1. What is a security policy and why does an organisation need a security policy? Moya Feehan

“A security policy is a written document identifying the rules and procedures for all users accessing the organisation's servers and resources [1].” Security policies vary from business to business depending on how each values its information and its tolerance for risk. The document is often described as a living document that is continually adapted as the organisation evolves and its

Security policies are essential in any organisation: they establish rules for what users should and should not do, define the consequences of violation, set out the organisation's stance on security so as to minimise risk, and ensure proper compliance with regulations. Security policies benefit companies because they reduce the risk of data loss or leakage, protect the organisation from hackers, and protect the property of the company from
2. Come up with an example of your own of an issue which could be caused by missing security policies. Joseph Sally

Security policies are put in place in order to protect a system and its data. If policies are missing, or if a policy is compromised, then many issues can arise. For example, in a computer network all equipment and devices connected to the network must be secure both physically and digitally. Data stored on the system must maintain its integrity, and specific data must require authorisation to be accessed; therefore passwords must be put in place with the purpose of regulating and monitoring access to the system. Without the use of passwords any user could access the system and possibly see personal or confidential data stored on the system, and without a way to easily distinguish a user's level of access they may also be able to edit or destroy the stored data. Passwords must be regularly changed, and multiple unsuccessful login attempts should lock a user out of the system; both of these policies will help reduce unauthorised access to the system.

Transmissions to and from the system must also be protected. Therefore the transmissions must be encrypted to prevent people from viewing the transmission and potentially intercepting confidential data.

The software used in the system must be written securely to avoid users breaking into the system. The software used must avoid leaving any backdoors which would allow users to sneak past security precautions and access parts of the system or data that they should not be allowed to see. The programmer coding the system must be cautious when using third-party software, as if that software is not thoroughly checked and tested it may contain malicious code. This malware could potentially leak data from the system and/or damage the system.

The hardware in the system must also be secure and kept in good condition, and policies must be put in place to encourage this. Important system hardware, for example the system's data servers, must be kept in a safe and secure location. This location may require some sort of password or identification to access. This helps prevent someone doing physical damage to the system or stealing equipment. The equipment must also be kept safe from other environmental threats such as temperature, dust and radiation, as these can all cause damage to the equipment. To mitigate some of these damages the equipment must be regularly maintained.

The people with access to confidential information about, or stored on, the system must be trained in protecting such information. These people must know never to discuss any of this confidential information with someone who does not have authorised access to it. All users must protect and not share their passwords to the system, as this may allow other users without the correct authorisation to access the system. All users must also protect portable devices connected to the system, as once again if a user were to lose their device it may allow someone to access the system without permission.
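The two password policies described in this answer (regular password changes and locking an account after repeated failed logins) can be seen working in the following added example. It is not part of the original assignment; it is a self-contained Python model in which the account names, passwords, timestamps and the policy limits (five attempts, 15-minute lockout, 90-day maximum password age) are all assumptions chosen for the illustration.

```python
# Added example (not from the original assignment): a minimal model of two
# of the password policies described above, using only the Python standard
# library. Account details, password values and login timestamps below are
# constructed for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5          # policy: lock after this many consecutive failures
LOCKOUT_DURATION = timedelta(minutes=15)
MAX_PASSWORD_AGE_DAYS = 90       # policy: passwords must be changed regularly


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the lockout and
    # password-age logic does not depend on the choice of KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(username: str, password: str, set_at: datetime) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), set_at)


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Apply the two policies to one login attempt.

    Returns "locked", "denied", "password_expired" or "ok".
    """
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # still inside the lockout window: refuse even a correct password
            return "locked"
        # lockout has expired; reset the counter and allow attempts again
        acct.locked_until = None
        acct.failed_attempts = 0

    supplied = hash_password(password, acct.salt)
    if not hmac.compare_digest(supplied, acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "denied"

    # correct password: clear the failure counter, then enforce password age
    acct.failed_attempts = 0
    if now - acct.password_set_at > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        return "password_expired"
    return "ok"


def run_demo() -> list:
    """Replay a constructed sequence of login events and return the verdicts."""
    now = datetime(2018, 1, 20, 9, 0, 0)
    alice = create_account("alice", "correct horse battery staple",
                           now - timedelta(days=10))
    bob = create_account("bob", "old-password", now - timedelta(days=120))

    verdicts = []
    # five wrong guesses in a row lock alice's account ...
    for i in range(MAX_FAILED_ATTEMPTS):
        verdicts.append(attempt_login(alice, "wrong guess", now + timedelta(seconds=i)))
    # ... so the correct password is refused one minute later ...
    verdicts.append(attempt_login(alice, "correct horse battery staple",
                                  now + timedelta(minutes=1)))
    # ... but accepted once the 15-minute lockout has passed
    verdicts.append(attempt_login(alice, "correct horse battery staple",
                                  now + timedelta(minutes=20)))
    # bob's password is correct but older than the 90-day limit
    verdicts.append(attempt_login(bob, "old-password", now))
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note that the lockout is enforced before the password is checked, so a correct password submitted during the lockout window is still refused; that is what stops a guessing attack from simply continuing. Resetting the failure counter only on a successful login, or after the lockout expires, keeps the count honest across separate guessing attempts.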
3. What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why? (List at least 4 things.) (For example, how to handle delicate information.) Catherine McAvoy

“Everyone in a company needs to understand the importance of the role they play in maintaining security [1].” The purpose of a security policy is to ensure that there are measures in place to protect the information within an organisation. Therefore the security policies should be explained to all employees, whether they are part time or full time, at the start of their employment, with sufficient training given. Follow-up training should be given at regular intervals, such as monthly meetings or awareness posters, to keep the security policies fresh in the employee's mind.

As an organisation you want to protect and adhere to the information security objectives, and these need to influence the security policies, as seen in [2].

Confidentiality – Only users authorised to view information should be able to access it. The organisation should also ensure employees can control the information collected and stored about them and what information can be disclosed to certain individuals.

Integrity – Assures that information and programs are not corrupted or modified except in an authorised manner. System integrity ensures that the system will only perform its intended function and be insulated from deliberate or unauthorised manipulation.

Availability – Ensures the system and information are available to authorised individuals when they need them.

Therefore there are basic things that need to be explained to every employee.

The first is how to handle sensitive information. This means that confidential data is not made available or disclosed to unauthorised individuals, protecting the confidentiality objective [3]. When training employees, they should first be made aware of how important data confidentiality is, and then be given training such as how to destroy documents through use of confidential waste bins or lockable document storage cabinets. Failure to protect sensitive information might result in loss of client information, which would have a negative effect on the organisation's reputation.

Employees should also be trained in how to properly maintain their ID, password, etc. They should follow good password practices and change their passwords routinely. There should be no sharing of the employee's user ID and password, and employees should be made aware that it is their responsibility to safeguard their own account. The organisation should also have clear guidelines on what employees can install and download onto their work computers. This will make their computers less vulnerable to attack.

Employees should know how to respond to potential security incidents. They should be educated on how to spot and report phishing and how to check for suspicious links in emails or webpages. There should also be training in what malware is and how to spot it, in order to respond quickly if they suspect their device has been infected [4].

Employees should also be trained on how to properly use the corporate email system within the organisation. This includes how to use the organisation's spam filters to prevent unwanted, harmful emails. Employees should also be instructed that they are not allowed to use their work emails for harassment, chain letters or any other non-business use.

The organisation should write security policies with business input and check them regularly to see if they are still relevant and up to date. They should also ensure that the correct tools are in place to fulfil the
4. Your organisation has an e-mail server that processes sensitive emails from senior management and important clients. What should be included in the security policy for the email server? Moya Feehan

A mail server, in simple terms, can be seen as the computerised equivalent of your everyday mailman. Every email sent passes through a series of mail servers on its way to its intended recipient. When sent, the message appears to be sent and received instantly; however, unknown to a lot of users, there is actually a complex series of transfers that takes place. Email is used in everyday life and is often the primary form of communication within an organisation. The misuse of this service can cause many legal, security and privacy risks, so understanding the appropriate use of email is very important for users. The email legal, security and risk policies put in place by companies are there to make users aware of what is acceptable and unacceptable when using the specific email system.

Looking at the policy created by the SANS Institute for the Internet community, it is a basic template for email policies that can be used freely by any company. There are numerous email policies found there; however, the main security-related ones are as follows. “Company email account should be used primarily for company business related purposes; personal communication is permitted on a limited basis, but non-company related commercial uses are prohibited [1].” This will prevent the spread of viruses through personal email accounts into the company system, as well as keep all of a company's documents secure and within that system only. “All company data contained within an email message or an attachment must be secured according to the Data Protection Standard [1].” Like the previous policy, this will help prevent viruses spreading, as the data contained will have been checked and secured. As well as these policies, which may protect against viruses and keep your data secure, you should also include a virus scanning policy in case viruses get in through normal messages. The policy should read: “The Company will scan every email message that passes through its server to check for computer viruses, worms or other executable items that could pose a threat to the security of the network. Infected email should not deliver to the user. Administrators will have procedures in place for handling infected email messages [2].” Finally, you should also include an encryption policy so that messages that are intercepted are still secure, in that they cannot be read without the decryption key. A policy for this could read: “Information sent to users outside of the company will be encrypted prior to its transmission. The use of encryption will be consistent with the company's encryption policies.”

Other policies, such as those on chain mail or spam, forging emails and giving out passwords, would also be included. The data is sensitive, and specific clients cannot afford to receive numerous irrelevant emails clogging up their inbox and possibly causing them to miss important messages. Passwords must also not be shared, in case the email accounts are compromised.

Securing your email server in today's modern society is very important, as users become more complacent and assume the computer will be safe without adding their own encryption or being aware of spam mail (viruses). In the case of sensitive data within an organisation, all users must be made fully aware of the working policies and must follow them on a daily basis.
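Two of the policies quoted above, scanning every message for executable items and encrypting information before it leaves the company, are the kind of rule a mail server can enforce mechanically. The following added example (not from the SANS template or the original answer) shows a small policy gate written with Python's standard-library email package. The company domain `example.com`, the lists of executable extensions and types, the choice of S/MIME or PGP/MIME envelopes as the test for "encrypted", and the four sample messages are all assumptions made for the illustration.

```python
# Added example (not from the SANS template or the original answer): a small
# policy gate for a mail server, written with Python's standard-library email
# package. It checks two of the policies discussed above: executable
# attachments are quarantined instead of delivered, and mail leaving the
# company domain must be encrypted (S/MIME or PGP/MIME) before transmission.
# The company domain, the type lists and the sample messages are constructed
# for this example.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

COMPANY_DOMAIN = "example.com"   # assumption: the organisation's own domain
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1")
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/x-executable"}
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}


def has_executable_attachment(msg: EmailMessage) -> bool:
    """Policy: scan every message for executable items."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            return True
        if part.get_content_type() in EXECUTABLE_TYPES:
            return True
    return False


def has_external_recipient(msg: EmailMessage) -> bool:
    """True if any To/Cc address is outside the company domain."""
    for header in ("To", "Cc"):
        field = msg[header]
        if field is None:
            continue
        for addr in field.addresses:
            if addr.domain.lower() != COMPANY_DOMAIN:
                return True
    return False


def is_encrypted(msg: EmailMessage) -> bool:
    """Treat an S/MIME or PGP/MIME envelope as 'encrypted prior to transmission'."""
    return msg.get_content_type() in ENCRYPTED_TYPES


def evaluate(raw: bytes) -> str:
    """Decide what the server does with one message in wire format."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if has_executable_attachment(msg):
        return "quarantine: executable attachment"
    if has_external_recipient(msg) and not is_encrypted(msg):
        return "reject: external recipient but message not encrypted"
    return "deliver"


def build_samples() -> dict:
    """Construct four sample messages (all contents invented for the example)."""
    internal = EmailMessage()
    internal["From"] = "ceo@example.com"
    internal["To"] = "cfo@example.com"
    internal["Subject"] = "Q4 figures"
    internal.set_content("Figures attached.")
    internal.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                            subtype="pdf", filename="figures.pdf")

    dropper = EmailMessage()
    dropper["From"] = "unknown@mail.invalid"
    dropper["To"] = "cfo@example.com"
    dropper["Subject"] = "Invoice"
    dropper.set_content("Please open the attached invoice.")
    dropper.add_attachment(b"MZ constructed sample", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")

    external_plain = EmailMessage()
    external_plain["From"] = "ceo@example.com"
    external_plain["To"] = "Client <client@partner.invalid>"
    external_plain["Subject"] = "Contract draft"
    external_plain.set_content("Draft terms in the body of this message.")

    external_encrypted = EmailMessage()
    external_encrypted["From"] = "ceo@example.com"
    external_encrypted["To"] = "client@partner.invalid"
    external_encrypted["Subject"] = "Contract draft"
    # an S/MIME enveloped body; the bytes stand in for real ciphertext
    external_encrypted.set_content(b"constructed ciphertext", maintype="application",
                                   subtype="pkcs7-mime")

    return {"internal": internal.as_bytes(), "dropper": dropper.as_bytes(),
            "external_plain": external_plain.as_bytes(),
            "external_encrypted": external_encrypted.as_bytes()}


def run_demo() -> dict:
    return {name: evaluate(raw) for name, raw in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The gate looks at both the declared filename and the declared content type, because an attachment named to look like a document (`invoice.pdf.exe`) is caught by the extension check while a renamed binary may only be caught by its type; a production scanner would additionally inspect the bytes themselves. The encryption check is deliberately an envelope check: the policy says information must be encrypted before transmission, so a message to an outside domain that is not already in an encrypted container is rejected rather than silently forwarded.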
5. Read the UCL and Harvard University security policies [1], [2]. Compare and critique the policies, suggesting improvements/updates as appropriate. Catherine McAvoy

Information is an important asset to UCL and Harvard University; therefore security policies are vital to protect against threats which may result in financial loss, reputational damage or exposure to liability for the university. As a result, both security policies “formally define a policy creation and policy maintenance practice [1]” by creating and distributing their security policies through

UCL clearly define 7 security objectives that have to be adhered to. These are outlined at the start of the policy document along with information regarding who the policies apply to and why information security needs to be outlined within the document. Harvard University outline 15 policy statements in order to protect “information that is critical to teaching, research, and the University's many varied activities, our business operation, and the communities we support, including students, faculty, staff members, and the public [2].” In both security policies, the purpose for which the policy has been created is stated at the start. In UCL's document there is context included in Section 1 about why and how information is used in the University. In contrast, it is harder to find the policy statements outlined by Harvard University, and it only gives a general introduction, compared to UCL which is more detailed.

The Harvard University policy is an organisational security policy which has been issued by senior management [1]. It sets out high-level authority and describes data classification levels in terms of breach of security and level of impact. Within each level, it gives the data types and how to comply with each data type's security requirements. For some data types it outlines what the users, devices, servers and paper/physical records have to do in order to be

On the other hand, UCL have created a system-specific security policy. The policy objectives address particular security concerns, for example “ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required [3].”

The Information Security Policy from Harvard University does not follow any security governance, whereas UCL's is approved by a governing body (Information Services Governance Committee) throughout the policy. UCL outlines roles and responsibilities, breaches in security and how procedures are dealt with by the appropriate Head of Department or governing body. Therefore, to improve the standard of the Information Security Policy within Harvard, security governance should be implemented to effectively coordinate the security activities in the

A good security policy “should survive for two or three years [1]” and it should be reviewed and approved at least annually. In UCL's case there is a Revision History document, and the document was reviewed regularly up until 17th of June 2016. However, Harvard have no Revision History details noted and it is unclear if the information is up to date. An improvement to the policy could be to keep a history of changes to the security policy, to ensure that it is kept up to date and relevant and that users are confident in this.

Both policies are not too specific in their security objectives. The statements are short, concise and easy to understand. Harvard's policy statements are high-level and there are clear, simple instructions on how to comply with each policy, whereas the UCL security policy document uses technical terms and users without a technical background might find it hard to follow. However, as the UCL document is more technical, supporting reference documentation is included outlining terms that have been used in the document, which is particularly useful for non-technical users. A good security policy “must be written technology-independent [1]”; therefore UCL should review the language used in the security policy document to make it more high level for non-technical users, reducing the need for the supporting

Harvard have documentation to explain the data classifications, which is necessary as the requirements are grouped by the data classification levels; however, it does not include any related documentation on underlying methods and technologies. The security policies Harvard have outlined also do not make any reference to any legislation or laws in place for protecting information, whereas UCL have “worked in compliance with legislation and UCL policies, and by adherence to approved procedures and codes of practice [3],” including all the supporting policies such as the UCL Computing Regulations and UCL Data Protection Policy. This allows users to understand the importance of protecting the information and how detrimental it could be if security were jeopardised. Therefore, it would be beneficial if Harvard used supporting documentation, which might be helpful to users in understanding why certain requirements are necessary in the University.

Good security policies use “forceful, directive wording [1].” Strong directive words communicate the requirements efficiently, whereas weak directive words such as should, may or can suggest an option of not following the policies [4]. UCL use strong directives throughout the security policy document whereas Harvard use them less frequently. Thus, an improvement to the Harvard documentation could be to use stronger directives to ensure the user knows the importance of the requirement being

A good policy “develops sanctions for non-compliance [4]”, which outlines and enables actions when policies are not followed. UCL states what should happen in a breach of security, as well as a ‘Policy Awareness and Disciplinary Procedure’ that outlines to users what happens when there is a violation of security. On the other hand, Harvard makes no reference to procedures or actions when policies are not followed; therefore, to improve the policy, sanction outlines should be put in the documentation.

Both policies differ in terms of structure and detail. UCL use a straightforward approach, summarising the main objectives, who is responsible for security measures and details of what to do in case of a security breach. Alternatively, Harvard focus on the different levels of security and outline the different data types users may have. From this they outline the procedures on how to comply with their security policies, and the instructions are clear and easy to follow.
References (questions 1–3)

M. Rouse, “Security Policy,” May 2007. Online. Available: http://searchsecurity.techtarget.com/definition/security-policy. Accessed Jan. 16, 2018.
W. Deutsch, “Security Policies Every Company Should Have,” Dec. 10, 2017. Online. Available: https://www.thebalance.com/effective-security-policies-394492. Accessed Jan. 23, 2018.
“Training Your Employees on Information Security Awareness,” Dec. 11, 2015. Online. Available: https://www.symantec.com/connect/blogs/training-your-employees-information-security-awareness. Accessed Jan. 19, 2018.
Lecture, Topic: “Introduction to Network Security – Part 2,” School of Electronics, Electrical Engineering and Computer Science, Queen's University Belfast, NI, Jan. 12, 2018.
[4] Rapid 7, “Security Awareness Training,” Rapid 7. Online. Accessed Jan. 20, 2018.

References (question 4)

[1] SANS Policy Team, Consensus Policy Resource Community. SANS Institute, 2013. E-book. Available: https://www.sans.org/security-resources/policies/general/pdf/email-policy. Accessed Jan. 18, 2018.
[2] Anon, “Email Security Policies,” Help Net Security, 2012. Online. Available: https://www.helpnetsecurity.com/dl/reviews/157870264X.pdf. Accessed Jan. 19, 2018.

References (question 5)

[1] Dr. S. Scott-Hayward, Class Lecture, Topic: “Network Security Administration – Part 1,” School of Electronics, Electrical Engineering and Computer Science, Queen's University Belfast, NI, Jan.
[2] Harvard University, “Information Security Policy,” Harvard University. Online. Available: https://policy.security.harvard.edu/. Accessed: Jan. 18,
[3] London's Global University, “UCL Information Security Policy,” UCL. Online. Available: https://www.ucl.ac.uk/informationsecurity/policy. Accessed: Jan. 18,
[4] Harold F. Tipton and Steven Hernandez, CISSP, Official (ISC)2 Guide to the CISSP CBK, Second Edition. California, USA, 2010.