Organisations exist to make a profit and to become recognised companies with the best possible employees and clientele. To achieve this, a company must plan properly and devise strategies that give it employees who are aware of data confidentiality and who help it grow in revenue and recognition. Companies working in critical software development domains are required to follow information security guidelines. For this purpose the organization should have a quality management system department that looks into software quality as well as the security of data and information systems, and a dedicated ITIG team that specifically looks into information technology security policies. Any organization must keep improving its security policies so that it does not stagnate; better security performance improves employee contribution to the organization and increases the economic benefits for the company.
Security Policies in Organizations
A security policy is necessary because networks are exposed to unauthorized access, and to attempts at unauthorized access, to their network and computer systems. The policy is meant to minimize the number of security incidents without impacting the overall mission, confidentiality and integrity of the company's information and information processing facilities. It also ensures the availability of information and information processing facilities to all parties concerned by continuously assessing the risks involved and putting in place an appropriate business continuity plan and disaster recovery plan.
Objectives of security policies
- Minimize physical security breaches
- Reduce incidents of malicious software
- Ensure minimum disruption by having a business continuity plan in place
- Enhance customers' trust and confidence in the company
Network and System Administration security features
In an organization, systems and system components are identified by assigning a unique identification number to each computer system and by allocating resources. Every new resource (employee) who joins the organization should be assigned a designated system by the system administrator, and an email ID should be created for them; all of this is noted in the resource allocation form. Computer groups and networks should be password protected, and password protection of the servers is the responsibility of the network administrator.

When an employee leaves the organization, it is the network administrator's responsibility to take back all hardware, software rights and passwords from the employee and to ensure that all access to the company network and mail is revoked.

For logging and tracking network issues there should be a ticketing system in which network-related issues are logged and their status is tracked. Preventive maintenance should be carried out every month, during which the computer systems are analysed for any virus infection. All company communication websites should be checked daily to ensure that they are up and running. The folders on everyone's system should be backed up twice a week, and the backup media should be put on a drive every fortnight.

Employees connect to the network through a VPN. Network security is achieved either by isolating the LAN or by implementing firewalls. For the security of internal networks, software firewalls should be installed at the gateway level; the firewalls screen traffic for unsafe content against a database that should be updated regularly. The servers should be physically restricted and application specific, should have a continuous power supply, and every log event on a server should be monitored. Antivirus software should be installed on all systems.

Communication cables should be concealed and protected so that they are not exposed or tampered with. There should be an annual maintenance contract for all equipment so that it is available when needed and performs at its best. Client networks have static IP information configured. All desktop and laptop access activity should be logged in the audit table, and systems should be monitored using the event logs they generate so that any unauthorized activity is detected immediately. All logs that are maintained should be reviewed by the network administrator.
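One way the network administrator's log review could be carried out against the resource allocation form and the leaver list described above. This is an added example, not part of the original text; the CSV layouts, the user and system names and the audit entries are all constructed sample data.

```python
"""Added example (not from the original text): reviewing a desktop-access audit
log against the resource allocation form and the list of employees who have left.
All records below are constructed; the CSV column layout is an assumption."""
import csv
from io import StringIO

# Constructed resource allocation form: employee -> designated system.
ALLOCATION_FORM = """employee,system
alice,WS-0101
bob,WS-0102
carol,WS-0103
"""

# Constructed list of employees who have left; their access should be revoked.
LEAVERS = {"carol"}

# Constructed audit table of desktop/laptop access events.
AUDIT_LOG = """timestamp,employee,system,action
2024-03-01T08:55:00,alice,WS-0101,login
2024-03-01T09:02:00,bob,WS-0101,login
2024-03-01T09:30:00,carol,WS-0103,login
2024-03-01T10:15:00,dave,WS-0104,login
2024-03-01T17:00:00,alice,WS-0101,logout
"""

def load_allocations(form_csv: str) -> dict:
    """Parse the allocation form into {employee: designated system}."""
    return {row["employee"]: row["system"] for row in csv.DictReader(StringIO(form_csv))}

def review_audit_log(log_csv: str, allocations: dict, leavers: set) -> list:
    """Return (timestamp, employee, system, reason) for every event the
    network administrator should treat as unauthorized activity."""
    findings = []
    for row in csv.DictReader(StringIO(log_csv)):
        who, system = row["employee"], row["system"]
        if who in leavers:
            # Access after departure: rights were not revoked as the policy requires.
            reason = "access by departed employee"
        elif who not in allocations:
            # No entry in the allocation form: no designated system was assigned.
            reason = "employee not on resource allocation form"
        elif allocations[who] != system:
            # Use of a system other than the one the administrator designated.
            reason = f"system not designated for employee (assigned {allocations[who]})"
        else:
            continue  # access to the employee's own designated system
        findings.append((row["timestamp"], who, system, reason))
    return findings

if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG, load_allocations(ALLOCATION_FORM), LEAVERS):
        print(*finding, sep=" | ")
```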
Ensuring the Security of Facilities
Physical access to the organization should be secured against non-authorized entry. All entry points of the building should have 24/7 security guards; employees should have access only to the desktop and work areas and not to the server room; and access to the computing, power generator and communication facilities is restricted to the network administrator and server vendors only. Every employee should have an access card, and the entry and exit doors should unlock only with it. Every visitor should receive an access card, and their entry and exit, along with any computer hardware they carry, are noted in the visitor's register. Employees should be given access to any company-related or communication software only with management permission, and the level of access should be defined by the project manager; once the project is completed, access to the software should be revoked. All employees should be made to sign a confidentiality agreement that covers software and data security.
Ensuring strict Password Policy and Guidelines
In any organization, the password policy should set rules that users are bound by for the sake of data and information security. Some such rules are that user system and application passwords should expire every three months and should be complex, that employees should be trained on password security standards, and that the organization should have guidelines on password creation available. Password security standards should be created and published, and employees should be trained on them.
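The two concrete rules stated above (expiry every three months, complexity) can be turned into a check an administrator runs over account records. This is an added example, not part of the original text; treating three months as 90 days, the minimum length and the character-class rule are assumptions, and the accounts are constructed sample data.

```python
"""Added example (not from the original text): checking accounts against the
password rules stated above. Treating "three months" as 90 days and the
complexity rule below are assumptions; the account records are constructed."""
from datetime import date, timedelta
import string

MAX_PASSWORD_AGE = timedelta(days=90)  # "expire every three months", assumed as 90 days
MIN_LENGTH = 12                        # assumed minimum length for a "complex" password

# Constructed sample: username -> date the password was last changed.
SAMPLE_ACCOUNTS = {
    "alice": date(2024, 1, 15),
    "bob": date(2024, 4, 1),
    "carol": date(2024, 3, 3),
}
TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible

def is_complex(password: str) -> bool:
    """Assumed complexity rule: at least MIN_LENGTH characters drawn from at
    least three of the four classes upper, lower, digit and punctuation."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3

def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than MAX_PASSWORD_AGE (day 90 is still valid)."""
    return today - last_changed > MAX_PASSWORD_AGE

def accounts_due_for_change(accounts: dict, today: date) -> list:
    """Usernames whose passwords have expired, for the administrator to follow up."""
    return sorted(user for user, changed in accounts.items()
                  if password_expired(changed, today))

if __name__ == "__main__":
    print("expired:", accounts_due_for_change(SAMPLE_ACCOUNTS, TODAY))
    for candidate in ("Summer2024", "correct-horse-battery", "Tr0ub4dor&3xtra!"):
        print(candidate, "complex" if is_complex(candidate) else "rejected")
```

`is_complex` is meant to run when a new password is set, so no stored password ever needs to be read back for the check.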
What does Risk Management in Data Security imply?
Risk management means the methods and ways of dealing with and managing risks related to projects and the network in an organization. There should be processes and manuals in place that categorize risks as high level, mid level and low level and that include a risk mitigation plan. In an efficient organization, as soon as a risk is identified the risk management group meets and works on closing it. A company should always be prepared for how data security risks can be avoided altogether. There should be an organisation-level risk register that records all risks and their statuses.
By having appropriate security practices and risk management practices in place, an organization can ensure data security for itself.