Developing a Computer and Internet Security Policy
You have been hired as the CSO (Chief Security Officer) for an organization. Your job is to develop a very brief computer and Internet security policy for the organization that covers the following areas:
- Computer and email acceptable use policy
- Internet acceptable use policy
Make sure you are sufficiently specific in addressing each area. There are plenty of security policies and guideline templates available online for you to use as a reference or for guidance. Your plan should reflect the business model and corporate culture of a specific organization that you select.
Explanation & Answer length: 5 pages.
Managing and Using Information Systems: A Strategic Approach – Sixth Edition. Keri Pearlson, Carol Saunders, and Dennis Galletta. © Copyright 2016 John Wiley & Sons, Inc.

Chapter 7: Security

Opening Case
• What are some important lessons from the opening case?
• How long did the theft take? How did the theft likely occur?
• How long did it take the Office of Personnel Management (OPM) to detect the theft?
• How damaging are the early reports of the data theft for the OPM?

How Long Does It Take?
• How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?
  A. Several seconds
  B. Several minutes
  C. Several hours
  D. Several days
  E. Several months
• A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months! The record is 2,982, which is 11 years!

Timeline of a Breach – Fantasy
• Hollywood has a fairly consistent script:
  • 0: Crooks get password and locate the file
  • Minute 1: Crooks start downloading data and destroying the original
  • Minute 2: Officials sense the breach
  • Minute 3: Officials try to block the breach
  • Minute 4: Crooks’ download completes
  • Minute 5: Officials lose all data
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

Timeline of a Breach – Reality (figure)
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

IT Security Decision Framework

| Decision | Who is Responsible | Why? | Otherwise? |
|---|---|---|---|
| Information Security Strategy | Business Leaders | They know business strategies | Security is an afterthought and patched on |
| Information Security Infrastructure | IT Leaders | Technical knowledge is needed | Incorrect infrastructure decisions |
| Information Security Policy | Shared: IT and Business Leaders | Trade-offs need to be handled correctly | Unenforceable policies that don’t fit the IT and the users |
| SETA (training) | Shared: IT and Business Leaders | Business buy-in and technical correctness | Insufficient training; errors |
| Information Security Investments | Shared: IT and Business Leaders | Evaluation of business goals and technical requirements | Over- or underinvestment in security |

How Have Big Breaches Occurred?

| Date Detected | Company | What was stolen | How |
|---|---|---|---|
| November 2013 | Target | 40 million credit & debit cards | Contractor opened virus-laden email attachment |
| May 2014 | eBay #1 | 145 million user names, physical addresses, phones, birthdays, encrypted passwords | Employee’s password obtained |
| September 2014 | eBay #2 | Small but unknown | Cross-site scripting |
| September 2014 | Home Depot | 56 million credit card numbers; 53 million email addresses | Obtaining a vendor’s password / exploiting an OS vulnerability |
| January 2015 | Anthem Blue Cross | 80 million names, birthdays, emails, Social Security numbers, addresses, and employment data | Obtaining passwords from 5 or more high-level employees |

Password Breaches
• 80% of breaches are caused by stealing a password.
• You can steal a password by:
  • Phishing attack
  • Key logger (hardware or software)
  • Guessing weak passwords (123456 is most common)
  • Evil twin WiFi

Insecurity of WiFi – a Dutch study
• “We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”
• Had a WiFi transmitter broadcasting “Starbucks” as ID
• Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops
• He also saw passwords and could lock them out of their own accounts.
• The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”

Other Approaches
• Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)
• Third parties
  • Target’s HVAC system was connected to main systems
  • Contractors had access
  • Hackers gained contractors’ password
  • Malware captured customer credit card info before it could be encrypted

Cost of Breaches
• Estimated at $145 to $154 per stolen record
• Revenue lost when sales decline
• Some costs can be recouped by insurance

Can You Be Safe?
• No, unless the information is permanently inaccessible
• “You cannot make a computer secure” – Dain Gary, former CERT chief
• 97% of all firms have been breached
• Sometimes security makes systems less usable

What Motivates the Hackers?
• Sell stolen credit card numbers for up to $50 each
• 2 million Target card numbers were sold for $20 each on average
• Street gang members can usually get $400 out of a card
• Some “kits” (card number plus SSN plus medical information) sell for up to $1,000
  • They allow opening new account cards
• Stolen cards can be sold for bitcoin on the Deep Web

What Should Management Do?
• Security strategy
• Infrastructure
• Access tools *
• Storage and transmission tools *
• Security policies *
• Training *
• Investments *
* Described next

Access Tools

| Access Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Physical locks | Very high | Excellent if guarded | Locks can be picked; Physical access is often not needed; Keys can be lost |
| Passwords | Very high | User acceptance and familiarity; Ease of use; Mature practices | Poor by themselves; Sometimes forgotten; Sometimes stolen from users using deception or key loggers |
| Biometrics | Medium | Can be reliable; Never forgotten; Cannot be stolen; Can be inexpensive | False positives/negatives; Some are expensive; Some might change (e.g., voice); Lost limbs; Loopholes (e.g., photo) |
| Challenge questions | Medium (high in banking) | Not forgotten; Multitude of questions can be used | Social networking might reveal some answers; Personal knowledge of an individual might reveal the answers; Spelling might not be consistent |
| Token | Low | Stolen passkey is useless quickly | Requires carrying a device |
| Text message | Medium | Stolen passkey is useless; Mobile phone already owned by users; Useful as a secondary mechanism too | Requires mobile phone ownership by all users; Home phone option requires speech synthesis; Requires alternative access control if mobile phone lost |
| Multi-factor authentication | Medium | Stolen password is useless if one of the two fails; Enhanced security | Requires an additional technique; Temptation for easy password |

Storage and Transmission Tools

| Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Antivirus/antispyware | Very high | Blocks many known threats; Blocks some “zero-day” threats | Slows down operating system; “Zero-day” threats can be missed |
| Firewall | High | Can prevent some targeted traffic | Can only filter known threats; Can have well-known “holes” |
| System logs | Very high | Can reveal IP address of attacker; Can estimate the extent of the breach | Hackers can conceal their IP address; Hackers can delete logs; Logs can be huge; Irregular inspections |
| System alerts | High | Can help point to logs; Can detect an attack in process | High sensitivity; Low selectivity |
| Encryption | Very high | Difficult to access a file without the key; Long keys could take years to break | Keys are unnecessary if password is known; If the key is not strong, hackers could uncover it by trial and error |
| WEP/WPA | Very high | Same as encryption; Most devices have the capability; Provides secure WiFi connection | Same as encryption; Some older devices have limited protections; WEP is not secure, yet it is still provided |
| VPN | Medium | Trusted connection is as if you were connected on site; Hard to decrypt | Device could be stolen while connected; Sometimes slows the connection |

Security Policies
• Perform security updates promptly
• Separate unrelated networks
• Keep passwords secret
• Manage mobile devices (BYOD)
• Formulate data policies (retention and disposal)
• Manage social media (rules as to what can be shared, how to identify yourself)
• Use consultants (Managed Security Services Providers)

SETA (Security Education, Training, and Awareness)
• Training on access tools
  • Limitations of passwords
  • Formulating a password
  • Changing passwords periodically
  • Using multi-factor authentication
  • Using password managers
• BYOD
  • Rules
  • How to follow them
• Social media
  • Rules
  • How to follow them
  • Cases from the past that created problems
• Vigilance: recognizing
  • Bogus warning messages
  • Phishing emails
  • Physical intrusions
  • Ports and access channels to examine

Classic Signs of Phishing
• Account is being closed
• Email in-box is full
• Winning a contest or lottery
• Inheritance or commission to handle funds
• Product delivery failed
• Odd URL when hovering
• Familiar name but strange email address
• Poor grammar/spelling
• Impossibly low prices
• Attachment with EXE, ZIP, or BAT (etc.)

Chapter 10: Information Systems Sourcing

Kellwood Opening Case
• Why did Kellwood outsource?
• Why did Kellwood decide to backsource after 13 years?
• What was the result?

Sourcing Decision Framework (figure)

Sourcing Options

| | Insourcing | Outsourcing |
|---|---|---|
| Domestic | Domestic in-house production: company produces its products domestically without any outside contracts | Domestic outsourcing: company uses services supplied by another domestic-based company |
| Offshore | Offshore in-house sourcing: company uses services supplied by its own foreign-based affiliate (subsidiary) | Offshore outsourcing: company uses services supplied by an unaffiliated foreign-based company |

Figure 10.3. Different Forms of Sourcing. (Source: http://www.dbresearch.com/servlet/reweb2.ReWEB?rwsite=DBR_INTERNET_EN-PROD)

Insourcing
• A firm provides IS services or develops IS in its own in-house IS organization

IT Outsourcing
• With IT, there is equipment and personnel involved
• Equipment and facilities are sold to outside vendors
• Personnel might be hired by outside vendors
• Services are hired from the vendors
• Common length of agreement: 10 years

Insourcing Drivers and Challenges

| Insourcing Drivers | Insourcing Challenges |
|---|---|
| Core competencies related to systems | Inadequate support from top management to acquire needed resources |
| Confidentiality or sensitive system components or services | Temptation from finding a reliable, competent outsourcing provider |
| Time available in-house to develop software | |
| Expertise for software development in-house | |

Economics of Outsourcing
• Benefits:
  • Sell equipment, buildings (large cash inflow)
  • Downsized payroll – outsourcer hires employees
• Costs:
  • Services provided for a fee
  • Fixed costs usually over 10-year term

Drivers and Disadvantages of Outsourcing
• Drivers:
  • Offer cost savings
  • Offer service quality
  • Ease transition to new technologies
  • Offer better strategic focus
  • Provide better management of IS staff
  • Handle peaks
  • Consolidate data centers
  • Infusion of cash
• Disadvantages:
  • Abdication of control
  • High switching costs
  • Lack of technological innovation
  • Loss of strategic advantage
  • Reliance on outsourcer
  • Problems with security/confidentiality
  • Evaporation of cost savings

Decisions about How to Outsource Successfully
• Decisions about whether or not to outsource need care and deliberation.
• Requires numerous other decisions about mitigating outsourcing risks.
• Three major decision areas: selection, contracting, and scope.
  1. Selection: find compatible providers
  2. Contracting:
     1. Try for flexible management terms
     2. Try for shorter (3-5 year) contracts
     3. Try for SLAs (service level agreements on performance)
  3. Scope: determine if full or partial outsourcing

Offshoring
• Short for outsourcing offshore
• Definition: when the MIS organization uses contractor services in a distant land. (Insourcing offshore would be your own department offshore.)
• Substantial potential cost savings through reduced labor costs.
• Some countries offer a very well educated labor force.
• Implementation of quality standards:
  • Six Sigma
  • ISO 9001

Selecting an Offshoring Destination
• About 100 countries are now exporting software services and products.
• What makes countries attractive for offshoring?
  • High English language proficiency
  • Countries that are peaceful/politically stable
  • Countries with lower crime rates
  • Countries with friendly relationships
  • Security and/or trade restrictions
  • Protects intellectual property
  • Level of technical infrastructure available
  • Good, efficient labor force
• Once a country is selected, the particular city in that country needs to be assessed as well.
• Countries like India make an entire industry of offshoring.
• Software Engineering Institute’s Capability Maturity Model (CMM):
  • Level 1: the software development processes are immature, bordering on chaotic.
  • Level 5: processes are quite mature, sophisticated, systematic, reliable.
• Indian firms are well known for their CMM Level 5 software development processes, making them desirable.

Offshore Destination Development Tiers
Carmel and Tjia suggest that there are three tiers of software exporting nations:
• Tier 1: Mature. United Kingdom, United States, Japan, Germany, France, Canada, the Netherlands, Sweden, Finland, India, Ireland, Israel, China, and Russia.
• Tier 2: Emerging. Brazil, Costa Rica, South Korea, and many Eastern European countries.
• Tier 3: Infant. Cuba, Vietnam, Jordan, and 15 to 25 others.
Tiers are based on industrial maturity, the extent of clustering of some critical mass of software enterprises, and export revenues. The higher tiered countries have higher levels of skills and higher costs.

Farshoring
• Definition: sourcing service work to a foreign, lower-wage country that is relatively far away in distance or time zone.
• Client company hopes to benefit in one or more ways:
  • Big cost savings due to exchange rates, labor costs, government subsidies, etc.
• For the US and UK, India and China are popular
• Oddly, India and China also offshore to other locations

Nearshoring
• Definition: sourcing service work to a foreign, lower-wage country that is relatively close in distance or time zone.
• Client company hopes to benefit from one or more ways of being close:
  • geographically, temporally, culturally, linguistically, economically, politically, or from historical linkages.
• Distance and language matter.
• There are three major global nearshore clusters:
  • 20 nations around the U.S. and Canada
  • 27 countries around Western Europe
  • a smaller cluster of three countries in East Asia

Captive Centers
• An overseas subsidiary that is set up to serve the parent company.
• Alternative to offshoring or nearshoring.
• Four major strategies that are being employed:
  • Hybrid Captive – performs core business processes for the parent company but outsources noncore work to an offshore provider
  • Shared Captive – performs work for both the parent company and external customers.
  • Divested Captive – has a large enough scale and scope that it could be sold for a profit by the parent company.
  • Terminated Captive – has been shut down, usually because its inferior service was hurting the parent company’s reputation.

Backsourcing
• When a company takes back in-house previously outsourced IS assets, activities, and skills.
• Partial or complete reversal
• Many companies have backsourced, such as Continental Airlines, Cable and Wireless, and Halifax Bank of Scotland.
• 70% of outsourcing clients have had negative experiences and 25% have backsourced.
• 4% of 70 North American companies would not consider backsourcing.

Backsourcing Reasons
• Mirror reasons for outsourcing (to reduce costs, increase quality of service, etc.)
• Costs were higher than expected
• Poor service
• Change in management
• Change in the way IS is perceived within the company
• New situations (mergers, acquisitions, etc.)

Crowdsourcing
• Definition:
  • Taking a task traditionally performed by an employee or contractor, and
  • Outsourcing it to an undefined, generally large group of people,
  • In the form of an open call.
• Used by companies to increase productivity, lower production costs, and fill skill gaps.
• Can be used for a variety of tasks.
• Companies do not have control over the people doing the work.

Partnering Arrangements
• Strategic networks: arrangements made with other organizations to offer synergistic or complementary services
  • Example: the Mitsui Keiretsu contains over 30 firms spanning many industries. The members use each other’s services and don’t compete: Toshiba, Fujifilm, and Sony are members.
• Business ecosystems (see chapter 9): informal, emerging relationships

Deciding Where: Onshore, Offshore, or in the Cloud?
• New option: cloud computing
• See chapter 6 for basic definitions, advantages, and disadvantages.
• Works when outsourcing or insourcing

Cloud Computing Options
• On-premise
• Private clouds
  • Data managed by the company or offsite by a third party.
• Community clouds
  • Cloud infrastructure is shared by several organizations
  • Supports the shared concerns of a specific community.
• Public clouds
  • Data is stored outside of the corporate data centers, in the cloud provider’s environment
• Hybrid clouds
  • Combination of two or more other clouds.
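As an added example (not part of the textbook slides or the assignment), the “Classic Signs of Phishing” slide in Chapter 7 can be turned into a first-pass mail triage check: a display name that does not fit the sender domain, an attachment with a risky extension, link text that names one site while the link points to another, and the classic lure phrases. The sample message, the generic-word filter and the two-findings verdict threshold are constructed assumptions, not figures from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXT = {".exe", ".zip", ".bat"}  # slide: "Attachment with EXE, ZIP, or BAT (etc.)"
LURES = ["account is being closed", "in-box is full", "inbox is full", "won a contest",
         "lottery", "inheritance", "commission to handle", "delivery failed"]
GENERIC = {"support", "team", "service", "security", "alerts", "customer"}  # assumed filler words
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):  # crude: last two labels, no public-suffix list
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(raw_message):  # returns (findings, verdict) for one RFC 5322 message string
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Sign: familiar name but strange address: no distinctive display-name word appears in the domain
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4 and w not in GENERIC]
    if words and domain and not any(w in domain.replace("-", "").replace(".", "") for w in words):
        findings.append(f"display name '{name}' does not match sender domain {domain}")
    text = msg.get("Subject", "")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # Sign: attachment with a risky extension
            if "." in filename and "." + filename.rsplit(".", 1)[1].lower() in RISKY_EXT:
                findings.append(f"risky attachment {filename}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")
    # Sign: odd URL when hovering: compared only when the link text itself looks like a URL
    for href, shown_text in LINK.findall(text):
        shown, actual = (urlparse(u).hostname or "" for u in (shown_text.strip(), href))
        if shown and registrable(shown) != registrable(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    lowered = text.lower()  # Sign: the classic lure themes, in subject or body
    findings += [f"lure phrase: '{p}'" for p in LURES if p in lowered]
    verdict = "likely phishing" if len(findings) >= 2 else "review" if findings else "no classic signs"
    return findings, verdict

# Constructed sample message (not real mail); .test and .example are reserved names.
PHISH_SAMPLE = """\
From: "Acme Bank Support" <alerts@secure-login-portal.test>
Subject: Your account is being closed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account is being closed within 24 hours. Restore access here:
<a href="http://acmebank.example.login-verify.test/login">https://www.acmebank.example/login</a></p>
--b1
Content-Disposition: attachment; filename="invoice.zip"

ZIPBYTES
--b1--
"""
```

Running `triage(PHISH_SAMPLE)` reports all four signs and the verdict “likely phishing”; a plain statement notice whose display name matches its sender domain and carries no attachment returns `([], "no classic signs")`.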