Asset Identification & Classification Policy
Policy Definition
It is the goal of this organization to implement the policies necessary to achieve the appropriate level of protection for each corporate asset.
Standard
Protecting each asset requires collaboration from every employee. Different assets have different probabilities of failure due to vulnerabilities and threats, and protecting them requires annual information security training for each employee.
Procedure
A true security program includes an Asset Identification & Classification Policy; therefore, identifying, categorizing, tracking and managing assets requires creating and implementing an inventory control list according to the recommendations outlined in NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.
Guideline
Classifying assets in accordance with business need in the event of a disaster is critical to this organization; therefore, the classification scheme requires the approval of the Chief Information Officer and the head of building security.
This assessment/classification of assets must include the following parameters:
• Identifying the type of asset, including network components, devices (laptops, workstations, servers, routers) and data
• Rating of each asset identified
• Data classification, based on roles, responsibilities and access privileges
It is imperative to conduct an annual assessment of asset management.
Asset Management and Protection Policy
Policy Definition
Today an organization must take every precaution to manage and protect its assets, including its offshore, physical, and IT infrastructure assets. The need for Asset Management and Protection is a harsh reality and by design will not only ...
...the marketplace, increase profit, and comply with both external and internal policies and procedures, including federal laws and regulations. Before an organization begins to discuss, design or implement policies, it is imperative that it has a clear understanding of hardening and of the benefits of a layered defense at key points on the network (public and private), at the server, and at the desktop. Policies written by an organization that encompass guidelines or mandates from a government entity therefore ensure a layered approach.
References
SANS Institute. (2003). Global Information Assurance Certification Paper: Layered security model / OSI information security. Retrieved from http://www.giac.org/paper/gsec/3908/layered-security-model-osi-information-security/106272
SANS Institute. (2003). Global Information Assurance Certification Paper: Layered security. Retrieved from http://www.giac.org/paper/gsec/2599/layered-security/104465
National Institute of Standards and Technology (NIST). (2002). Risk Management Guide for Information Technology Systems (Special Publication 800-30).
Physical and environmental security programs are generally considered to be a collection of mechanisms and controls put into place that help ensure the availability of information technology capabilities. These programs protect an organization from fire, flood, theft, power failure, intentional damage, and even unintentional damage through negligence. Implementation of these programs at the organizational level can take place in a number of ways, but most organizations choose to follow a body of standards, usually set forth by an organization such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). One such body of standards put forth by ISO/IEC is 27002, Information technology – Security techniques – Code of practice for information secur...
Whitman, M., & Mattord, H. (2010). Management of information security. (3rd ed., p. 6). Boston, MA: Cengage Learning.
When an organization first starts out, it starts acquiring things: new buildings, offices, and the equipment in them. Its buildings and offices have value. With everything of value this organization has, it will need some sort of protection to make sure the business as well as the employees stay safe at all times. The conversation should move from “we have acquired all of this stuff” to “now what are we going to do to keep it safe?” Then the company needs to decide how it will handle the issue of protecting all the things that it owns.
Protect its assets, such as physical facilities and equipment, and prevent any damage to them
We will protect the organization’s assets. This includes tangible assets such as the building, vehicles, and equipment. It is equally important to protect intangible assets such as copyrights, information, and computer programs.
Implement physical security: “Physical security protects people, data, equipment, systems, facilities and company assets” (Harris,
Security audits and surveys are the most important aspects of a security professional's work. A good survey can give the professional all the information they need to find every level of risk and threat that an asset faces. The ability to conduct a thorough and effective survey is paramount for the security professional, who could find themselves carrying out surveys from scratch in a new role, or reviewing the processes and procedures that may already be in place. After visiting the site and reviewing the various processes, the security professional presents his or her findings via a risk assessment and advises the client on where the main threats and risks to the asset are and how they could result in loss financially or through loss
530). The risk assessment suggests identifying and managing critical documents and storing them on centralized application and file servers. Moreover, it proposes using applicable controls. To further explain the applicable controls, role-based access control (RBAC) should be enabled to regulate access to file resources based on the roles of individual users within the company. In this structure, access is the ability of an individual user to perform a specific task, such as viewing, creating, or modifying a file. Roles are defined according to job proficiency, authority, and responsibility within the business. In fact, a role describes the level of access that users have for their account. For example, by assigning roles to users, administrators can allow multiple users to complete tasks securely. Also, RBAC limits risk by ensuring that users do not have access beyond their training or level of control. Thus, an employee's role determines the level of permissions granted and ensures that junior-level employees are not able to access sensitive information or perform high-level tasks. Additionally, an employee education and security awareness program should be implemented to improve employee behavior, hold employees accountable for their actions and for complying with rules, and improve the employee knowledge base on
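As an added example (not code from any of the essays on this page), the following Python sketch ties the classification parameters listed under the Guideline above to the RBAC description in this paragraph: every inventory entry carries an asset type and a classification rating, each role is granted a classification ceiling and a set of operations, and the check denies by default, so a junior role cannot view or modify files above its level and an asset that was never rated is inaccessible until it is classified. The role names, ratings and inventory entries are constructed for the demonstration.

```python
"""Role-based access over a classified asset inventory (added illustration,
not code from the essay): each asset carries a type and a classification
rating, each role a classification ceiling and allowed operations, and
anything not explicitly granted is denied."""
from dataclasses import dataclass

# Classification ratings, lowest to highest sensitivity (constructed).
RATING = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role -> (highest classification the role may touch, operations allowed).
# Constructed policy; the role names are hypothetical.
ROLE_POLICY = {
    "junior_analyst": ("internal", {"view"}),
    "analyst": ("confidential", {"view", "create"}),
    "data_owner": ("restricted", {"view", "create", "modify"}),
}

@dataclass(frozen=True)
class Asset:
    asset_id: str
    asset_type: str      # e.g. "server", "laptop", "data"
    classification: str  # one of RATING's keys; anything else is unrated

def is_permitted(role: str, operation: str, asset: Asset) -> bool:
    """Deny by default: unknown role, unrated asset or ungranted op -> False."""
    grant = ROLE_POLICY.get(role)
    if grant is None or asset.classification not in RATING:
        return False
    ceiling, operations = grant
    return RATING[asset.classification] <= RATING[ceiling] and operation in operations

def unrated_assets(inventory: list[Asset]) -> list[str]:
    """Inventory entries with no valid rating; these fail every access check."""
    return [a.asset_id for a in inventory if a.classification not in RATING]

def audit_line(role: str, operation: str, asset: Asset) -> str:
    """One audit-log line per decision so denials can be reviewed later."""
    decision = "ALLOW" if is_permitted(role, operation, asset) else "DENY"
    return f"{decision} role={role} op={operation} asset={asset.asset_id}"

# Constructed inventory entries for the demonstration.
INVENTORY = [
    Asset("srv-01", "server", "restricted"),
    Asset("lap-07", "laptop", "internal"),
    Asset("hr-payroll.xlsx", "data", "confidential"),
    Asset("tmp-share", "data", ""),  # never classified: denied to everyone
]
```

Running `unrated_assets(INVENTORY)` during the annual assessment lists the entries that still need a rating before any role can reach them.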
This includes measures to limit access to electronic information, to encrypt and decrypt electronic information, and to guard against unauthorized access to that information while it is being transmitted to others. Procedures and policies are required to address the following elements of technical safeguards:
• Access control - Allowing access only to persons or software programs that have appropriate access rights to data or PHI, by using, for example, unique user identification protocols, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.
• Audit controls - Recording and examining activity in health IT systems that contain or use PHI.
• Integrity - Protecting PHI from improper alteration or destruction, including implementation of mechanisms to authenticate PHI.
• Person or entity authentication - Verifying that a person or entity seeking access to PHI is who or what they claim to be (proof of
A security policy also provides a forum for identifying and clarifying security goals and objectives to the organization as a whole. A good security policy shows each employee how he or she is responsible for helping to maintain a secure environment.” (SANS Institute)(4) There are many ways to put together an Information Security Policy, but based on what PCI requires and experts in the field including the SANS Institute and OWASP I have assembled the Policy as listed
With the growing use of technology in modern society, it is not surprising that many businesses have to take significant measures to protect their company data and keep it secure. It is interesting to know to what lengths a company should go to avoid a security breach and ID theft. I had an opportunity to sit down and meet with a senior manager of the project management office at CVS Health. She stated that computers and mobile phones were an essential part of her workday. When asked how she used technology in the office setting, she discussed how she uses technology to communicate with others, document information, give presentations during meetings, and share live web conferencing.
When planning configuration identification it is important to: define how the classes and types of assets and CIs are to be selected; define the approach to identification; allocate identifiers such as serial numbers and version numbers to CIs; uniquely name and label all the assets or service components; define the roles and responsibilities of the owner of each CI; define and document the criteria for selecting CIs; specify the relevant attributes of each CI; and decide the level at which control must be exercised (Office of Government Commerce, 2007). By identifying CIs, a baseline of software-related items is established. This way, changes to the baseline can easily be controlled, audited and reported. According to ITIL best practices, CI selection should be done by applying a top-down
Asset – Equipment that is utilized, but not consumed, in the production of goods or services supporting the program mission. An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise.
The first thing that we must consider about Information Security is that there is no final destination at which we can arrive. IT Security is an ongoing set of processes and activities that requires attention and expertise on a daily basis. It is important to understand that systems are not secured by themselves and it is our responsibility to maintain and improve them periodically as required. It is of vital importance to establish the appropriate mechanisms and requirements in order to support the company’s CIA triad. The following report will provide guidance about auditing and hardening techniques applied through the 7 Domains by utilizing IT Security Best Practices.