Security Policy: Design and Implementation

Justin W Christopherson
Old Dominion University
CYSE – 300: Introduction to Cybersecurity
Dr. Joseph Kovacic
28 January 2024

Setting up a strong security policy for a corporate information system requires investigation into what works and how it is implemented. While there are a few considerations for a strong policy, this paper will primarily focus on five important issues. The issues in question are physical security, confidentiality, integrity, availability, and response to security incidents. This will be an attempt at building a strong information system security program.

Physical Security
One of the most overlooked aspects of information system security is not the technical work of securing the data on the servers. The most important aspect, in my opinion, is the physical security of the corporation's office. This can be incorporated into a security policy by adding a vetting process and then issuing a security badge for building entry. Once access to the building has been set up, the next step is to secure the server rooms. This can be done by ensuring there is no alternate access to the server room other than the intended doors. In addition, pointing cameras at the access doors will help keep out people without proper authorization. Finally, with all the other aspects applied, adding a cipher lock door would increase the overall security posture.

CIA Triad
Another aspect of strong information system security is the incorporation of the CIA triad. This triad is a combination of confidentiality, integrity, and availability. Confidentiality is defined by the National Institute of Standards and Technology (NIST) as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” Incorporating confidentiality into a security plan would require coming up with a tiered plan defining what data is considered confidential and who has access to it. Once it has been established who has the correct access to the classified data and what tier the data is, it’s time to incorporate integrity. Integrity is defined by NIST as “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” In practice, this applies when the information that has been deemed confidential is sent from the server to the individual workstations throughout the office. At that point, the data needs to be verified as authentic and untampered. This can be done with the inclusion of checksums to verify the data has not been tampered with and procedures that would require each individual person to verify their identity. This would be done using an authentication system that verifies both the sender and receiver.
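The following is an added example, not part of the original paper, showing why the checksum on data sent from the server to a workstation should be keyed and should cover the sender, receiver, and tier. It assumes a per-workstation secret shared with the server out of band; the host names, tier labels, and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _canonical(sender, receiver, tier, payload):
    # Length-prefix each field so bytes cannot shift between fields.
    parts = [sender.encode(), receiver.encode(), tier.encode(), payload]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def _tag(key, env):
    msg = _canonical(env["sender"], env["receiver"], env["tier"], env["payload"])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(key, sender, receiver, tier, payload):
    """Server side: attach a plain checksum and a keyed tag."""
    env = {"sender": sender, "receiver": receiver, "tier": tier,
           "payload": payload,
           "sha256": hashlib.sha256(payload).hexdigest()}
    env["tag"] = _tag(key, env)
    return env

def checksum_ok(env):
    """Unkeyed check: detects accidental corruption only."""
    actual = hashlib.sha256(env["payload"]).hexdigest()
    return hmac.compare_digest(actual, env["sha256"])

def verify(key, env, me):
    """Workstation side: 'ok' or the reason the envelope is rejected."""
    if env["receiver"] != me:
        return "wrong receiver"
    if not hmac.compare_digest(_tag(key, env), env["tag"]):
        return "bad tag"
    return "ok"

def demo():
    key = secrets.token_bytes(32)  # constructed demo key
    env = seal(key, "fileserver01", "ws-07", "confidential", b"Q3 pricing sheet")
    # Payload altered in transit, public checksum recomputed to match.
    altered = dict(env, payload=b"Q3 pricing sheet (altered)")
    altered["sha256"] = hashlib.sha256(altered["payload"]).hexdigest()
    return {
        "genuine": verify(key, env, "ws-07"),
        "altered_passes_checksum": checksum_ok(altered),
        "altered": verify(key, altered, "ws-07"),
        "readdressed": verify(key, dict(env, receiver="ws-12"), "ws-12"),
        "relabelled_tier": verify(key, dict(env, tier="public"), "ws-07"),
    }

if __name__ == "__main__":
    print(demo())
```

The altered envelope passes the plain SHA-256 check because anyone can recompute that value, while the keyed tag rejects it along with the readdressed and relabelled copies.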


Security Incident Response
Despite all the procedures put in place, there is always someone who wants to take what does not belong to them. The way a corporation responds to a security incident can make or break it. The first step that should be taken is the notification of all pertinent people. After this, an investigation needs to ensue. This would require the investigators to check all the logs for any communications and data transferred between terminals and the servers, as well as any external communications. Once they find out who committed the crime, management needs to come up with a plan on how to proceed with the offender. This could include legal action against the offender, updating the security policy, and possibly having a third party conduct another investigation.

Conclusion
In the end, setting up a corporate information security system involves a lot of moving parts that require attention to detail. Without physical security, anyone with access to the building will have access to the servers. Without the inclusion of the CIA triad, the data would never be tiered, and everyone would have access to everything. They could release proprietary information outside the company, and if the company does not verify who is receiving the data, it might as well just throw pamphlets out of airplanes with all its trade secrets. Finally, if a corporation doesn’t know how to respond to a security incident, it would not last very long at all due to the frequency of attacks in the corporate sector.


