					                                                                  BPR 1




    Beckert, Price & Rose, P.A Security Policy




A paper submitted to Webber International University

   in partial fulfillment of the requirements for the

     Masters in Business Administration degree




                                   By:             Renato Feoli

                                                   Patricio Misitrano

                                                   Group # 7

                                   Date:           10/25/04

                                   Course:         MBA 610

                                                   IS for Mgt.

                                   Semester:       Fall 2004

                                   Instructor:     Dr. Wunker


                           Table of Contents

Table of Contents ………………………………………………………………2

Body

 I.     Major Issues of a Network Security Policy …………..……………......3

 II.    Company Background ………………………………… ………….…10

 III.   Network Security Policy Recommendations …………………………11

 References →…………………………………………………………………..13

 Appendix

 A. → Copy of release letter

 B. → Copy of slide presentation


Major Issues of a Network Security Policy


       A security policy is a broad statement describing the objectives of the corporate information system and the requirements for securing the information and resources on the system. The policy provides a framework within which the company can work and provide a secure environment for the network system and the information stored on the network. The policy defines what needs to be protected and why; who has access to the information and the level of access; how the security system prevents unauthorized access to the data and other resources; how the data is backed up; what can and cannot be done on the network system; general methods of providing a secure environment against both internal and external attacks; and punishment for authorized users who fail to follow the policy. The policy should be a broad statement, not too overpowering for the employee, but flexible enough for the corporate system to change and grow within it. (Colden, 2001; Etheridge, 2001; Gouldson, 2001; Maheshwari, 2001; McClure, 2001; Savage, 2001; Takahashi, 2001; and Wilbanks, 2001)

       A policy differs from a practice in that a policy is a written statement with specific purposes that everyone in the organization has to be aware of and obey. A practice is the customary or habitual way of performing an act or action, or the process of doing something, which is not set out in a written statement. In the case of BPR, the company only applies practices that are communicated to employees during staff meetings. (The American Heritage® Dictionary of the English Language; P. Taylor, personal communication, September 15, 2004)

       A network security policy is important to any organization because it provides a concise and comprehensive strategy for tactical security solutions in relation to the objectives of the business. The policy needs to clearly set a proper value on the information assets; it also represents priorities, and must clearly state the assumptions and requirements that drive the security activities of an organization. Developing a proper security policy is hard, but it can help make difficult decisions regarding information security programs up front, and further make the execution of other programs easier according to the needs of the organization and the policy. Once the policy is implemented it needs to be reviewed and assessed regularly; where sections are ineffective or key points are missing, the policy should be modified. (Palmer, 2001)

       Information security has become more important in the last few years. The benefits of having a security policy are countless. One way to develop a network security policy is to use the Web to automate the creation and management of the policy. If the company needs to make changes in a practical manner, the best way to do it is by putting the policy up on the intranet: the information gets out much quicker than distributing papers directly to employees. An information security policy framework provides an organization with a summarized, high-level and comprehensive strategy to mold its tactical security solutions in relation to business objectives. (Palmer, 2001; Yasin, 2001)

       Policies need to be clearly articulated and well constructed to guard information against a range of risks including industrial espionage, fraud, sabotage, errors and omissions, and system unavailability. Besides developing a network security policy, organizations of any size should regularly review and assess their current policy implementation. By doing this, companies can identify any ineffective or missing point within their information security program. (Wood, 2000; Palmer, 2001)


       Organizations of any size should protect their information. Public and private companies must safeguard all information regarding themselves, their personnel and their clients. There are several ways this can take place. Breaches in security can have terrifying effects, as happened to a West Coast manufacturing company with 20,000 employees. When this breach happened, the media reported the possibility that the stolen information could be used for identity theft and for applying for fraudulent credit cards. Because of this breach there was a notification process, in which some recommendations suggested that individuals change their bank account numbers. Another way to protect important information is to develop an Asset Protection Policy that defines an organization's objectives with regard to specific standards providing the proper level of confidentiality, integrity, and availability of information assets. (Palmer, 2001; Wood, 2000)

       This Asset Protection Policy will be a "superset" of more closely focused policies, such as authorization and authentication, that sometimes come up in the execution of other policies. Francis Juliano, chief technology officer of international business auction house DoveBid, thinks that the security of most web servers is vulnerable because most of the security holes cannot be repaired. Juliano recommends that, whatever activities are conducted on the server, a web server should not be made the front end of a database if very valuable information such as credit card numbers is stored in that database. One solution is to put the database on a separate server, build a firewall in between, and limit the language spoken between the two computers. The most important purpose here is to make sure that the web server can't retrieve the entire database in one data dump. (Luzadder, 2001; Palmer, 2001)
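The separation Juliano describes, as an added illustration that is not from the paper or from DoveBid: the database tier offers the web tier only a short list of named, single-record lookups (the "limited language"), and an SQLite authorizer on that connection refuses any statement that reads the card-number column or modifies data, so a full dump is not possible even if raw SQL reaches the database. The firewall between the two hosts is assumed and not shown; the table, client names and card-number placeholders are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; the card numbers are placeholders.
SAMPLE_CLIENTS = [
    (1, "Alice Example", "4111-XXXX-XXXX-0001", 1250.00),
    (2, "Bob Example", "4111-XXXX-XXXX-0002", -80.50),
    (3, "Carol Example", "4111-XXXX-XXXX-0003", 9999.99),
]

# The whole "language" the web tier may speak to the database tier: a few
# named, parameterised, single-row lookups keyed by client id. Nothing here
# returns card numbers, and nothing here can return the whole table.
ALLOWED_OPERATIONS = {
    "client_name": "SELECT name FROM clients WHERE client_id = ?",
    "client_balance": "SELECT balance FROM clients WHERE client_id = ?",
}

# Columns the web tier's database connection may ever read, per table.
READABLE_COLUMNS = {"clients": {"client_id", "name", "balance"}}


def web_tier_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer installed on the connection the web tier uses.

    SQLite consults it while compiling each statement, so it also stops
    free-form SQL that somehow bypasses the allowlist (defence in depth).
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK  # SELECT statements are permitted ...
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        if arg2 in READABLE_COLUMNS.get(arg1, set()):
            return sqlite3.SQLITE_OK  # ... but only on non-sensitive columns
        return sqlite3.SQLITE_DENY  # card_number is never readable from here
    return sqlite3.SQLITE_DENY  # no INSERT/UPDATE/DELETE/DROP/ALTER/...


class DatabaseTier:
    """Stands in for the separate database server behind the firewall."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE clients (client_id INTEGER PRIMARY KEY, name TEXT,"
            " card_number TEXT, balance REAL)"
        )
        self.conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", SAMPLE_CLIENTS)
        self.conn.commit()
        # Schema and data are loaded by the database owner; from here on the
        # connection is restricted to what the web tier is allowed to say.
        self.conn.set_authorizer(web_tier_authorizer)

    def lookup(self, operation, client_id):
        """The narrow interface offered to the web tier: one named operation,
        one key, at most one value back. Unknown operations are refused."""
        sql = ALLOWED_OPERATIONS.get(operation)
        if sql is None:
            raise PermissionError(f"operation not offered to web tier: {operation!r}")
        row = self.conn.execute(sql, (int(client_id),)).fetchone()
        return row[0] if row else None

    def attempt_raw_sql(self, sql):
        """Free-form SQL, which the policy says the web tier must never be able
        to run; kept only so the authorizer's refusal is visible."""
        try:
            return self.conn.execute(sql).fetchall()
        except sqlite3.DatabaseError as exc:
            return f"refused: {exc}"
```

A dump of the whole table, or a read of the card-number column, fails at statement compile time rather than returning rows, which is the property the paragraph asks for.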


       User accessibility is another aspect that must be addressed when developing a network security policy. Changes in technology have obliged organizations to confront a major shift from proprietary networks and systems architectures to open systems. Before the open computing era, information was stored and managed on mainframes and centralized clusters, and host-based controls provided assurance that the information was protected. However, the shift to internal and Internet-based TCP/IP networks, as well as to distributed computing based on desktop PCs or remotely connected laptops, diminished the effectiveness of conventional controls. Bob Forbes, executive vice president and founder of Authentor Systems in Colorado, noted that outer shells are getting more attention while the demand for access is on the rise. Forbes also mentioned that organizations cannot add more security and more access at the same moment. Trends are moving towards behavior-based models. Firewalls, on the other hand, have static rules that don't focus on the type of information that users demand. (Luzadder, 2001; Palmer, 2001)

       The security system is an important issue: developing a proper security policy that takes into consideration all of the objectives and needs of an organization tends to consume a lot of time and is difficult to conduct. The security systems covered by a network policy have different aspects, and security needs to be addressed in various sectors, from the various Internet threats, to passwords and the levels of access a user can have, to the privacy and security of the information on the network. The policy does not need to be complex in its writing; it needs to be easy to understand and get directly to the main point. The more complex the writing or the more technical terms used, the more likely people will misunderstand and misapply the policy. When it comes to who has access to what information, management is responsible for taking the proper security measures to determine which employees of the organization have access to which information. Management needs to grant users access on a need-to-know basis, and match access to the needs of the employee. The creation of passwords is essential for the protection of information and access. Let the user develop a password with a minimum of 8 characters that must be changed after a determined amount of time or when an employee leaves the company. It is not recommended to require passwords of 30 characters; they can be hard for hackers to break but at the same time very hard to remember. The longer the passwords, the more likely employees will start writing them down on notes left in view of others, and someone can then copy the password to access accounts that other employees don't have access to. Each individual company needs to allocate the proper amount of resources to develop a good security system. As mentioned above, there are various security issues that need to be addressed; companies need to work hard to be able to protect themselves from any possible threat. Threats can come in many forms, which is why companies need to be prepared for any situation and have expert employees on hand when there is a security breach, so they can react fast to minimize the danger to the information on the network or in the work environment. The number of expert employees on hand to handle security depends on the size of the company: usually the larger the company, the more resources are allocated to have these people on hand, while small companies that don't have sufficient funds regularly get their help from outside experts when a security issue occurs. Once the network security policy has been developed and implemented in the organization, the persons in charge of security need to constantly analyze and respond to threats to the network; the security systems also need to be tested to check their functionality and proper response procedures, and regular scans of the network should be performed to check how well the systems are doing in general. (Andress, 2001; Avolio, 2000; Ellis, 2003; Gartenberg, 2002)

       Physical access control is an issue with different points concerning the protection of the resources and products that a company may possess. Companies need to have proper control over which employees have access to any physical object that can bring danger to the company if an unauthorized person has access to it. Companies should try to allocate proper resources to provide high-tech physical and computer defenses to all of the network systems. Among the most critical physical objects, which should have the most high-tech physical defenses, are the server and the backup tapes with their respective storage facilities. (Forcht, Ayers, 2000/2001)

       Backups and recovery systems are the next issue to take into consideration. Backups are one of the most important things to consider when dealing with information that is stored on a network. Backups are essential for any business to protect its core information from possible damage due to intentional sabotage by employees, external attacks from hackers, fire, any other man-made disaster, or natural disasters. Companies should allocate the proper resources to purchase a good backup system that best suits the company's network structure, to be ready in case of an emergency. Companies need to remember that preventing emergencies costs less than finding a solution at the last moment when an emergency occurs, which is why companies need to pay attention to data backups. Backups should be performed each day according to the needs of the business, and be stored with the proper physical access defenses. Recovery systems are part of the backup system itself. The purpose of the recovery system is to retrieve information that has been lost or damaged from the backups. For any type of incident an organization may face, there needs to be a plan to take care of the problem to avoid wasting time. Recovery systems are essential for any business to be able to restore information in the case of an emergency; companies hope that this case never presents itself, but recovery systems are necessary to be able to restore systems as fast as possible if an incident occurs. (Forcht, Ayers, 2000/2001; Gartenberg, 2002)

        Penalties are the last issue to take into consideration: companies need to develop clearly documented policies that can be easily monitored and enforced. The policy must include penalty provisions for when policies are not followed. Penalties need to be developed according to the company and the degree of danger that can occur in the workplace. The penalties need to cover from the minimum to the maximum danger that any employee can cause. It is important to have a good set of penalties that all employees can read, so that they are well aware of the risks and possible punishments they face when they don't comply with the policy. As a precaution, the employee in charge of network security should make every employee sign a disclaimer letter stating that the employee has read the network policy and understands each point. This letter should be given out each time the policy is updated. (Andress, 2001)


Company Background

         Beckert, Price & Rowse, P.A. was founded in 1980, and since then has been serving Central Florida for over twenty years. Located in Winter Haven, Florida, the firm is near the junction of Interstate 4 and US 27, which allows quick access from the Orlando and Tampa areas. ("Firm Profile," n.d., para. 1)

         Beckert, Price & Rowse, P.A. provides accounting and tax services for closely held businesses and individuals. BPR has eight experienced CPAs and qualified employees who are committed to providing close, personal attention to their clients. The firm has experience in dealing with a wide gamut of complex issues and challenges as well as customary accounting and tax services. BPR believes in the value of relationships and views every client relationship as a partnership. ("Firm Profile," n.d., para. 2)


Recommendations

       Develop a proper network security policy that defines what needs to be protected and why; who has access to the information and the level of access; how the security system prevents unauthorized access to the data and other resources; how the data is backed up; what can and cannot be done on the network system; general methods of providing a secure environment against both internal and external attacks; and punishment for authorized users who fail to follow the policy. (Colden, 2001; Etheridge, 2001; Gouldson, 2001; Maheshwari, 2001; McClure, 2001; Savage, 2001; Takahashi, 2001; and Wilbanks, 2001)

       Physical access control. Companies need to have proper control over which employees have access to any physical object that can bring danger to the company if an unauthorized person has access to it; companies should also try to allocate proper resources to provide high-tech physical and computer defenses to all of the network systems. (Forcht, Ayers, 2000/2001)

       Security systems. This important issue needs to take into consideration all of the objectives and needs of a company with regard to the security of its information. Management needs to grant users access on a need-to-know basis, and match access to the needs of the employee. The creation of passwords is essential for the protection of information and access. Let the user develop a password with a minimum of 8 characters that must be changed after a determined amount of time or when an employee leaves the company, and give a copy of the password to the IT manager. (Andress, 2001; Avolio, 2000; Ellis, 2003; Gartenberg, 2002)


       Backups and recovery systems. Backups should be performed each day according to the needs of the business, and be stored with the proper physical access defenses to reduce the risk of losing any information that is saved on a backup tape. (Forcht, Ayers, 2000/2001; Gartenberg, 2002)

       User accessibility. Companies need to set proper measures for what employees can do and save on the network, and limit the size of their personal folders. Firewalls have static rules that don't focus on the type of information that users demand, and in some cases the type of information being demanded can be a threat to the network. (Luzadder, 2001; Palmer, 2001)

       Penalties or punishment. Companies need to develop clearly documented policies that can be easily monitored and enforced. All of the company's employees need to be aware of the policy and of the consequences if it is not followed. The policy must include penalty provisions for when policies are not followed, and they must be properly enforced when there is a violation. (Andress, 2001)


                                      References

Andress, M. (2001, November 19). Effective security starts with policies. InfoWorld.
       Retrieved August 23, 2004, from http://search.epnet.com

Avolio, F. (2000, March 20). Best Practices in Network Security. Network Computing.
       Retrieved August 23, 2004, from http://search.epnet.com

Colden, Damian. (2001, March/April). 10 Steps to Internet Security. Journal of Housing
       & Community Development. Retrieved September 15, 2004, from
       http://search.epnet.com

Ellis, C. (2003, Feb.). '7 Steps' for network security. Communications News. Retrieved
       August 25, 2004, from http://search.epnet.com

Etheridge, Allan B. (2001, March). Can Information Assurance Efforts Be United.
       Security Management. Retrieved September 15, 2004, from http://search.epnet.com

Firm Profile. (n.d.). Retrieved September 20, 2004, from http://www.bprcpa.com

Forcht, K. A., Ayers, W. C. (2000/2001, Winter). Developing a Computer Security
       Policy for Organizational Use and Implementation. Journal of Computer
       Information Systems. Retrieved August 25, 2004, from http://search.epnet.com

Gartenberg, M. (2002, June 24). Being Tough, Gentle With Data Security.
       Computerworld. Retrieved August 29, 2004, from http://search.epnet.com

Gouldson, Tim. (2001, May 4). The Reassuring Wisdom of Preparedness. Computing
       Canada. Retrieved September 15, 2004, from http://search.epnet.com

Luzadder, D., Bryce, R., Gohring, N., Ploskina, B., Scanlon, B., Smetannikov, M., and
       Spangler, T. (2001, October 22). Feeling insecure. Interactive Week. Retrieved
       August 28, 2004, from http://search.hepnet.com

Maheshwari, Anil. (1999, Spring). Database Security for the Web. Information Systems
       Management. Retrieved September 15, 2004, from http://search.epnet.com

McClure, Dave. (2001, August). Guarding Your Gateway. Association Management.
       Retrieved September 15, 2004, from http://search.epnet.com

Palmer, M. E. (2001, May/June). Information security policy framework: Best practices
       for security in the E-commerce age. Information Systems Security. Retrieved
       August 28, 2004, from http://search.hepnet.com

Savage, Marcia. (2001, April 30). Guarding Databases. Computer Reseller News.
       Retrieved September 15, 2004, from http://search.epnet.com

Takahashi, Richard. (2001, July 23). Security Belongs in Net Infrastructure, Not Outside.
       Electronic Engineering Times. Retrieved September 15, 2004, from
       http://search.epnet.com

The American Heritage® Dictionary of the English Language.

Wilbanks, Joan. (2001, May/June). Outsourcing Internet Security. Information Systems
       Security. Retrieved September 15, 2004, from http://search.epnet.com

Wood, C. C. (2000, February 11). Get data safety policies on paper. American Banker.
       Retrieved August 28, 2004, from http://search.hepnet.com

Yasin, R. (2001, January 08). Policy Management Hits the Web. InternetWeek. Retrieved
       August 25, 2004, from http://search.hepnet.com

				