Asset Identification & Classification Policy
Policy Definition
It is the goal of this organization to implement the policies necessary to achieve the appropriate level of protection for each corporate asset.
Standard
Protecting each asset requires collaboration from every employee. Different assets have different probabilities of failure, depending on their vulnerabilities and the threats they face, and protecting them requires annual information security training for every employee.
Procedure
A complete security program includes an Asset Identification & Classification Policy. Identifying, categorizing, tracking and managing assets therefore requires creating and maintaining an inventory control list, following the recommendations in NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations (the system component inventory control, CM-8, is the relevant control for this list).
Guideline
Classifying assets according to business need in the event of a disaster is critical to this organization; the classification scheme therefore requires the approval of the Chief Information Officer and the head of building security.
This assessment/classification of assets must include the following parameters:
• Identifying the type of asset (network components; devices such as laptops, workstations, servers and routers; and data)
• Rating each asset identified
• Data classification
  o Based on roles, responsibilities and access privileges
It is imperative to conduct an asset assessment annually.
Asset Management and Protection Policy
Policy Definition
Today an organization must take every precaution to manage and protect its assets, including its offshore, physical, and IT infrastructure assets. The need for asset management and protection is a harsh reality and by design will not only ...
...the marketplace, increase profit, and comply with both external and internal policies and procedures, including federal laws and regulations. Before an organization begins to discuss, design or implement policies, it must have a clear understanding of hardening and of the benefits of a layered defense at key points on the network (public and private), at the server, and at the desktop. Policies an organization writes to encompass guidelines or mandates from a government entity therefore help ensure a layered approach.
The purpose of cybersecurity policies within CSN is to secure the division's assets. The written policies provide guidance on implementation through references to applicable standards and statements of best practice (Booz Allen Hamilton, 2012). As Control Data Corporation (1999) states, no asset can be 100% secure; network security is often focused on strategic prevention or reactive procedures rather than on examining the security policy and maintaining its operation. Analysis therefore indicates that many breaches are due to recurring weaknesses in the policy. “Even the most reliable, state-of-the-art technologies can be undermined or rendered ineffective by poor decisions, or by weak operational practices” (Control Data Corporation, 1999, p. 3).
Physical and environmental security programs are generally considered to be a collection of mechanisms and controls put in place to help ensure the availability of information technology capabilities. These programs protect an organization from fire, flood, theft, power failure, and intentional or even unintentional damage through negligence. Implementation of these programs at the organizational level can take place in a number of ways, but most organizations choose to follow a body of standards, usually set forth by an organization such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). One such body of standards put forth by ISO/IEC is 27002, Information technology – Security techniques – Code of practice for information secur...
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members, and a Chief Information Officer should be appointed to direct the organization's day-to-day management of information assets. Supporting roles are performed by the service providers, including systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for following all rules and policies and for understanding their roles, responsibilities and functions. Organizations' information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions made by data entry personnel, users, system operators and programmers. To better protect business information resources, organizations should conduct a risk analysis to see what
When an organization first starts out, it begins acquiring things: new buildings, offices, and the equipment in them. Those buildings and offices have value, and everything of value the organization holds needs some form of protection so that the business and its employees stay safe at all times. The conversation should move from “we have acquired all of this, now what are we going to do to keep it safe?” to deciding how the company will handle the protection of everything it owns.
We will protect the organization’s assets. This includes tangible assets such as the building, vehicles, and equipment. It is equally important to protect intangible assets such as copyrights, information, and computer programs.
Every organization, big or small, should have some level of security policy to protect their proprietary information. While the intensity and depth of an organization's security policy depends heavily on the nature of their business, common guidelines are mentioned in this paper that apply to all policies. One of the most important things to remember is that employees are a critical component to a successful security policy. It is the organization's job to ensure that their security policy is widely distributed and understood.
As threats evolve and change with each new technology introduced, organizations will also have to keep improving the techniques used to protect their critical Information Technology (IT) assets. Gartner's IT Key Metrics Data for 2010, based on a survey of companies worldwide, found that companies spent 5% of their IT budget on IT security (Kirk, 2010). Connie Guglielmo, a Forbes staff member, noted that IT spending would hit $2 trillion in 2013 and that worldwide IT spending would rise 4.6 percent that year (Guglielmo, 2013).
Implement physical security: - “Physical security protects people, data, equipment, systems, facilities and company assets” (Harris,
Issues that will fall under this umbrella will be management accountability, fiscal liability, internal and external audits and protection of stockholder and stakeholder interests” (Fisher, 2004). An area of concern for both customers and vendors will be how well the organization can protect the information system that houses secured information such as a customer's financial institution, bank routing numbers and account numbers. The same applies to a vendor's need for protection. If an organization's electronic accounting database were hacked and the information fell into the wrong hands, the company could be destroyed financially. An organization's performance review also plays a vital role in the homeland security assessment. In conducting a review on this level I will obtain information as to “how the senior leaders translate organizational performance review findings into priorities for continuous and breakthrough improvement of key business results and into opportunities for innovation” (Fisher,
The Silver Star Mines risk assessment illustrates how a company can be in great danger if proper security measures and policies are not in effect for every business process. In fact, “an IT security risk assessment is needed for each asset in the organization that requires protection” (Stallings, 2015, p. 486). According to the initial review, the Silver Star Mines risk assessment highlights the following risk areas: Supervisory Control and Data Acquisition (SCADA) at the top, critical level of risk; stored information at extreme risk; financial, procurement and production systems at high risk; and e-mail services at high risk. With this in mind, management should evaluate and apply proper security measures to the assets that need the most protection, assets
The network management plan and the security plan are important in helping the company work out how it will improve its network and security procedures. Planning involves outlining objectiv...
According to the information security governance literature, success is often limited by an inability to value the organisation's information and data. This drives the discussion of what security is needed and what resources should be assigned to it.
In the prevention stage, preventive safeguards are setup in an effort to stop the occurrence of disasters. In the ICT world, this could entail a wide range of steps. They would generally indul...
Security in any company is vital for it to succeed. Whether physical or technical, each kind of security plays a part in ensuring important data does not end up in the wrong hands. Physical security may also be needed when dealing with critical physical environment issues. These measures can help prepare a company looking to protect its computing facilities from natural and man-made events.