According to Ben-Ari & Dolev (2011), computer security is a major concern for organizations worldwide, especially as the number of vulnerabilities that networked systems are exposed to keeps growing. It is therefore important for an organization's security administrators to provide guidelines that inform users how to use computers safely and how to protect the organization's databases from unauthorized access. Every security administrator should thus establish policies and guidelines governing computer activities at the organization. All policies and guidelines need to be aligned with the national standards set by the various regulating bodies. This handbook provides procedures and guidelines for the Security Administrator and the database users at New Eden Technologies. It gives guidelines on the development and maintenance of a safe computing environment and on the policies that govern users' activities in that environment.
Network Architecture and Security Considerations
The architecture of the network used at New Eden Technologies will be driven by the need to support effective communication and storage of data. As a technical institution, New Eden Technologies will use current, commercially available networking technology.
The Security Administrator will ensure that the network delivers maximum utility while providing security designs that keep communication secure (Ben-Ari & Dolev, 2011). The network architecture will follow existing best practices in network configuration, such as the relevant IEEE networking standards. The Security Administrator will be responsible for keeping abreast of prevailing best practices in security management and for advising New Eden Technologies on the best security systems available in the market. As part of this responsibility, he/she will work with networking industry partners to provide New Eden Technologies with up-to-date security systems for its data.
The Security Administrator will be responsible for designing a considered security layer, particularly in the areas of network identity, IPsec VPNs and denial-of-service mitigation procedures. Similarly, the administrator will understand the security design considerations that apply to commonly exposed network services such as DNS, e-mail and web servers.
The Security Administrator will be responsible for evaluating existing technologies for the management and use of wireless devices. At New Eden Technologies, IEEE 802.11 wireless LAN technology shall be used, with client devices such as laptops and smart phones connecting through access points (APs) to a distribution system, typically the organization's wired network infrastructure. Wireless switches will be considered as intermediaries between the access points and the distribution system (Ben-Ari & Dolev, 2011). The system will have standardized security configurations for common wireless LAN components, including client devices and access points. Consideration will be given not only to the wireless components themselves but also to how they affect the security of the components they connect to. A strategy shall be implemented to isolate internal wireless components from external ones, since unrestricted interaction can expose information to devices that are not authorized to access the system.
The Security Administrator will formulate policies stating which forms of dual connection (a client device connected to the organization's wireless network and to another network at the same time, for example a wired LAN or a cellular hotspot) are admissible in the wireless environment and which are not, together with the security controls used to enforce those policies. The Security Administrator will ensure that client devices and access points in the wireless environment are always configured in conformity with the current wireless security policies. Furthermore, the Security Administrator will be responsible for both attack monitoring and vulnerability monitoring of client devices and access points on the wireless network.
Remote Access Security
Remote access security shall be overseen by the Security Administrator at New Eden Technologies and will focus on solving the specific business need that remote access is meant to address. The Security Administrator is responsible for allocating remote access rights to individuals according to the type of work they do. Before remote access is implemented, certain factors will be assessed, including the measures taken to encrypt the connection against eavesdropping and the security of any terminal emulation used (Tipton & Nozaki, 2011). The administrator will be responsible for ensuring that data sent between communicating devices in a remote session is encrypted, so that intercepted data cannot be read.
The administrator will also be responsible for ensuring that remote access is granted securely and works reliably. He/she will carefully evaluate each employee's need to connect remotely before granting access rights. Remote access will be granted only where there is a genuine need to access the network remotely.
Since not all users need access to all resources, the Security Administrator will implement permissions that give different users different levels of remote access. The Security Administrator will also control access through the remote access policy, which denies or allows access to specific users.
The remote access security controls will also limit the number of users that can log into the system concurrently and regulate the length of time a user may remain connected remotely. This helps control the use of the organization's resources.
Laptop and Removable Media Security
Laptops and other approved removable media may be used to store and transfer information for convenience. They may hold sensitive information that could harm the organization if it fell into the hands of unauthorized people. All laptops and removable media shall be in the care of their respective users, and any loss will be attributed to the user concerned. Additionally, laptops must be encrypted to protect the information they hold in case of theft or loss (Newman, 2009).
Laptops and other removable media shall be used only after certification by the organization and only for the specified purposes. The laptops and removable media must be securely encrypted and centrally managed. Encryption shall follow a policy that guarantees safe transfer of sensitive and confidential information without risk of exposure. The encryption software used on laptops shall be approved by the organization and conform to the standards set by the national regulating body (Tipton & Nozaki, 2011). In general, the security of laptops and removable media shall provide the following:
- Easy encryption and decryption of data without the need for an installed client
- Access to encrypted data from trusted access points
- Transparent management of security policies
- Easy sharing of encrypted data among staff
Vulnerability and Penetration Testing
Vulnerability assessment and penetration testing are distinct activities: a vulnerability scan enumerates known weaknesses, while a penetration test attempts to exploit them to demonstrate their impact. Keeping the two separate gives the Security Administrator a clearer picture of each as findings emerge. Vulnerability scanners and other tools must be used to test for vulnerabilities within the shortest possible time. Both vulnerability and penetration testing shall be carried out against internal and external network devices, and each must produce a report detailing the vulnerability type, severity level, technical explanation and remediation instructions.
The following steps shall be followed during vulnerability and penetration testing: assessment of the system, a vulnerability scan, a manual penetration test, and a report to the organization's management on the findings of the tests and the recommendations of the Security Administrator.
The Security Administrator will undergo regular training on emerging vulnerabilities and will develop up-to-date ways of protecting the system from attack. He/she will ensure that security roles and network security elements are current and well maintained. It is also the Security Administrator's responsibility to ensure that network infrastructure such as routers and switches, together with firewalls, content filtering and intrusion detection systems, is kept in good condition so that the system is not compromised (Stavroulakis & Stamp, 2010).
Physical Security
According to Stavroulakis & Stamp (2010), physical security administration involves ensuring the safety of personnel, property and classified information through security procedures that comply with the rules and regulations laid down by regulating bodies and by the organization. The Security Administrator will be responsible for setting the minimum requirements for the facilities and buildings in which the machines are kept. These range from basic furniture configuration to the use of locks and secured rooms for machines that may contain sensitive information. The Security Administrator must carry out regular user education to refresh users on new methods of caring for the system, so as to avoid unauthorized access or loss of information. The Security Administrator will also define who has access to the computers that act as servers or that otherwise have restricted access.
Stavroulakis & Stamp (2010) observe that physical security aims to provide mechanisms such as perimeter markings and warning signs to keep intruders away from the system. The Security Administrator must also be able to distinguish authorized from unauthorized people seeking access to the system. Strong walls, safes and door locks are among the measures that shall be taken to prevent intrusion attempts against the database at New Eden Technologies. Similarly, there shall be mechanisms such as alarms to monitor and detect threats to the database. The incident response policy will provide guidelines on how to respond to cases of physical insecurity of the equipment and databases at New Eden Technologies.
In addition to the above, the administrator will formulate policies in regard to protection criteria, physical protection and crime prevention.
Guidelines for Reviewing and Changing Policies
As the computing environment changes, the Security Administrator will be responsible for reviewing policies and guidelines so that they conform to new standards in the market. Changes shall be conveyed to users through the public access point, which users of the system shall be encouraged to visit regularly. The Security Administrator will also make efforts to bring all new practices in the computing environment to users' attention so that New Eden Technologies remains relevant in providing secure connection services on its network.
Password Policy
The Security Administrator of New Eden Technologies will be responsible for assigning every member of staff a user account managed from the central server. Each account will consist of the user's name, the server's configuration record for that user and one password (Tipton & Nozaki, 2011). Any user of the system will thus be prompted for their user name, which identifies their configuration record, and for their password, which authenticates them.
This policy specifies the requirements that system users at New Eden Technologies must meet in order to maintain the security of the system. Users of the network are solely responsible for acquainting themselves with this policy and observing the principles below when creating or renewing the passwords for their user accounts. An individual who fails to observe these principles, or who gives his/her password to other users, will be dealt with in accordance with the New Eden Technologies disciplinary policy.
The policy aims to provide a secure operating environment at New Eden Technologies by preventing unauthorized access to the database held on the organization's systems. Another aim is to ensure that responsibility is upheld in the handling of the organization's documents and database so as to create an environment of trust (Kuo & Beland, 2005).
The passwords used shall not be easily guessable and shall not include the following:
- The user's full name, user name or e-mail name, or any derivative of these
- A single word in any language
- Any fact associated with the user, such as a pet's name, date of birth, phone number or social security number
The above list is not exhaustive, and users shall exercise caution whenever they choose a password. Users may otherwise choose any password that does not fall into the above categories. Users will be prompted to renew their passwords after a period of one month (Kuo & Beland, 2005). The Security Administrator will, in consultation with the organization's management, set a minimum standard for the kind of passwords to be used on the system.
The minimum standard shall be in line with the national minimum standards set by the regulating bodies.
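The rules above can be enforced at password creation time rather than left to the user's judgement. The following is an added example written for this handbook, not code from the original or from any New Eden Technologies system. It checks a candidate password against the three categories listed above (user identity and derivatives, a single word in any language, personal facts) and against a minimum length. Because the handbook leaves the minimum standard to the Security Administrator, the value of MIN_LENGTH, the small word list, the UserRecord layout and the sample user are all assumptions constructed for the example; a deployment would substitute the approved minimum and a full dictionary or breached-password list.

```python
"""Password acceptability check for the New Eden Technologies password policy.

Added example, not part of the original handbook. It enforces the three
rules the policy lists (no user name, e-mail name or derivative; no single
word in any language; no personal fact such as a pet's name, date of birth,
phone number or social security number) and a minimum length. The policy
leaves the minimum standard to the Security Administrator, so the value of
MIN_LENGTH, the tiny word list and the sample user record are assumptions
constructed for this example.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12  # assumed; the handbook leaves this to the Security Administrator

# Stand-in for a real word list (e.g. /usr/share/dict/words or a breached-password list).
DICTIONARY = {"password", "welcome", "summer", "dragon", "eden", "technology", "letmein"}

# Common substitutions used to disguise a word ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


@dataclass
class UserRecord:
    full_name: str
    username: str
    email: str
    facts: list = field(default_factory=list)  # pet names, date of birth, phone, SSN ...


def _forms(s: str) -> set:
    """Two comparable forms of s: lower-cased alphanumerics, with and without
    leetspeak undone. Both sides of every comparison go through this function."""
    plain = re.sub(r"[^a-z0-9]", "", s.lower())
    deleet = re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))
    return {plain, deleet}


def _derivatives(token: str) -> set:
    """Forms a user is likely to derive from a token: as typed, leet-disguised,
    reversed, and (for dates and phone numbers) the bare digit string."""
    out = set()
    for f in _forms(token):
        out.update({f, f[::-1]})
    digits = re.sub(r"\D", "", token)
    if len(digits) >= 4:
        out.add(digits)
    return {d for d in out if len(d) >= 3}  # ignore initials and other tiny fragments


def _contains_any(pw_forms: set, candidates: set) -> bool:
    return any(c in form for c in candidates for form in pw_forms)


def check_password(password: str, user: UserRecord) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    pw_forms = _forms(password)

    # Rule 1: the user's name, user name or e-mail name, or a derivative of any of them.
    identity = [user.username, user.email.split("@")[0], *user.full_name.split()]
    for token in identity:
        if _contains_any(pw_forms, _derivatives(token)):
            violations.append(f"contains user identity '{token}' or a derivative")
            break

    # Rule 2: a single word in any language, even when disguised with
    # substitutions or a trailing number ("Dragon2024!!" -> "dragon").
    if any(re.sub(r"\d+$", "", f) in DICTIONARY for f in pw_forms):
        violations.append("is a single dictionary word")

    # Rule 3: a fact associated with the user (pet's name, date of birth, phone number, SSN ...).
    for fact in user.facts:
        if _contains_any(pw_forms, _derivatives(fact)):
            violations.append(f"contains personal fact '{fact}' or a derivative")
            break
    return violations


if __name__ == "__main__":
    # Constructed sample record; not a real person.
    ada = UserRecord("Ada Lovelace", "alovelace", "ada.lovelace@neweden.example",
                     facts=["Rex", "1990-04-12", "555-0142"])
    for candidate in ["p@ssw0rd", "Lovelace!Rex2024", "Dragon2024!!", "correct-horse-battery"]:
        print(f"{candidate!r}: {check_password(candidate, ada) or 'acceptable'}")
```

The check normalises both the password and every token it is compared against in the same way, so "L0velace" is caught as a derivative of the surname just as "Lovelace" is, and a date of birth is caught whether typed with or without separators. The facts list is the part a deployment must populate from the HR record; the check can only reject what it knows about.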
Procedures and Guidelines
According to Freedman (2003), the following guidelines must be observed when using passwords on the network:
- Writing down of passwords is prohibited.
- Passwords shall not be sent through e-mail.
- Passwords shall not be stored in unencrypted documents.
- Passwords shall remain personal and confidential.
- Passwords shall not be communicated over the phone.
- Never reveal or hint at your password on a form on the Internet.
- All suspicious cases regarding passwords must be reported to the Security Administrator.
- "Remember password" features shall not be used on public computers.
- Use only trusted and secure web browsers.
The Security Administrator reserves the right to enforce observance of the procedures and guidelines set out in this handbook. Because password security is critical to the security of everyone in the organization, employees who do not observe the guidelines laid down in this policy will be subject to sanctions as defined by the Security Administrator (Freedman, 2003).
This password policy applies to all staff currently employed at New Eden Technologies and to those employed in the future. Contract workers shall be subject to a separate policy set out by the Security Administrator. An employee leaving the organization for any reason must hand over the details of their accounts to the Security Administrator so that access can be revoked.
A breach of the procedures and guidelines for the use of passwords will attract sanctions ranging from denial of account use to legal prosecution, depending on the severity of the loss resulting from the breach (Mann & Mitchell, 2000). The Security Administrator, in consultation with the management of New Eden Technologies, decides on the sanction to be applied to offenders.
Review and Change Management
Users may change their passwords as often as they wish, provided the standards above are observed. The system will automatically prompt users who have not changed their passwords for a period of one month. Any further delay in changing the password may lead to closure of the account, which will then require the Security Administrator to reactivate it (Mann & Mitchell, 2000).
Acceptable Use Policy
All staff at New Eden Technologies will be required to accept the terms and conditions on the use of the security procedures and guidelines set out in this handbook before the Security Administrator assigns them user accounts. The Acceptable Use Policy is aimed at providing a link between account users and the organization (Crothers, 2001). This policy binds all existing and future users of New Eden Technologies and is subject to review by the organization without prior notice.
This policy is intended to minimize the risks to which organizational resources and data are exposed by establishing the acceptable privileges of data users. It also sets out the limits within which a user may operate while continuing to use the security system without inconvenience.
Crothers (2001) observes that an Acceptable Use Policy aims to protect the interests of New Eden Technologies while safeguarding the security of the data in the system. Since New Eden Technologies will be dealing with customers online, the Acceptable Use Policy will also ensure that customers visiting the website cannot access information that is confidential to the organization.
The national acceptable-use standards used by the security administration are adopted as the minimum standards at New Eden Technologies (Crothers, 2001). Additionally, this Acceptable Use Policy covers emerging technologies and those yet to be introduced. This is important because technology is highly dynamic and the organization must be protected from any exploitation that may arise from the use of its network.
Procedures and Guidelines
A contravention of the policy shall prompt the Security Administrator to take one or more of the following actions:
- Deny the user involved the right to access the network
- Suspend the account of the user involved
- Completely and permanently terminate the account of the user
- Charge the user for the administrative costs incurred in rectifying their account
- In more serious cases, bring legal action against the user of the account
System users shall be expected to ensure that the procedures and guidelines for the use of the system are strictly observed and followed (Crothers, 2001). A breach of any of these procedures will attract punitive measures decided upon by the Security Administrator. The decision of the Security Administrator as to the sanction is final and not subject to appeal. The organization has the responsibility to keep the policy current and updated to meet existing standards.
Review and Change Management
The Acceptable Use Policy is subject to change by the management of the organization without prior notice to users. It is up to users to acquaint themselves with new developments as stipulated in the policy. However, the Security Administrator will from time to time bring the new requirements of the Acceptable Use Policy to the attention of staff at New Eden Technologies (Crothers, 2001).
Incident Response Policy
It is the policy of New Eden Technologies to provide security awareness and training to users of the network. This will be done on a regular basis and in response to the problems at hand. The policy therefore makes it mandatory for all new users to attend an approved user security awareness and training session before being granted the right to access any of the New Eden Technologies databases. The Security Administrator will be responsible for implementing the awareness and training policy for all staff at the organization. In the spirit of this policy, ignorance shall not be accepted as a defense in case of a violation (Bidgoli, 2006).
The purpose of the New Eden Technologies User Awareness and Training Policy is to ensure that staff make the most of the resources at New Eden Technologies and use the electronic resources provided by the organization efficiently and securely. It helps address security issues related to the safety and integrity of the information maintained in the New Eden Technologies computerized database (Bidgoli, 2006). The policy does not, however, cover intellectual property and copyright issues in the design and implementation of the security administration.
The objective of this policy is to bring all staff at New Eden Technologies to a common understanding of the use of the computerized system and thus to assist them in using and maintaining the organization's services. Through this policy, all users at New Eden Technologies will receive adequate training and the relevant literature to enable them to protect the organization's information resources (Wells, 2004).
All standards laid down by the organization shall be followed in implementing this policy, with the national standards serving as the minimum. The Security Administrator will be responsible for formulating minimum standards that are in line with the requirements of the users.
Procedures and Guidelines
The Security Administrator will be responsible for preparing, maintaining and distributing information security manuals that concisely describe the procedures and policies governing the sharing of information at New Eden Technologies. Every user will be required to attend an annual computer security compliance seminar and pass the associated examination.
The Security Administrator will develop and maintain a communication process for bringing to users' attention information about new security programs connected with the use of computers, security issues published in bulletins, and the relevant items used to ensure security. New Eden Technologies shall provide defined procedures for handling security incidents as they occur.
The reporting of an incident will follow the prescribed channel, unless the incident warrants the attention of a higher authority (Crothers, 2001). In either case, a detailed report of the incident must be submitted to the responsible authority, regardless of whether the incident was resolved at the initial stage. The Security Administrator will be responsible for compiling a comprehensive report of all incidents in each reporting period, which shall then be used in user education and training.
User Awareness and Training Policy
All staff will undergo a user awareness and training session before they start using the computers at New Eden Technologies, and further sessions as the need arises. Additionally, the Security Administrator will organize regular training according to the needs of the staff and changes in technology (Bidgoli, 2006).
The objective of this policy is to bring the staff at New Eden Technologies up to date with the technology, guide their use of it and protect the system from misuse. It is intended to bring out the best in the staff while safeguarding organizational information.
The policy also aims to enable New Eden Technologies to safeguard its information while getting the most from its staff, and to practise security management in line with the national standards of information security.
User awareness and training shall be delivered according to the requirements of the users. It will be carried out within a specified period and in line with new technology and information on the market. The Security Administrator will set minimum requirements that users must meet before using the system.
Procedures and Guidelines
All staff at New Eden Technologies will be required to attend user awareness and training sessions, and new staff will be trained on joining. The Security Administrator is responsible for organizing the training through experts in all areas concerning the security of information in the organization (Stallings et al., 2011).