Tuesday, March 5, 2019
The thrust of the Computer Security Plan
The thrust of the Computer Security Plan part of the Business Plan is to ensure that the information systems to be deployed by the company will be in line with the strategic mission and vision of the company. In order to ensure that the information technology infrastructure and resources will meet the requirements of every strategic, tactical and operational plan, the company decided to start on the right footing by adopting the standards contained in ISO/IEC 17799:2005, better known as the Information Technology Security Techniques Code of Practice for Information Security Management. By purchasing the ISO 17799 Toolkit, the company can follow the roadmap to a more secure information systems environment, implement the policies contained in the toolkit, and eventually obtain ISO 17799 certification to add more value to the consulting business.

Specifically, the company will initially address the following areas that require immediate attention:

1. User authentication methods and policies. This will be based on Section 11.1.1 of ISO 17799, wherein: An access control policy should be established, documented, and reviewed based on business and security requirements for access. Access control rules and rights for each user or group of users should be clearly stated in an access control policy. Access controls are both logical and physical and these should be considered together. Users and service providers should be given a clear statement of the business requirements to be met by access controls.

2. Desktop policies. This will be based on Sections 11.3.2 Unattended user equipment and 11.3.3 Clear desk and clear screen policy, wherein: Users should ensure that unattended equipment has appropriate protection. All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver; to log off mainframe computers, servers, and office PCs when the session is finished; and to secure PCs or terminals from unauthorized use by a key lock or an equivalent control. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

3. Remote user authentication methods and policies. This will be based on Section 11.4.2 User authentication for external users of ISO 17799, wherein: Appropriate authentication methods should be used to control access by remote users. Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol. Possible implementations of such techniques can be found in various virtual private network (VPN) solutions. Dedicated private lines can also be used to provide assurance of the source of connections. Dial-back procedures and controls, e.g. using dial-back modems, can provide protection against unauthorized and unwanted connections to an organization's information processing facilities. This type of control authenticates users trying to establish a connection to an organization's network from remote locations.

4. Password policy. This will be based on Section 11.3.1 Password use of ISO 17799, wherein: Users should be required to follow good security practices in the selection and use of passwords. All users should be advised to: keep passwords confidential; avoid keeping a paper or software record of passwords, unless this can be stored securely and the method of storing has been authorized; change passwords whenever there is any indication of possible system or password compromise; select quality passwords with sufficient minimum length which are easy to remember, not based on anything somebody else could easily guess or obtain using person related information, not vulnerable to dictionary attacks, and free of consecutive identical, all-numeric or all-alphabetic characters; change passwords at regular intervals or based on the number of accesses, and avoid re-using or cycling old passwords; change temporary passwords at the first log-on; not include passwords in any automated log-on process; and not use the same password for business and non-business purposes.

5. Communication process for e-mail and secure file exchange via e-mail. This will be based on Section 10.1.1 Documented operating procedures of ISO 17799, wherein: Operating procedures should be documented, maintained, and made available to all users who need them. Documented procedures should be prepared for system activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management, and safety. Operating procedures, and the documented procedures for system activities, should be treated as formal documents and changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools, and utilities.

To further manage the information technology infrastructure and resources, the plan calls for the adoption of the best-of-breed approach by making certain that the building blocks of information security (Shaurette 2002) are fully exploited. These building blocks include the optimal use of security policies, authentication, access control, anti-virus/content filtering systems, virtual private networking (VPN)/encryption methodologies, vulnerability services consulting, intrusion protection systems, and public key infrastructure (PKI)/certification authority (CA)/digital signature systems. This is considered to be the first step towards finding a technique for modeling and evaluating the security of a system (Stjerneby 2002).
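As an added illustration of the password selection rules quoted under item 4 of the plan (example code written for this page, not part of the original post, the ISO 17799 Toolkit or the standard itself), the following Python function checks a candidate password against those rules and returns the ones it violates. The minimum length of 12, the reuse history depth of 5 and the tiny word list are assumed values, since the standard asks only for a "sufficient" length and gives no figures.

```python
import hashlib
import hmac
import os
import re

# Assumed policy parameters: ISO 17799 11.3.1 asks for "sufficient minimum
# length" but names no number, so 12 and a history depth of 5 are example values.
MIN_LENGTH = 12
HISTORY_DEPTH = 5

# Constructed mini word list standing in for a real dictionary-attack list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "company", "consulting"}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest kept in the reuse history instead of plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, personal_info, history):
    """Return the 11.3.1 rules the candidate violates; an empty list means it passes.

    personal_info: strings such as the username, real name or birth year.
    history: list of (salt, digest) tuples produced by hash_password().
    """
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append("shorter than minimum length")
    if password.isdigit():
        violations.append("all-numeric")
    if password.isalpha():
        violations.append("all-alphabetic")
    if re.search(r"(.)\1", password):
        violations.append("consecutive identical characters")
    # Person related information (username, names, birth year) must not appear.
    if any(item.lower() in lowered for item in personal_info if len(item) >= 3):
        violations.append("based on personal information")
    # Dictionary attack: the password, or the password with digits and symbols
    # stripped, must not be a plain word from the list.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or stripped in DICTIONARY:
        violations.append("vulnerable to dictionary attack")
    # Re-use or cycling: rehash with each stored salt and compare in constant time.
    for salt, old_digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], old_digest):
            violations.append("re-uses an old password")
            break
    return violations
```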