
Security classification

Published: 2018-01-12

3. System Objectives

3.1. Purpose

This document contains the security assurance plan formulated for Sirius Council Borough of Betelgeuse. The purpose of this report is to define the security requirements and policy needed to mitigate risks and eliminate threats. It contains policies and guidelines for the various departments across the council, and it identifies all the assets in Sirius Council Borough and their owners. Assets are classified on the basis of confidentiality, integrity and availability. The document describes the risks and security threats to these assets and the treatment plan, and it explains the steps to be taken for business continuity, disaster recovery, training and quality assurance.

3.1.1. Information security

Every asset holds some information about the council. Information security is about safeguarding all the information owned by the organisation. Information is at the heart of every organisation and, because of its value, it is exposed to many security threats and vulnerabilities: malicious software, viruses, Trojans, information leakage by staff, data corruption, system failure, unauthorised access and so on. To secure this information against such threats, the policies and guidelines should be reviewed against the requirements. Keeping information safe from these threats is what information security means.

3.2. Information Lifecycle and Classification

The council handles information about its business, resources, employees, suppliers and citizens; this information is its most valuable asset. To create an information life cycle we have to identify the assets and classify them into categories. The importance of an asset is judged by its confidentiality, integrity and availability properties, and the security level of the asset is decided from that importance. Information can be classified at different levels; some examples of information levels are:

  1. Personal
  2. Important
  3. Secret
  4. Top Secret
  5. Address Only
  6. Cosmic Top Secret

An information asset can be either logical or physical. The following assets were found in the council.

3.2.1. Information assets (Physical)

  1. PCs
  2. Routers
  3. Servers
  4. Document Image Processors
  5. Phones, etc

3.2.2. Information Assets (Logical)

  1. Databases
  2. Software
  3. Personal records
  4. Email
  5. Training materials, etc

Note: The full list of assets can be found in the attached Gokulanathan Murthy (7514338).xls file.

3.3. Relevant Topics for Compliance

This section lists the regulations and standards that are followed across the organisation and against which an information security compliance assessment is conducted.

3.3.1. Regulation

http://www.netlawman.co.uk/acts-of-parliament.php

Council employees should comply with the following regulations, as referenced in ISO/IEC 27001:2005:

  1. Data Protection Act
  2. Freedom of Information Act
  3. Organisation's record protection
  4. Communication Act
  5. Computer Misuse Act
  6. The Privacy and Electronic Communication Regulations

3.3.2. Standards

Standards set out an agreed baseline for protecting the system from threats. Sirius Council and its staff should comply with the following standards:

  1. Information Security Management (ISO/IEC 27002:2005, ISO 17799)
  2. Quality Assurance (ISO 9001)
  3. Risk Management Guide for Information Technology Systems (NIST 800-30)

3.4. Responsibilities and Expected Characteristics of Stakeholders and Users

Every stakeholder and user has certain responsibilities under this system assurance plan. Technology alone does not guarantee the security of a system; to make its systems more secure the council should define the responsibilities and guidelines that its stakeholders and users must follow. Regular checks should be made to confirm that the stakeholders and users are following the guidelines.

3.4.1. Human Resources Manager

The HR Manager is responsible for the employees recruited during their tenure. The HR Manager should check the background of each employee before recruiting them. Each employee should know the limits of their access to council resources. The HR Manager is responsible for providing employees with the resources they need and should make sure that employees follow the guidelines.

3.4.2. Security Manager

The Security Manager and their team are responsible for developing security measures across the council. The Security Manager should make sure that the security policy reaches all departments and that they follow it. Restricted sections of the council should be accessed only by authorised personnel; their identity should be verified by the security management team before access is granted.

3.4.3. Line of Business Manager

All the documents and reports of the council are maintained by the Line of Business Management department. They are responsible for backing up important documents and should ensure that the files are properly secured. Any update made to a file should also be made to its backup, and the authorisation needed to access a file should be set when the file is created.

3.4.4. Operations Manager

The Operations Manager is responsible for reviewing the agreements with external suppliers and for ensuring business continuity. The Operations Manager is also responsible for making backup plans for when the external suppliers are unable to provide their service to the council.

3.4.5. Network Manager

The Network Manager and their team are responsible for the network and ensure that it is secured against external and internal attack. The network is secured in such a way that system performance is not compromised. The backup plan is formulated by the network management team, and the antivirus and firewall are kept up to date to face threats that grow every day.

3.4.6. IT Manager

The IT Manager is responsible for the IT infrastructure of the council. Employees' access to the systems is defined by the IT Manager. The integrity of the systems and files has to be maintained by the IT Manager, whose responsibility is to safeguard the systems from threats and to stop the misuse of system utilities.

3.4.7. Voice Service Manager

The Voice Service Management team is responsible for the voice network across the council. To measure call quality, each call is recorded. Stored voice data should be protected from unauthorised access.

3.4.8. Database Administrator

Sirius Council functions on the information it possesses. The Database Administrator is responsible for storing and securing the data. The DB Administrator must ensure the integrity of the data entered and should secure it from unauthorised access, data corruption, virus attack, etc. The DB Administrator has the right to grant data access to employees.

3.4.9. Employees

Employees are the largest part of the council; they are expected to follow all the security policies and handle assets with care. If a situation goes beyond their control, they are expected to report it to their superiors.

4. Protection Profile

Information possessed by the council should be protected from threats, and the priority given to an asset should be based on the sensitivity of its information. Information must have a backup in a remote location. Security measures for information systems, such as antivirus software and a firewall, should be installed and regularly updated. Sensitive areas of the council should be closed to unauthorised persons and monitored by video surveillance; CCTV cameras should be installed in sensitive areas to monitor both external and internal threats.

5. Asset Register

Note: Please refer to the Gokulanathan Murthy (7514338).xls file for the list of assets assessed as part of the information assurance plan.

6. Risk Assessment

Note: Please refer to the Gokulanathan Murthy (7514338).xls file for the list of risks and their impact strategy, as part of the information assurance plan.

7. Risk treatment and countermeasures

8. Business continuity

Business continuity ensures the continuous operation of the council's business processes and the services it offers. Unplanned events or interruptions such as a natural disaster, a system malfunction or the absence of a key employee may halt council operations. A business continuity plan secures business continuity by planning the necessary backups of resources and assets at a remote site.

8.1. Prioritisation

Assets are prioritised according to their sensitivity and the impact they have on the council. An asset that enables continuous workflow is given higher priority. During a disaster, assets should be restored in order of priority within the specified time, with the highest-priority assets first.

8.2. cucu

8.3. Incident Management

Incident management ensures an orderly response to an incident that has occurred and defines the steps to contain its consequences. Examples of incidents are an application error, a server down, a service not available and a denial of service.

8.3.1. Incident Identification

The administrator should examine the incident closely and find the risk that matches it; if none matches, look for a similar incident and apply the risk associated with that incident to the new one. The processes of the affected part of the business should be closely monitored, and managers should be ready to brief management on the incident.

8.3.2. Incident Classification

Incidents are classified by their severity into two categories:

8.3.2.1. Major Incidents

A major incident is one whose impact spreads across the council, infecting more systems and bringing processes to a halt. Example: a virus, worm or Trojan attack.

8.3.2.2. Minor Incidents

Minor incidents do not affect business continuity. Their impact is limited to a single department or a small group of systems. Example: a service not available.

8.3.3. Incident Response

Any suspicious incident is reported to the Incident Response Team (IRT). The IRT's responsibility is to analyse the incident and take the issue to the department involved. The IRT keeps a close watch on the progress of the affected business unit. The report should contain a description, the cause of the incident, the damage observed and the steps taken to contain the incident. Warnings should be sent to similar departments that may be affected by a similar incident.

8.3.4. Incident Recovery

Incident recovery is the process of eliminating the causes of the incident and bringing the system and the process back to normal. This involves applying security measures to tackle the incident and reconfiguring the system so that the incident cannot happen again. Once recovery is complete, the affected area should be monitored to find out how effective the applied security measures are.

8.3.5. Incident Aftermath

After the incident the IRT should make sure that all operations are back to normal and that the teams involved are informed that the incident is closed. The people who worked to bring the process back to normal should be recognised for their work and given incentives. Review how the incident was handled and look for better methods that could have been used; if there is a better method, document it for future use.

8.4. Response and Recovery Checklist

Use this checklist for the steps to be taken during an emergency.

Preparation Phase

  • Establish a building evacuation plan
  • Post the names of the department/supervisor to which employees should report at the time of an incident
  • Keep track of the changes made to the network
  • Regularly update the list of available resources and the information being added to it
  • Maintain contact information for employees and update it regularly
  • Maintain a list of all vendors/customers/shareholders and their scheduled delivery dates
  • Store resources at the remote site and make sure the response team members know where they are

Response Phase

  • Determine the nature and extent of the emergency
  • Inform employees in the building/department of the emergency
  • Make sure every trace of the incident has been removed
  • Contact other locations and inform them of the situation
  • Contact your vendors/customers/shareholders
  • Make sure security is in place
  • Activate your Disaster Recovery plan

Checklist taken from the Emergency Response Checklist at

http://www.wcpolicy.com/Loss_Control/emergency/pdfs/ERchecklist.pdf

8.5. Log Sheet

The log sheet must be used to record the actions taken during the emergency.

Date | Time | Action taken | Person Responsible

8.6. Audits

Audits should be conducted regularly to ensure the validity and relevance of the business process. Audits should be carried out internally and also by a third party, and the criteria for the audit should be set by the council.

  • All the methods and processes mentioned in the business continuity plan should be implemented
  • Test the council's ability to handle an incident
  • All actions taken by the incident response team during an incident are recorded and reviewed by the audit team
  • Review the BCP and update it as current needs require
  • From the audit results, changes are made in the department concerned to make the system more secure

8.7. Testing the BCP

  • Test the BCP to find whether all angles have been covered and whether the plan is achievable
  • Check whether the third parties involved in the BCP are ready to respond
  • Measure the time required to bring up the backup systems
  • Check whether the BCP is realistic and can be put in place within the expected timescale
  • Check the validity of the backup data and check for updates to it
  • Test how the employees react during an emergency
  • Retest the BCP every 12 months to ensure its effectiveness

9. Disaster Recovery

Disaster recovery comprises the steps to be taken to restore the council's operations after a disaster. A disaster can be the result of a hacker attack, malicious software, a natural disaster, unauthorised access to council data, etc.

9.1. Emergency Response during disaster

  • Activate the Disaster Recovery Team to implement the disaster recovery plan
  • Make sure all employees assemble outside the building (in case of earthquake or fire); this can be the Civic Centre parking area
  • When there is a disaster, the Emergency Response Team should be called; they should measure the intensity of the disaster and assign a Disaster Recovery Team to each case
  • All staff members should know how to contact their Disaster Recovery Team
  • Decide which disaster plan is to be implemented for the disaster

9.2. Disaster Recovery Team

The disaster recovery team is formed of members from different departments. Each department has a member on the team, so that decisions for each department are quick and precise. The aim of the team is to implement the disaster recovery plan and restore the functions of the council. The team should restore lost assets and ensure continuous operation. The duties of the disaster recovery team are:

  • Prepare a quick report about the disaster
  • Analyse the situation and check whether any asset can be saved from further damage
  • Test whether the business continuity plan can be carried out without any blockage
  • Split the work among the team based on the specialisation of the members
  • Establish an emergency service within 2 hours to notify clients/shareholders about the work done to restore service
  • Restore key services within 4 hours of the incident
  • Identify the root cause and try to reduce the impact
  • Work with the owner of the asset to learn more about the asset and its impact on the council
  • Prioritise assets based on the intensity of the damage and its impact on the business
  • Perform mock drills after recovery from the disaster
  • Document the proceedings, review the steps taken and, if necessary, change them
  • Carry out a risk assessment once a year
  • Train employees in how to act at times of disaster
  • Record all actions and log them for future reference
  • Measure the cost of the impact to claim insurance

9.3. Disaster Recovery Plan

The Disaster Recovery Plan (DRP) lists the key assets that need to be restored or recovered after a disaster. The DRP ensures the stability of the process and the integrity of the systems used. The DRP should be stored in a remote location, and the plan should be accessible at times of disaster. The table below highlights the key assets of the council and the ways to recover them.

Asset | Impact Rating | Department Responsible | 1st Contact Person | 2nd Contact Person | Recovery Plan | Recovery Time
----- | ------------- | ---------------------- | ------------------ | ------------------ | ------------- | -------------
Information Systems | 1 | IT Department | Mr. ABC | Mr. XYZ | Replace the affected system / upgrade | 1 day
Software: OS, antivirus, firewall | 1 | IT Department | Mr. ABC | Mr. XYZ | Reinstall | 1 day
Mainframes | 2 | IT Department | Mr. ABC | Mr. XYZ | Backup / remote location storage | 2 days
Documents: financial, strategy | 2 | Management Team | Mr. ABC | Mr. XYZ | Backup / revise it | 3 days
Servers | 1 | Networking Team | Mr. ABC | Mr. XYZ | Secondary backup servers | 1 day
Public kiosk | 3 | IT | Mr. ABC | Mr. XYZ | Replace it | 3 days
Data Warehouse | 2 | Database admin | Mr. ABC | Mr. XYZ | Backup in remote location | 2 days
Cables | 3 | IT | Mr. ABC | Mr. XYZ | Replace it | 1 day
Networks: LAN, WAN, data, voice | 1 | Network department | Mr. ABC | Mr. XYZ | Alternative connection | 1 day
Staff | 4 | HR Department | Mr. ABC | Mr. XYZ | Replacement / temporary resource | 5 days
Power | 3 | IT Department | Mr. ABC | Mr. XYZ | UPS backup | 1 day
Office buildings | 3 | Security Department | Mr. ABC | Mr. XYZ | Alternate location | 2 days

Impact: 1 = major impact, 5 = minor impact
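The following Python script is an added example written for this edit; it is not part of the plan and not the council's own tooling. It models the DRP table above, produces the restoration order that section 8.1 asks for (highest-impact assets first), checks the impact-1 assets against the "restore key services within 4 hours" duty from section 9.2, and rejects table rows a reviewer would send back (rating outside 1 to 5, no recovery time, the same person listed as both contacts). It assumes that a recovery time of "1 day" means 24 elapsed hours; the contact names are the page's own placeholders.

```python
"""Restoration schedule and sanity checks for the Disaster Recovery Plan table (added example)."""
from dataclasses import dataclass
from typing import Dict, List

KEY_SERVICE_TARGET_HOURS = 4  # "Restore key services within 4 hours" (section 9.2)
HOURS_PER_DAY = 24            # assumption: "1 day" in the table means 24 elapsed hours


@dataclass(frozen=True)
class DrpEntry:
    asset: str
    impact: int            # page legend: 1 = major impact ... 5 = minor impact
    department: str
    first_contact: str
    second_contact: str
    recovery_plan: str
    recovery_days: int     # "Recovery Time" column, in days


# Rows transcribed from the DRP table in section 9.3 (contact names are the page's placeholders)
DRP_TABLE: List[DrpEntry] = [
    DrpEntry("Information Systems", 1, "IT Department", "Mr. ABC", "Mr. XYZ",
             "Replace the affected system / upgrade", 1),
    DrpEntry("Software: OS, Antivirus, firewall", 1, "IT Department", "Mr. ABC", "Mr. XYZ",
             "Reinstall", 1),
    DrpEntry("Mainframes", 2, "IT Department", "Mr. ABC", "Mr. XYZ",
             "Backup / remote location storage", 2),
    DrpEntry("Documents Financial, strategy", 2, "Management Team", "Mr. ABC", "Mr. XYZ",
             "Backup / revise it", 3),
    DrpEntry("Servers", 1, "Networking Team", "Mr. ABC", "Mr. XYZ",
             "Secondary backup servers", 1),
    DrpEntry("Public kiosk", 3, "IT", "Mr. ABC", "Mr. XYZ", "Replace it", 3),
    DrpEntry("Data Warehouse", 2, "Database admin", "Mr. ABC", "Mr. XYZ",
             "Backup in remote location", 2),
    DrpEntry("Cables", 3, "IT", "Mr. ABC", "Mr. XYZ", "Replace it", 1),
    DrpEntry("Networks: LAN, WAN, Data, Voice", 1, "Network department", "Mr. ABC", "Mr. XYZ",
             "Alternative connection", 1),
    DrpEntry("Staff", 4, "HR Department", "Mr. ABC", "Mr. XYZ",
             "Replacement / temporary resource", 5),
    DrpEntry("Power", 3, "IT Department", "Mr. ABC", "Mr. XYZ", "UPS backup", 1),
    DrpEntry("Office buildings", 3, "Security Department", "Mr. ABC", "Mr. XYZ",
             "Alternate location", 2),
]


def validate(entries: List[DrpEntry]) -> List[str]:
    """Return the defects a reviewer would reject before the plan is signed off."""
    issues: List[str] = []
    for e in entries:
        if not 1 <= e.impact <= 5:
            issues.append(f"{e.asset}: impact rating {e.impact} is outside 1..5")
        if e.recovery_days <= 0:
            issues.append(f"{e.asset}: recovery time must be a positive number of days")
        if e.first_contact == e.second_contact:
            issues.append(f"{e.asset}: second contact must be a different person from the first")
    return issues


def restoration_order(entries: List[DrpEntry]) -> List[str]:
    """Section 8.1: restore highest-impact assets first; ties go to the shorter recovery, then by name."""
    ranked = sorted(entries, key=lambda e: (e.impact, e.recovery_days, e.asset))
    return [e.asset for e in ranked]


def key_service_gaps(entries: List[DrpEntry], target_hours: int = KEY_SERVICE_TARGET_HOURS) -> List[str]:
    """Impact-1 assets whose planned recovery time is longer than the key-service target."""
    return [e.asset for e in entries
            if e.impact == 1 and e.recovery_days * HOURS_PER_DAY > target_hours]


def department_workload(entries: List[DrpEntry]) -> Dict[str, int]:
    """Planned recovery days per responsible department, largest first, to spot overloaded teams."""
    load: Dict[str, int] = {}
    for e in entries:
        load[e.department] = load.get(e.department, 0) + e.recovery_days
    return dict(sorted(load.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for problem in validate(DRP_TABLE):
        print("DEFECT:", problem)
    print("Restoration order:")
    for position, asset in enumerate(restoration_order(DRP_TABLE), 1):
        print(f"  {position:2d}. {asset}")
    print("Impact-1 assets that miss the 4-hour key-service target:", key_service_gaps(DRP_TABLE))
    print("Planned recovery days by department:", department_workload(DRP_TABLE))
```

Run as a script it prints the schedule; the gap check is the useful part for a reviewer, because every impact-1 row in the table plans a one-day recovery while the DR team's duty list promises key services within four hours, so either the table's times or the four-hour promise needs revisiting before the plan is tested.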

9.4. Log sheet

The log sheet must be used to record the actions taken during the recovery period.

Date | Time | Disaster type | Action taken | Person responsible

10. User training and Awareness

Growth in technology has brought fast processing and accuracy, but ignorance of how to use those new technologies may breach the security code. It is the council's responsibility to provide training to council employees. Training raises employees' awareness of the threats and vulnerabilities to the information they possess, and of the policies and controls they have to follow.

10.1. User training

10.1.1. Policy statement

All users of the council systems should be provided with training on Sirius Council's policies, standards and guidelines, to ensure that users are aware of information security threats and concerns and are equipped to support the Sirius Council Information Security policy in the course of their normal work.

10.1.2. Scope

This policy applies to all Council associates and to all information assets in the custody of their respective owners, including client data, software, applications, storage, access and distribution to users both internal and external.

10.1.3. Controls

10.1.3.1. Information security Education and Training

All employees of the council and, where relevant, third-party users shall receive appropriate training and regular updates on the council's policies and procedures.

10.2. User awareness

10.2.1. Responding to Security Incidents and Malfunctions

Users should be aware of the council's policies, standards and guidelines; awareness gained by experience will give employees the confidence to face any problem. Each employee should know how to respond to an incident.

10.2.2. Policy Statement

Establish rules to minimize the damage from security incidents/malfunctions, and to monitor and learn from such incidents.

10.2.3. Scope

This policy applies to all Council associates and to all information assets in the custody of their respective owners, including client data, software, applications, storage, access and distribution to users both internal and external.

10.2.4. Controls

10.2.4.1. Reporting of Security Incidents/weaknesses/Malfunctions

The user of an asset should be able to note and report any suspected security incident, security weakness or software malfunction through the appropriate management channels as quickly as possible.

10.2.4.2. Learning from incidents

The types, volumes and costs of incidents and malfunctions shall be quantified and monitored to the extent possible.

10.2.4.3. Disciplinary Process

The violation of organisational security policies and procedures by associates shall be dealt with through a formal disciplinary process.

10.3. Compliance

10.3.1. Compliance with Legal Requirements

10.3.1.1. Policy Statement

To establish rules to avoid breaching any criminal or civil law, statutory, regulatory or contractual obligation, or any security requirement.

10.3.1.2. Controls

Identification of Applicable Legislation

All relevant statutory, regulatory and contractual requirements shall be defined explicitly and documented for each information system.

Intellectual Property Rights

Legal restrictions on the use of proprietary software products and other material shall be complied with.

Safeguarding of Organisational Records

Important records of the Sirius Council shall be protected from loss, destruction and falsification.

Prevention of Misuse of Organisational Information Processing Facilities

The council security committee shall authorise the use of information processing facilities, and controls shall be applied to prevent the misuse of such facilities.

Collection of Evidence

Where action is taken against an employee of the council which involves the law, either civil or criminal, the evidence presented shall conform to the rules of evidence laid down in the relevant law. This includes compliance with the policies, controls and standards published by Sirius Council.

10.3.2. Acceptable use and Enforcement

Alongside all the policies, controls and guidelines, employees should be given training in the use of the assets they handle. Training materials and manuals should be made available to all employees of the council, and any update to the policies or guidelines should be made available to them. Third parties involved with the council should sign an agreement in which the policies and controls are set out.

Employees must be aware of the level of authorisation they have for each asset. All employees and staff working in the council should sign a policy declaration form on joining. Any violation by an employee will result in disciplinary action in accordance with the rule book. A serious offence may result in dismissal from the council and legal action.

11. Quality Assurance Regime


12. Coursework Submission Form

By submitting your coursework you are making the following declarations (please read them):

Declarations:

  1. I confirm that this is my own work and that use of materials from other sources has been properly and fully acknowledged in the coursework submission.
  2. I confirm that this work has not been submitted either partly or wholly for any other assignment.
  3. I confirm that the submitted work has been created exclusively by me and that I have not been assisted nor have copied part or all of somebody else's work, either with their explicit approval or without their knowledge and consent.
  4. I confirm that I have read a copy of the current University regulations and notes on coursework and academic malpractice, including plagiarism, and that I fully understand the meaning of these terms.
  5. I confirm that the information I have given is correct to the best of my knowledge.
  6. I agree that any work I submit may be screened (including electronically and by other means) for Academic Malpractice, using internal and/or external detection systems, to check against any appropriate other material, including but not limited to other submitted work and material on the web. I understand that a case of suspected Academic Malpractice may proceed at any time during or after my degree programme.
  7. I agree that the University may make, and may authorise third parties to make, copies of any work submitted by me for assessment but only for the following purposes:
    a. assessment of my work;
    b. comparison with databases of earlier answers or works or other previously available works to confirm there is no plagiarism;
    c. addition to databases of works used to ensure that future works submitted at this institution and others are not subject to plagiarism from my work;
    d. for the University to include my work in any public archives of academic work which it may maintain, under the University Copyright and Intellectual Property regulations applied to such work.

The University will not make any more copies than are necessary for these purposes, will only use copies made for these purposes and will only retain such copies as remain necessary for those purposes. Where copies are made and retained for the purposes identified in clauses (b) and (c) above, it shall ensure that no personal data is made available to any third party.

I may request, in writing before submitting my work, that the University does not use my submission for one or more of purposes 5(b)-(d), giving full reasons for the request.

Signature

Student name:

Student number:

Module

COMP60391 Computer Security

Coursework

Security plan
