Question:
Devise a security policy
Part 1:
Think about a business you are familiar with, one that uses networks and computers to support business functions. Create a list of ten important, specific items such as computers, disks, equipment, and information such as sales data, client data, and network configuration. Identify the threats these important items are subject to. Devise a security policy to mitigate that threat. Document your analysis process. Note that this information will be useful moving forward, so develop it fully at this time.
Part 2:
Read the following mini security policy. Assess this security policy in four major areas. What is missing, incomplete, inaccurate, or ill advised?
Acme Security Policy
Each document should have a footer or header identifying the level of sensitivity. Suggested sensitivity levels are unrestricted and client sensitive.
Email clients should enable SSL encryption both for POP and SMTP. That way regardless of where we work, our email traffic will not expose any data to network eavesdropping techniques. If client confidential data must be emailed amongst Pixel Inc. consultants, the file should be encrypted, perhaps using a cross-platform product such as PGP Desktop 9.0 or S/MIME, so that data cannot be read from email servers along the way.
File servers with shared folders should have access controls enabled to only members of the authorized group. Shared folders should also be encrypted so that physical theft of the server, its hard drives, or the backups will not compromise data confidentiality.
Periodic backups will be made of server hard drives and stored offsite in a secure location such as a safety deposit box. Access to the backups will be shared.
Only a select few consultants under contract to Pixel Inc. will be given the file server Administrator account password.
Laptop computers will not automatically login the administrator and each account will be password protected. Local folders containing client sensitive data should be encrypted so that theft of the laptop or its hard drive will not compromise data confidentiality.
Portable storage devices such as USB and Firewire disk drives or flash disks and thumb drives may be used to store client sensitive documents if they're stored in encrypted folders or drive images.
Laptop computers will have screen savers enabled with password protection. Users will switch on their screen saver to lock the computer when they walk away from it.
Passwords should be chosen wisely, i.e., common dictionary words would not be used.