Information Security Policy and Risk Assessment


With the increasing scope of operations at Construction Company UK (CCUK), it is becoming increasingly important to implement company policies that streamline the execution of organizational activities. In the context of CCUK, there is a pressing need for policies on network security, because the network is a vital element of the company's operations, both at the level of overall management and at the operational level.

The network security policy at CCUK aims to set out clear roles and responsibilities for the company's network security personnel. The policies should also set out the direction to be followed and the commitment required from the various personnel within the organization. In general, network security policies serve as an information management strategy that plays a significant role in the organization (Christos 2007).

The network security policy is therefore an integral component of the corporate information security policy, which sets out the company's values and principles regarding the security of its information. An important feature of an information security policy is that it should be supported by specific standards and procedures. This paper outlines the network security policy to be implemented at CCUK, with the main objective of streamlining the execution of the company's operations and fostering information security (McCabe 2007).

Current Risk Assessment at the CCUK

Risk assessment is an important stage in the implementation of the policies, since it provides the justification for the organizational policies being stipulated. In the context of CCUK, network security is an integral element of the overall company structure, from top management down to lower-level management and the external entities that have a direct or indirect impact on the company (Clarke 2001). The risks associated with the lack of proper network security strategies in the company are outlined in the following section.

The first risk associated with the lack of proper network security policies is the loss of integrity of the organization's information. Protecting company information is the responsibility of CCUK's corporate governance. This implies that the company should implement network security policies that set out the duties and responsibilities of personnel within the organization. Access to the company's information is an important organizational activity that should not be exposed to problems such as loss of information integrity and insecure data access methods (EC-Council 2010).

The second risk the company may face as a result of network insecurity is management disruption. CCUK relies heavily on its network to administer company operations and record keeping, and changes to its databases are made over the network. Information security is therefore an important concern for the organization: if the company fails to implement appropriate network security strategies and policies, the management of its operations will be significantly affected. In addition, persistent network insecurity will hinder overall productivity at CCUK (Frye 2007).

The third probable risk arising from a lack of network security is the loss of data and information. With the ever-increasing number of external malicious hackers and internal network users, the absence of effective network security policies and strategies creates a risk of losing information that the company regards as highly confidential. Leakage of such information will damage the publicity and corporate image of the company, since it will expose information that should never have reached the public.

The fourth risk CCUK may face owing to the lack of effective network security policies and strategies is a reduction in overall productivity, profitability and efficiency in the execution of the company's operations. This is because the effectiveness of the company's management and operational practices relies heavily on the information technology infrastructure deployed at the company. Any threat to the security of the IT infrastructure and its applications impedes the effectiveness of the organization, which in turn affects the productivity and profitability of the company.

In addition, keeping pace with the competitive nature of the UK construction market requires up-to-date management and operational practices integrated with information technology. This underlines how significant network security policies are to the organization, and implies that failure to implement effective network security policies poses a great risk to the effectiveness and overall productivity of the company (Harrington 2005).

Another risk that may affect CCUK if proper network security policies are not implemented is that key stakeholders, and other individuals who play a significant role in the daily running of the company, will lose trust in the company's ability to maintain the credibility and confidentiality of their information.

For instance, details of employees and their respective salaries may leak, which will in turn affect the relationship between the company and the people who are vital to its existence (Hummel 2009). In addition, any confidentiality breach resulting from ineffective network security policies may expose the company to legal action, which may ultimately affect its credibility and its relationship with both external and internal stakeholders. Such a tainted relationship does not provide a good environment for fostering the company's growth.

An overview of the above risks shows that information security is vital to the success of the company. One of the company's urgent requirements is therefore the implementation of network security policies and strategies aimed at fostering information security and reducing the risks that may hinder the company's growth (Hazel 1997). The network security policies to be implemented are thus justified, and they aim to ensure that the company does not fail to realize its goals and objectives because of ineffective network and information security policies (Dhillon 2001).

Scope of the network security policies

The scope of the policies identifies the members of the organization who will be affected by the implementation of the network security policy, and describes the context in which the various parties will be affected (Hurst 2008).

The network security policies will affect almost every member of staff in the company, because every member has a desktop computer that uses network applications such as the Cisco voice system. Staff members will have to adhere to the network security policies during their working hours, and particularly whenever they use applications that rely on the network. The policy will also apply to the engineering staff in the field, because their laptops have BlackBerry services through which they access their work e-mail; for them the policies apply during working hours, and especially while they are using network services such as work e-mail (Landoll 2011).

The policy will also apply to the top-level management of the company. Top-level managers will make sure that staff members follow the network security policies at all times, and should lead by example in accepting the implementation of the policies (Maiwald 2003).

The information security managers and network personnel of CCUK will also be affected by the policies, mostly during their routine checks of the company's network to determine its overall security level. The information and network security team will also be responsible for carrying out the implementation of the network security policies at the company (Singh 2009).

Legislations and regulations applicable

This section describes the legal and regulatory issues that may arise during the implementation of the network security policies. There will be regulatory procedures governing the implementation of the policies, and failure to comply by any of the affected parties will result in the consequences set out in the network security policies. Full support from the executive board and the management team is therefore required during the implementation (Tipton 2009).

It is of the utmost importance that the affected staff members consider the importance of the network security policy, both to the organization and to themselves. Their cooperation is required in order to realize the goals and objectives of the implemented policies (Wim 2002).

Roles and responsibilities

The roles and responsibilities applicable during the implementation of the network security policies should be in line with the scope of the policies. The following are the proposed roles and responsibilities under the network security policy.

The CCUK executive board has the responsibility of ensuring that the implementation of the network security policies is effectively managed. Under the board's oversight, the manager in charge of network security at CCUK has the following responsibilities:

  1. Developing and maintaining the network security policies and strategies.
  2. Making sure that the network security policy is properly documented, with detailed instructions to be followed during its implementation.
  3. Making sure that the documented policy is kept up to date and remains relevant to the business requirements of the organization.
  4. Making sure that the implemented policy and any subsequent updates are relevant, and that the relevant departments are informed of policy updates.

In addition, all staff members have the responsibility of adhering to the network security policy, and must report any network security breach to the network security manager.

Policy statements

Network security is one of the essential elements that determine the effectiveness of a computer network, whether the controls are physical or logical, and it forms the basis of network reliability and stability (Slay & Koronios 2006). Network security is primarily implemented to counter threats such as denial of service, unauthorized access and confidentiality breaches. Effective network evaluation techniques should therefore be deployed to determine the level of network security and the network's vulnerability to potential threats.

Effective approaches to controlling security breaches currently include the use of network intrusion detection systems and the use of ethical hacking techniques to investigate how well the network can identify potential threats and whether appropriate controls are in place (Kenyon 2002). With respect to this, the following network policy statements are to be implemented at CCUK.

Network vulnerability testing and penetration testing

In order to enhance the reliability and reduce the vulnerability of the CCUK network, the information and network security department has the responsibility of carrying out a vulnerability analysis of the CCUK network on a bimonthly basis using network penetration testing tools (Meyer 2003). The main objective of penetration testing tools is to evaluate the vulnerability of the computer network. Problems concerning network security can be categorized into four basic areas: authentication, confidentiality, non-repudiation and integrity (Deal 2008).

The above concepts are imperative in determining how effectively a computer network handles the various network threats. In its broadest sense, authentication involves determining who has access to a computer network and its resources. Penetration testing simulates a potential attack by malicious software or an attacker, targeting either hardware or software (Peltier 2005).


Authentication and access control

Controlling access to network resources is an integral element of ensuring network security. Authentication servers make sure that only the required personnel have access to network resources, according to the rights granted to them on the basis of their duties and responsibilities within the company. In this regard, the following authentication rules are to be implemented in the CCUK network, with the main objective of ensuring network security (Bordetsky & Hayes-Roth 2007).

  1. The IT department and the network security personnel of CCUK have full rights of access to the network, but only for legitimate purposes, which in this case means monitoring the network and deploying appropriate network security measures.
  2. Staff and employees will only be allowed to access the company's network resources, such as the CCUK Ethernet, from within company premises and business locations. Login names and authentication passwords will be issued to protect the confidentiality of their information. The policy strictly prohibits telecommuting, unless the employee uses secure access points identified by the information and network security department.
  3. The executive board and top-level managers have the responsibility of ensuring that staff adhere to this policy, and should take appropriate action against employees reported to be violating the authentication rules.
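The three rules above can be written down as a deny-by-default access decision, which makes it easy to see what each rule actually permits. The following is an added example written for this document; it is not code from CCUK's systems. The address ranges, role names, resource names, the "purpose" field and the audit log are all assumptions made for illustration.

```python
"""Deny-by-default access decision for CCUK network resources.

Added example, not part of the original policy document. The address
ranges, role names and resource names below are assumptions made for
illustration; CCUK's real addressing plan and directory roles are not
stated in the policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed on-premises ranges (hypothetical head office and site office LANs).
PREMISES_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),   # head office
    ipaddress.ip_network("10.20.0.0/16"),   # site offices
]

# Assumed "secure access points" identified by the security department,
# e.g. the address pool handed out by a company VPN concentrator.
APPROVED_REMOTE_NETWORKS = [ipaddress.ip_network("172.16.50.0/24")]

# Role -> resources that role may reach (hypothetical names). Anything
# absent from this table is denied, so the default is least privilege.
ROLE_PERMISSIONS = {
    "staff":    {"ethernet", "email", "file-server"},
    "engineer": {"email"},                      # field engineers: e-mail only
    "netsec":   {"ethernet", "email", "file-server", "monitoring", "core-switch"},
}

# Roles whose broad access must be justified by purpose: every decision for
# them is written to the audit trail so "legitimate purposes" can be reviewed.
PRIVILEGED_ROLES = {"netsec"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    source_ip: str
    resource: str
    purpose: str = ""        # free-text justification, required for privileged roles

@dataclass
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG: List[str] = []

def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)

def _record(req: AccessRequest, decision: Decision) -> Decision:
    """Append an audit line; management (rule 3) reviews the denials."""
    AUDIT_LOG.append(
        f"{'ALLOW' if decision.allowed else 'DENY'} user={req.user} role={req.role} "
        f"src={req.source_ip} resource={req.resource} reason={decision.reason}"
    )
    return decision

def decide(req: AccessRequest) -> Decision:
    """Evaluate one request against the policy. Nothing is allowed unless a
    rule explicitly permits it."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return _record(req, Decision(False, "malformed source address"))

    permitted = ROLE_PERMISSIONS.get(req.role)
    if permitted is None:
        return _record(req, Decision(False, f"unknown role {req.role!r}"))
    if req.resource not in permitted:
        return _record(req, Decision(False, f"role {req.role!r} may not use {req.resource!r}"))

    # Rule 1: privileged staff have wide access, but only for a stated,
    # reviewable purpose (monitoring, deploying controls).
    if req.role in PRIVILEGED_ROLES and not req.purpose.strip():
        return _record(req, Decision(False, "privileged access requires a stated purpose"))

    # Rule 2: access only from premises, or through an approved secure
    # access point; any other origin is telecommuting and is refused.
    if _in_any(ip, PREMISES_NETWORKS):
        return _record(req, Decision(True, "on premises"))
    if _in_any(ip, APPROVED_REMOTE_NETWORKS):
        return _record(req, Decision(True, "approved secure access point"))
    return _record(req, Decision(False, "remote access from an unapproved network is prohibited"))

if __name__ == "__main__":
    for r in [
        AccessRequest("alice", "staff", "10.10.4.20", "file-server"),
        AccessRequest("bob", "engineer", "203.0.113.9", "email"),
        AccessRequest("carol", "netsec", "10.10.1.5", "core-switch", purpose="monthly config audit"),
    ]:
        decide(r)
    print("\n".join(AUDIT_LOG))
```

Two caveats follow from the rules themselves. Rule 1's "legitimate purposes" is a matter of intent that no access check can verify, so the example only forces privileged users to state a purpose and records every decision for review. Rule 2 is only as strong as the source address it inspects: the check must be fed the address seen by the VPN gateway or switch that authenticated the session, never a value the client supplies itself.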


Incident reporting and response

The timeliness of an information system depends on the ability of the various parties to respond to, or prevent, incidents involving confidentiality breaches. In this regard, every staff member of CCUK who uses the services provided by the network has the responsibility of reporting such incidents to the information and network security department. The department then has the responsibility of taking appropriate corrective action, while the executive board has the authority to enforce the consequences that an individual must face for actions that lead to privacy and confidentiality breaches. Timely response will be implemented through the following processes:

  1. Establishment of an incident response desk at CCUK, through which staff members can report confidentiality breach incidents.
  2. Creating awareness of the serious consequences faced by parties involved in confidentiality breaches.
  3. Development of multiple authentication steps as one progresses to higher information security levels. For instance, access to the company's server room will require more than one authentication step.
  4. Development of password systems that are less susceptible to current password cracking methods. Staff members are liable in any case that involves disclosure of their authentication credentials to other people.
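Item 4 asks for password systems that resist current cracking methods. The practical content of that requirement is how passwords are stored: a fast unsalted hash can be attacked offline at billions of guesses per second from a leaked table, whereas a per-user salt and a deliberately slow key derivation function make each guess expensive and each user's hash unique. The following added example, written for this document and not taken from the policy or from CCUK, shows the weak pattern beside the recommended one and a minimal acceptance check for new passwords. The iteration count, the minimum length and the small banned-password list are assumed values.

```python
"""Password storage that resists offline cracking (policy item 4).

Added example, not from the original policy. Shows the weak pattern (one
fast, unsalted hash) beside the recommended one (per-user random salt,
slow PBKDF2-HMAC-SHA256, constant-time comparison), plus a minimal
acceptance check for new passwords. The iteration count, the minimum
length and the banned-password list are assumed values.
"""
import hashlib
import hmac
import os
from typing import List

PBKDF2_ITERATIONS = 600_000   # assumed; raise as attacker hardware gets faster
MIN_LENGTH = 12               # assumed policy minimum
# Assumed stand-in for a breached-password list; a real deployment checks
# against a large corpus, not a handful of strings.
BANNED = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}

def weak_hash(password: str) -> str:
    """What not to do: identical passwords give identical digests, and an
    attacker can try billions of guesses per second against a leaked table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt is drawn unless one is supplied (for tests)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so response timing does not leak how many bytes matched.
    Any malformed or foreign record fails closed."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def password_problems(password: str, username: str) -> List[str]:
    """Return the policy rules a proposed password breaks (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if password.lower() in BANNED:
        problems.append("appears in the banned-password list")
    return problems

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(password_problems("short", "alice"))                       # ['shorter than 12 characters']
```

Because the iteration count is stored with each record, it can be raised later and old records re-hashed at the user's next successful login without a mass reset. The same pattern applies if CCUK later moves to a memory-hard function such as scrypt or Argon2: the algorithm tag in the record tells `verify_password` which derivation to run.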

Corporate governance and information security

Information security is one of the major responsibilities of the executive board and top-level management (Zhang 2002). The executive directors therefore have the responsibility of ensuring that information security is an integral part of the company's corporate governance. In this context, the executive board and top management have to ensure that the deployment of network security policies and strategies fosters the realization of the company's business goals and objectives and poses minimal risk to the execution of the company's activities (Hawker 2000). The following outlines the role that corporate governance should play in ensuring an effective network security policy.

  1. The policy should mitigate the risks identified by the company's management.
  2. The policies must be in line with the business objectives.
  3. The network security policy should maximize the company's value to its stakeholders.
  4. The policies should comply with regulation and be based on internationally accepted standards and current business practices.

Physical security

Physical security is an important aspect of network security. The CCUK security personnel therefore have the responsibility of ensuring adequate physical protection for the hardware that is vital to the company's information system, such as network equipment and file servers. In addition, access to network facilities will be restricted (Dhillon 2007).

Contingency plans

The information and network security department of CCUK has the responsibility of ensuring that critical processing is completed within the required time scale. The disaster recovery plan for the company's network shall specify the frequency and the types of network security testing to be carried out, so that the various parties in the company know what is required of them to ensure network security (Senior 1997).

Network security strategies

The information and network security department has the responsibility of implementing the technical network security strategies. The department must deploy network-hardening measures such as firewalls and router access controls within the company's network. Other vital strategies include encryption, backing up important company information and adopting secure network standards (Tamara 2005).

Human Resource commitment towards network security

The effective implementation of any company policy depends on the commitment of the staff, from top-level management to lower-level staff members. Technical measures such as firewalls and encryption are not effective unless the company's staff show commitment to using them properly. The staff members of CCUK are therefore required to demonstrate their commitment to the realization of network security for their company (Lacey 2009).


References

Bordetsky, A. & Hayes-Roth, R., 2007, Extending the OSI model for wireless battlefield networks: a design approach to the 8th layer for tactical hyper-nodes, International Journal of Mobile Network Design and Innovation (IJMNDI), vol. 2, issue 15, pp. 5-12.

Christos, D.,2007, Network security: current status and future directions, New York: John Wiley and Sons.

Clarke, S., 2001, Information systems strategic management: an integrated approach, London: Routledge.

Deal, R., 2008, Cisco Certified Network Associate study guide (exam 640-802), New York: McGraw-Hill Professional.

Dhillon, G., 2001, Information security management: global challenges in the new millennium, Hershey, London: Idea Group Publishing.

Dhillon, G., 2007, Principles of Information Systems Security, New York: John Wiley and Sons.

EC-Council, 2010, Network Defense: Security Policy and Threats, New York: Cengage Learning.

Frye, D., 2007, Network security policies and procedures, London: Springer.

Harrington, J., 2005, Network security: a practical approach, New York: Academic Press.

Hawker, A., 2000, Security and control in Information systems, New York: Routledge.

Hazel, K., 1997, Good practice in risk assessment and risk management 2: protection, rights and responsibilities, Washington: Jessica Kingsley Publishers.

Hummel, S., 2009, Network Design Process – Effective Network Planning and Design. Web.

Hurst, N., 2008, Risk assessment: the human dimension, New York: Royal Society of Chemistry.

Kenyon, T., 2002, High-performance data network design: design techniques and tools. New York: Digital Press.

Lacey, D., 2009, Managing the human factor in information security, New York: Wiley.

Landoll, D., 2011, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessment, New York: Taylor & Francis.

Maiwald, E., 2003, Fundamentals of network security, New York: McGraw-Hill Professional.

McCabe, J. D., 2007, Network analysis, architecture, and design. San Francisco Calif: Morgan Kaufmann.

Meyer, M., 2003, Mike Meyers’ A+ Guide to PC Hardware, New York: McGraw-Hill Professional.

Peltier, T., 2005, Information security analysis, Boca Raton, Fla: Auerbach.

Senior, B., 1997, Organizational Change, New York: Pearson Inc.

Singh, P., 2009, Network Security and Management, New Delhi: PHI Learning Pvt. Ltd.

Slay, J. & Koronios, A., 2006, IT security and risk management, Milton, Qld: John Wiley.

Tamara, D., 2005, Network+ Guide to Networks, Boston: Cengage Learning.

Tipton, H., 2009, Information Security Management Handbook, Volume 3, New York: Taylor and Francis.

Wim, G., 2002, Information systems evaluation management, London: Idea Group Inc (IGI).

Zhang, L., 2002, Network design, London: Springer.
