The thrust of the Computer Security Plan

The thrust of the Computer Security Plan part of the Business Plan is to batten down that the study systems to be deployed by the follow will be in line with of the strategic mission and vision of the connection. In order to insure that the teaching technology infrastructure and resources will meet the requisite requirements of every strategic, tactical and operational plan, the company decided to start on the right footing by adapting the standards contained in the ISO/IEC 177992005 or specifically known as the Information Technology Security Techniques Code of Practice for Information Security Management. By purchasing the ISO 17799 Toolkit, the company give the gate follow the roadmap for a more secure information systems environment, implement the policies contained in the toolkit, and eventually obtain ISO 17799 certification to add more value to the consulting business.Specifically, the company will initially address the following areas that require immediate attention1 .User authentication methods and policies This will be based on Section 11.1.1 of ISO 17799 wherein, An access arrest insurance policy should be established, documented, and reviewed based on business and security requirements for access. Access control rules and rights for each social functionr or group of users should be clearly tell in an access control policy. Access controls are both logical and physical and these should be considered together. Users and service providers should be given a clear literary argument of the business requirements to be met by access controls.2.Desktop policies This will be based on Sections 11.3.2 Unattended user equipment and 11.3.3 Clear desk and clear screen policy wherein, Users should check up on that unattended equipment has appropriate protection. All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users shou ld be counsel to terminate active academic sessions when finished, unless they burn be secured by an appropriate locking mechanism, e.g. a password protected screen saver log-off mainframe figurers, servers, and office PCs when the session is finished secure PCs or terminals from unauthorized use by a key lock or an equivalent control. A clear desk policy for cover and removable storage media and a clear screen policy for information processing facilities should be adopted.3.Remote user authentication methods and policies This will be based on Section 11.4.2 User authentication for external users of ISO 17799 wherein, Appropriate authentication methods should be used to control access by remote users. Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol. Possible implementations of such techniques can be found in various virtual private network (VPN) solutions. Dedicated private lin es can also be used to provide assurance of the source of connections. Dial-back procedures and controls, e.g. using dial-back modems, can provide protection against unauthorized and unwanted connections to an organizations information processing facilities. This type of control authenticates users trying to establish a connection to an organizations network from remote locations.4.Password policy This will be based on Section 11.3.1 Password use of ISO 17799 wherein, Users should be required to follow good security practices in the selection and use of passwords. All users should be advised to keep passwords confidential cancel keeping a paper or software record of passwords, unless this can be stored unwaveringly and the method of storing has been approved change passwords whenever there is any indication of possible system or password compromise select quality passwords with sufficient stripped-down length which are easy to remember not based on anything somebody else could ea sily guess or obtain using person associate information not vulnerable to dictionary attacks free of consecutive identical, all-numeric or all-alphabetic characters change passwords at regular intervals or based on the number of accesses, and avoid re-using or cycling old passwords change temporary passwords at the first log-on not include passwords in any automated log-on process, not use the aforesaid(prenominal) password for business and non-business purposes.5.Communication process for email, secure file exchange via email This will be based on Section 10.1.1 Documented operating procedures of ISO 17799 wherein, in operation(p) procedures should be documented, maintained, and made available to all users who need them. Documented procedures should be prepared for system activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handli ng management, and safety. Operating procedures, and the documented procedures for system activities, should be treated as formal documents and changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools, and utilities.To further manage the information technology infrastructure and resources, the plan calls for the adoption of the best-of-breed approach by way of making authentic that the building blocks of information security (Shaurette 2002) are fully exploited. These building blocks include the optimum use of security policies, authentication, access control, anti-virus/content filtering systems, virtual private networking (VPN)/ encoding methodologies, vulnerability services consulting, intrusion protection system, and public key infrastructure (PKI)/certification authorities (CA)/digital signatures systems. This is considered to be the first step towards finding a technique for modeling and evaluating the security of a system (Stjerneby 2002).