Artiesha Artis
CIS 462
Security Strategies and Policy
Professor Darrell Nerove
October 20, 2012
Working in many different arenas while pursuing my degree in Computer Security has opened my eyes to many things. One thing that I have noticed is that some companies felt that they were immune to data breaches. I have worked in smaller organizations that just didn’t have the knowledge to protect their network against security breaches. One inexpensive and very productive way to counteract a lack of resources or know-how is with an acceptable use policy. An acceptable use policy is not put in place to snoop on individuals but rather to protect the business’s assets.
The AUP (acceptable use policy) that I want to focus on is one that governs internet usage. An acceptable use policy regarding internet usage normally includes information about websites that are off limits as well as defining a scope for what sites are allowed to be accessed for personal surfing. Most AUPs are put in place to protect the company’s employees, partners and the company itself from any illegal or damaging actions by individuals, knowingly or unknowingly. Confidentiality, integrity and availability are the founding staples of ensuring that information is secure. An acceptable use policy enforces confidentiality, integrity and availability by limiting access and disclosure to authorized users ("the right people") and preventing access or disclosure to unauthorized ones ("the wrong people"), as well as by requiring employees to authenticate themselves in order to control access to data system resources and, in turn, holding employees responsible if violations occur under their user ID.
The company that I presently work for has an acceptable use policy. Its purpose is to highlight and outline the acceptable use of the computer equipment and systems that we are granted access to. It is always stated throughout all the acceptable use policies I have seen that users must be aware that data created on corporate systems is the property of the company. Employees are to exercise sound judgment regarding personal usage of computer systems. To be quite honest, the AUP at my current organization is very straightforward and what I consider to be weak. It is literally a blurb in the handbook that states that the internet systems are for business purposes only, and that the company reserves the right to monitor the usage of the software. I can only think of a few reasons why the AUP at my organization is so brief. I work in the healthcare industry, and because we deal with a lot of member information we are more concerned with HIPAA violations. In conjunction with HIPAA we also focus on making sure we remain in compliance with the HITECH Act. Since there are other rules that we become preoccupied with, the focus is no longer placed on the AUP at my job. You will notice that although there is no strict regard for an AUP at my place of employment, there are filters and blocks in place so that certain websites cannot be accessed.
I have a few ideas on how I would implement a better AUP at my place of employment. I would first conduct a current policy review. By performing an audit of my current internet usage policy I would compare it with what I want my new policy to be, taking into careful consideration the degree of policy enforcement required. Next I would want to gain visibility of the network traffic, using a Web traffic assessment tool, such as a proxy appliance, to identify and monitor Internet traffic and to identify specific areas or groups that are engaging in inappropriate or excessive Web use. This would allow me to analyze how much time users and user groups spend on the Internet during an "average" workday and what policies may need to be implemented. I would then concentrate on working collaboratively with all departments to enforce my end goal, concentrating on the departments that have a bearing on the companywide Internet use policy, especially human resources and IT, ensuring that there are no mismatches between the policies established and the ability of the network infrastructure to support them.
After all this is complete, we would then need to test my new policy by conducting an exercise with key users while the policy is at a draft stage. This will ensure that the policy is both practical in terms of achieving its objectives and sufficiently flexible to accommodate change or emergency situations. Then I would create a plan for announcing the new Internet usage policy throughout the organization to ensure that employee communication is well managed, the policy is understood and the restrictions imposed are fully justified. This would include denying access to Internet resources until users agree to accept the new policy. I would then ensure that monitoring of employee use is automated through Web monitoring software. I feel it would be a waste of human resources to assign a person or team to monitor the Internet activities of all company employees; as a supervisor I know that there is just no time for looking over someone’s shoulder. Web monitoring software would provide efficient and comprehensive reports, and data can be accessed within minutes. Stricter automation would allow management to set boundaries for site browsing and prevent downloading and installing of software, and it has multiple scanning engines to ensure that allowed downloads are free of viruses and other malware. By controlling downloads and browsing in real time, the network is protected from malware. There is also the prevention of data leakage through socially engineered websites, and it also helps reduce cyber-slacking, thus boosting employee and business productivity.
In order to increase awareness of the importance of AUPs and the need for them, I would hold formal companywide training. I would also have quarterly reviews on what to do if. I have always believed that the only way for end users to truly embrace and understand the importance of any new policy or procedure implemented is to make them part of it, so during training I would ask for suggestions on how the employees feel they could make things smoother or easier, and I would advise them to keep an eye out for violations. Having individuals keep an eye out for violations is the more challenging part of it all because no one wants to be a snitch, but in order for any policy or procedure to work to its fullest, all wheels have to turn in the same direction. Of course, the responsibility of reporting violations won’t be solely on staff, because I would want monitoring in place to assist with that.
AUPs are put in place to protect a company's data assets and confidential information while also safeguarding employees and maintaining standards concerning the use of the Internet during working hours. Implementing Web monitoring software is an investment in security and could prevent employees from cyber-slacking or abusing the company's trust with work-related information. By implementing and enforcing a solid AUP and providing ongoing end-user education and training, a company can minimize risk, allowing it to focus on growing its business rather than the need to repair it.