measures.
Cryptography
Commonly, data and information need to be transferred from one user to another in the organization. In the world of internet, most transfers are done using the internet. Despite the use of authentication, data in transit can be accessed by unauthorized persons. To prevent such a case happening, data encryption and decryption is necessary to protect the data. All the data that need to be transferred in the company should be encoded. Data in storage should also be encoded. The encryption process ensures that unauthorized people cannot read the data even if they manage to access them. All computers will be equipped with programs designed to encrypt and decrypt data. The company will employ the public key encryption method since it’s simple and secure. With the encryption process, data under transit and in storage will be secure. Data can only be read and understood by the right people who have the private key which allows them to decrypt the data.
Firewalls
Firewalls protect information systems against intrusion by hackers. Since most of the functions of the information systems happen over the internet, firewalls will be essential for preventing unauthorized people from access the networks. Firewalls examine incoming and outgoing electronic data in the network and compare every request to set rules and allows request that meets the rules while denying those that do not meet standards. It then prevents suspicious requests. It is important in protecting against worms.
Additionally, firewalls control the type of information that is sent out from company computers. Information that is classified confidential is prevented from being transmitted without authentic permission. Identity theft is also prevented using firewalls.
Anti-viruses
Antiviruses will be installed in the computer systems of the Data Security Solution Company. The antiviruses will scan data files, applications, and programs for malware and computer viruses. Files that are suspected to be containing viruses are shielded from entering the computer systems and those that are already within the system are deleted. Since hackers are constantly at work to enhance their hacking technologies, antiviruses need to be updated frequently to ensure they can detect and prevent new viruses.
Virtual Private Network
VPN will be used in the company to allow secure connections. The VPN is essential for creating a secure connection between the company’s computer networks and other networks over the internet. With the VPN in place, internet privacy is guaranteed. The VPN encrypts connections and protects private online activities.
Backups
Although the security measures can work well to prevent data loses, unauthorized access, and data breaches, data loses might sometimes occur. In the case of data breaches and loses, the company should have a way to recover lost data. Backups allow the company to retrieve lost data and original files in case the computer network is attacked and files corrupted. The company will install backup systems and instil a culture of regular backup of data and processes among all employees. Data that will be backed up using removable storage devices will be encrypted to ensure they are not usable in case the disks are stolen. Cloud-based backups will also be used in the security program.
Physical security Against Natural Disasters
Natural disasters come about without a warning. They can cause severe damage to company information systems. There is a need to have security measures that can help avoid or reduce the impacts of natural disasters when they happen. Data Systems Solutions will put in place the following measures to deal with natural disasters.
First, the company will always back up data and process. The backup will ensure that data can be retrieved even after a disaster happens. Secondly, the organization is creating a recovery plan that will be deployed after disasters. There will be different recovery plans depending on the nature of the disaster. Adequate firefighting equipment will be installed within the company premises to be used in case of a fire breakout. Power drops and blackouts can cause data to lose. To avoid data loses due to blackouts, power backups will be installed and employees will be encouraged to have a culture of backing up data frequently.
Data Classification Policy
For effective data protection, the data should be classified based on its importance and sensitivity. By classifying data, it will be easy to determine who access certain types of data. Data will be classified into three groups. The first group will be restricted data, which is very crucial for the survival of the company. Unauthorized access to restricted data has a high-risk level. Highest levels of security controls should be applied to protect the data.
The second category of data is private data. Disclosure of such data has a moderate risk level. The data will be protected using moderate security controls. The last group of data is public data, which can be disclosed to the public without causing any negative impacts on the company.