Shepherd College Information Security Planning Project

Abstract

This is an information security plan for Shepherd College. The plan's objectives are to create a high-level security awareness campaign within the College, so that its employees can recognize and identify social engineering attacks, and to develop a high-level plan to protect network resources and assets. The plan explores these objectives with the aim of protecting the sensitive, confidential and internal information of the institution. It also examines the cloud computing services that Shepherd College has adopted to secure and protect its data and information, outlining the benefits of these services and the challenges to which particular services may expose the institution.

Shepherd College is taking appropriate steps to ensure that its information systems are protected from security threats. The institution aims to ensure that all of its data, including payroll and benefit records, its services and its other applications, is kept confidential and secure.

The objectives of this information security plan are:

- To develop a high-level security awareness campaign to assist employees and users to identify and recognize social engineering attacks.

- To create a high-level plan to help protect the institution's network resources and assets.

- To explain the benefits and challenges of securing cloud computing services.

Developing a high level security awareness campaign

To develop a high-level security awareness campaign that assists employees and users to identify and recognize social engineering attacks, the following will be done:

  1. Employees and users will be helped to identify the kinds of data the institution holds.

This enables employees to identify the sensitive and most valuable data of the institution, such as payroll files, transaction information and financial records.

  2. Employees and users will be helped to identify and recognize how the data is handled and protected.

This enables employees to realize that the institution's data is always on the move, and that every time it moves it can be exposed to danger from different places. Guidelines and policies should therefore be strictly followed to ensure that each type of data is properly handled, validated and protected by all employees (Balding, 2008).

  3. Employees and users will be helped to recognize what type of data they have access to and under which circumstances they should access it.

This enables employees to guard the information they have access to from other employees who should not access it, and to know under which circumstances they may share data with other employees. This awareness enables employees to manage and track their data and to know the circumstances under which access is permitted. Doing this helps the security experts and employees to create a list of the specific employees, users or partners who have access to specific data (Dillon, Wu & Chang, 2010).

Once awareness has been created by helping employees to identify the types of data they handle, how they handle it, and how they can manage and track it, the security experts will help employees keep a record of the data's location and will move data to a more appropriate location where it is secure for use by employees (Dillon, Wu & Chang, 2010).

  4. Employees and users will be helped to identify and recognize their security responsibilities and to know how to fulfill them. Security briefings and refresher awareness materials will be provided to all employees involved with information technology at Shepherd College. All such employees and users shall receive in-depth training on security techniques, the potential threats, how to identify and control them, and the harm the threats can cause the institution (Balding, 2008).
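As an added example (not part of the Shepherd College plan or of its sources), the following Python script applies four of the indicators that awareness training of this kind teaches people to look for: a sender domain that does not belong to the institution behind a display name that claims it, a Reply-To address that differs from the From address, urgency language, and a link whose visible URL differs from the host it really points to. The trusted domain `shepherd.edu`, the phrase list and both sample messages are assumptions constructed for the demonstration; the script is an illustration of the indicators, not a complete phishing filter.

```python
"""Flag common social-engineering indicators in an e-mail message.

Added example, not part of the Shepherd College plan. The trusted domain,
the phrase list and both sample messages below are constructed for the
demonstration; the checks are an illustrative subset of what a trained
reader or a mail filter would look for.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the institution actually sends from (assumption for the example).
TRUSTED_DOMAINS = {"shepherd.edu"}

# Pressure phrases typical of credential-harvesting lures.
URGENCY_PHRASES = ("urgent", "immediately", "suspended",
                   "verify your account", "within 24 hours")

# Constructed lure impersonating the payroll office.
PHISHING_EMAIL = """\
From: "Shepherd College Payroll" <payroll@shepherd-edu-portal.com>
Reply-To: collect@mail-drop.example
Subject: URGENT: verify your account to receive this month's pay
Content-Type: text/html

<p>Your payroll record will be suspended. Please
<a href="http://shepherd-edu-portal.com/login">https://hr.shepherd.edu/payroll</a>
immediately.</p>
"""

# Constructed legitimate notice for comparison.
LEGITIMATE_EMAIL = """\
From: "Shepherd College Payroll" <payroll@shepherd.edu>
Subject: Pay statements for March are available
Content-Type: text/html

<p>Your statement is in the <a href="https://hr.shepherd.edu/payroll">HR portal</a>.</p>
"""

_ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(address):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message.

    An empty list means none of the four checks fired; it does not prove
    the message is safe.
    """
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_address = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_address)
    _, reply_address = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_address)

    # 1. Display name claims the institution, but the address does not.
    if "shepherd" in display_name.lower() and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name claims the institution but sender domain is {from_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Pressure language in subject or body.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Link text shows one URL while the href points at another host.
    for href, shown in _ANCHOR.findall(body):
        shown = shown.strip()
        if re.match(r"https?://", shown, re.I):
            shown_host = urlparse(shown).hostname
            real_host = urlparse(href).hostname
            if shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")

    return findings


if __name__ == "__main__":
    for label, sample in (("lure", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run as a script it prints four indicators for the lure and none for the legitimate notice. The same four questions (who really sent this, where do replies go, is it pressuring me, where does the link really lead) are what the awareness briefings should leave in employees' heads.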

Creating a high level plan to protect the institution’s network resources and assets

Creating a high-level plan to help protect the institution's network resources and assets already identified will require the College's security personnel to:

  1. Develop a privacy policy

Shepherd College security experts shall develop privacy policies, rules and expectations covering information that is to be kept confidential to the institution. These policies shall be shared with all employees, partners and users (Dillon, Wu & Chang, 2010). The privacy policy shall address all types of data identified within the institution, including:

- Customer information: transaction records, payroll data, etc.

- Personally identifiable information: employees' names, email addresses, identification numbers, bank account numbers, etc.

  2. Protecting data collected on the internet

Shepherd College shall protect data on its website by controlling access to it and protecting it from hackers and other outsiders. The institution shall protect its network resources and assets through:

  a) Physical security

- All employees shall ensure that no one is looking over their shoulder while they deal with confidential information.

- Employees shall not leave confidential information unattended on desks or in rooms.

- Sensitive information shall not be stored on portable computers that may be moved to unsecured areas.

- All network servers shall run on an uninterruptible power supply (UPS).

  b) Personnel security

Shepherd College will institute the following personnel security measures to ensure that employees protect its assets and network resources:

- New employees in positions that handle sensitive data will be screened first to ensure they can be trusted with that data.

- The institution's security personnel must ensure that all employees handling sensitive data are familiar with the institution's privacy policies, regulations and rules.

- The institution must have technical support security personnel trained to ensure that all security procedures are followed properly even in the absence of key personnel.

- The institution must develop a hiring process that properly vets recruits and employees.

- The institution must perform background checks and credentialing on employees to ensure that those handling sensitive, confidential and other information do not have criminal records.

- The institution must take care in dealing with third parties. Partners must be thoroughly vetted, with an explicit credentialing requirement set out in the service agreements.

- The institution must set appropriate access controls for employees based on their roles.

  c) Data communications security

Most of the threats to the institution's assets and network resources arrive over the wide area network (WAN) that provides its network access. A firewall and security services shall be placed between the institution's network and the networks of the other organizations that exchange information with it.

- Employees shall not pass sensitive data to any partner, organization or person except as authorized by the privacy policy (Dodge, Carver & Ferguson, 2007).

- Employees shall use encrypted channels when accessing information across the internet.

- Every connection to the institution's network shall be approved by the institution's security personnel and recorded in an inventory.

- All equipment connected to the institution's network shall be verified, and dial-in access to the assets and network resources shall be controlled (Zhang, Wuwong & Zhang, 2015).

  d) Phone system security

- The institution's phone systems shall be configured to serve only its business needs. Apart from senior management, employees' phones shall be restricted to internal calls.

  e) System access security

- All employees accessing the institution's assets and resources shall authenticate with a user ID and password, which shall be verified before access to information is granted.

- The date and time of the last logon to the institution's database shall be recorded.

- After 4 failed login attempts, the account shall be locked against further logons for at least 7 minutes.

- All employees shall be required to change their passwords every 2 months.

- Shared passwords shall be permitted only on single-function workstations.

- The password policy shall be strictly followed by employees. It includes: not sharing passwords, changing vendor default passwords, not using business passwords outside the institution, not cycling back to previously used passwords, requiring proof of identity before a password is changed, etc. (Dillon, Wu & Chang, 2010).
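The rules in this list can be stated precisely as code. The following Python module is an added example, not part of the Shepherd College plan or its sources: it verifies a user ID and password, records the last logon, locks the account for 7 minutes after 4 failed attempts, forces a password change after 60 days (taken here as the plan's "2 months"), and changes a password only when the current one is presented as proof of identity and the new one is neither a vendor default nor one used recently. The in-memory account store, the injectable clock (so the timing rules can be exercised without waiting), the vendor-default list and the 5-entry password history are assumptions made for the demonstration.

```python
"""System-access rules from the plan as working code.

Added example, not part of the Shepherd College plan. The in-memory
account store, the injectable clock, the vendor-default list and the
password-history depth are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 4                     # plan: lock after 4 failures
LOCKOUT_SECONDS = 7 * 60                    # plan: at least 7 minutes
PASSWORD_MAX_AGE_SECONDS = 60 * 24 * 3600   # plan: change every 2 months
PASSWORD_HISTORY = 5                        # assumption: old passwords that may not be reused
VENDOR_DEFAULTS = {"password", "admin", "changeme", "123456"}  # assumption: illustrative list
PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(password, salt), digest)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: float
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_logon: Optional[float] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)


class AccessControl:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock      # returns the current time in seconds
        self.accounts = {}

    def create_user(self, user_id: str, password: str) -> None:
        if password.lower() in VENDOR_DEFAULTS:
            raise ValueError("vendor default or trivial password rejected")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _digest(password, salt), self.clock())

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'expired' (must change password), 'locked' or 'denied'."""
        now = self.clock()
        account = self.accounts.get(user_id)
        if account is None:
            return "denied"     # same answer as a wrong password: do not leak valid IDs
        if now < account.locked_until:
            return "locked"     # do not even verify while locked
        if not _matches(password, account.salt, account.digest):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked_until = now + LOCKOUT_SECONDS
                account.failed_attempts = 0
            return "denied"
        account.failed_attempts = 0
        account.last_logon = now            # plan: record last logon date and time
        if now - account.password_set_at > PASSWORD_MAX_AGE_SECONDS:
            return "expired"
        return "ok"

    def change_password(self, user_id: str, old_password: str, new_password: str) -> bool:
        account = self.accounts[user_id]
        # Proof of identity: the current password must be presented.
        if not _matches(old_password, account.salt, account.digest):
            return False
        if new_password.lower() in VENDOR_DEFAULTS:
            return False
        # Not cyclical: reject the current password and any in recent history.
        for salt, digest in account.history + [(account.salt, account.digest)]:
            if _matches(new_password, salt, digest):
                return False
        account.history = (account.history + [(account.salt, account.digest)])[-PASSWORD_HISTORY:]
        account.salt = os.urandom(16)
        account.digest = _digest(new_password, account.salt)
        account.password_set_at = self.clock()
        return True


class FakeClock:
    """Manually advanced clock so lockout and expiry can be demonstrated."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    ac = AccessControl(clock)
    ac.create_user("jdoe", "correct horse battery")
    print([ac.login("jdoe", "wrong") for _ in range(4)])   # four failures lock the account
    print(ac.login("jdoe", "correct horse battery"))       # locked, even with the right password
    clock.now += LOCKOUT_SECONDS
    print(ac.login("jdoe", "correct horse battery"))       # ok
```

Two design points worth noting: an unknown user ID and a wrong password produce the same "denied" answer so that an attacker cannot enumerate valid IDs, and the lockout check runs before the password is verified so that a locked account gives no feedback about whether a guess was right.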

  f) Ensuring system integrity

Shepherd College shall protect its assets and network resources from viruses and other malware by:

- ensuring that all employees scan their documents for viruses before sharing them;

- installing a virus protection system that automatically updates its signatures as new viruses are released;

- configuring the firewall used at Shepherd College to filter out incoming viruses;

- having the virus protection system scan every file immediately before it is saved to a workstation.

A security verification team shall be located at the central office. The team will monitor the institution's security systems and perform security testing daily. The results of the tests shall be presented to the key security personnel, and changes made to ensure the assets are safe. The team will also manage the institution's back-up systems to ensure that no data is lost (Dodge, Carver & Ferguson, 2007).

Benefits and challenges of securing cloud computing services

Cloud services used

Cloud computing services will help protect Shepherd College's assets and network resources. To protect its payroll, Microsoft Office and other applications, the college has chosen several services, including:

Software-as-a-service: delivers data and software that the college accesses over a web connection. The software delivered this way includes human resource management, service desk management, customer relationship management and invoicing (Nedelcu, Stefanet, Tamasescu, Tintoiu & Vezeanu, 2015).

Platform-as-a-service: delivers a computing platform that the college accesses through a web browser.

Infrastructure-as-a-service: offers the college a fully outsourced service package without the need to buy software, servers, data center space or network equipment (Nedelcu, Stefanet, Tamasescu, Tintoiu & Vezeanu, 2015).

Business-process-as-a-service: used by the college for payroll, billing and human resources.

Benefits of securing cloud computing services

Shepherd College finds these services beneficial because they:

  a) Protect data collected on the internet

The cloud services provide Shepherd College with a website through which it collects information. The services help the institution to:

- manage its own servers and protect its data fully from third-party interference;

- ensure that any data collected through its website and stored by the third party is sufficiently secure;

- ensure that all its assets and network information are protected from hackers and outsiders, including employees of the hosting company (Dodge, Carver & Ferguson, 2007).

  b) Create layers of security

The cloud services offer Shepherd College alternative ways to secure its information. They create layers of protection, so the institution does not depend only on passwords, user IDs and the like. Unlike other back-up systems, which may leave the institution with nothing if a single security mechanism fails, the cloud services offer layers of security that protect the institution from such losses (Nedelcu, Stefanet, Tamasescu, Tintoiu & Vezeanu, 2015). The cloud services have helped the institution to classify and protect its information. When storing information in the cloud, the institution's security personnel should always classify the data as:

- Sensitive: all information considered private, such as financial reports.

- Highly confidential: information intended for internal use, such as payrolls.

- Internal use only: private information that can be accessed by a wider audience but is used only within the institution (Zhang, Wuwong & Zhang, 2015).

These cloud services will help Shepherd College security personnel to:

- control access to the institution's data, since the more sensitive the data is, the more restrictively it is held in the cloud;

- secure its data;

- back up its data;

- protect against online fraud;

- protect against online phishing;

- protect against malware;

- regularly update all applications.
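As an added example, not part of the Shepherd College plan or its sources, the following Python module turns the three classification labels into an access decision: a role's clearance bounds the highest label it may read, and for anything above "internal use only" the user's department must match the asset's owning department (need to know). It also generates the per-asset list of who may access what, which the awareness section asks security staff to maintain, and records every decision for audit. The ordering internal use only < highly confidential < sensitive, the roles, departments, users and assets are assumptions made for the demonstration; the plan states only that the more sensitive the data, the more restrictive the access.

```python
"""Classification- and role-based access decision with a need-to-know check.

Added example, not part of the Shepherd College plan. The label ordering,
role clearances, departments, users and assets are assumptions made for
the demonstration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Label(IntEnum):
    """The plan's labels ordered by restrictiveness (assumed order)."""
    INTERNAL_USE_ONLY = 0
    HIGHLY_CONFIDENTIAL = 1
    SENSITIVE = 2


# Highest label each role may read (assumption).
ROLE_CLEARANCE: Dict[str, Label] = {
    "staff": Label.INTERNAL_USE_ONLY,
    "payroll_clerk": Label.HIGHLY_CONFIDENTIAL,
    "finance_officer": Label.SENSITIVE,
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


@dataclass(frozen=True)
class Asset:
    name: str
    label: Label
    owner_department: str


AUDIT_LOG: List[Tuple[str, str, bool, str]] = []   # (user, asset, allowed, reason)


def authorize(user: User, asset: Asset) -> Tuple[bool, str]:
    """Decide whether user may read asset; every decision is logged."""
    clearance = ROLE_CLEARANCE.get(user.role)
    if clearance is None:
        allowed, reason = False, f"unknown role {user.role}"
    elif asset.label > clearance:
        allowed, reason = False, f"{asset.label.name} exceeds {user.role} clearance"
    elif asset.label > Label.INTERNAL_USE_ONLY and user.department != asset.owner_department:
        allowed, reason = False, f"no need to know: {user.department} is not {asset.owner_department}"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append((user.name, asset.name, allowed, reason))
    return allowed, reason


def access_list(users, assets) -> Dict[str, List[str]]:
    """Per-asset list of who may read it: the list the plan asks security staff to keep."""
    return {asset.name: sorted(u.name for u in users if authorize(u, asset)[0]) for asset in assets}


# Constructed sample population.
USERS = [
    User("alice", "finance_officer", "finance"),
    User("bob", "payroll_clerk", "hr"),
    User("carol", "staff", "registrar"),
    User("dave", "contractor", "facilities"),        # role not in the clearance table
]
ASSETS = [
    Asset("financial_report_2015", Label.SENSITIVE, "finance"),
    Asset("payroll_march", Label.HIGHLY_CONFIDENTIAL, "hr"),
    Asset("campus_phone_directory", Label.INTERNAL_USE_ONLY, "admin"),
]


if __name__ == "__main__":
    for asset_name, readers in access_list(USERS, ASSETS).items():
        print(f"{asset_name}: {', '.join(readers) or 'nobody'}")
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a role absent from the clearance table is denied everything rather than defaulting to the lowest label; a new role must be added deliberately, which is the same "approve and list" discipline the plan applies to network connections.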

Challenges of cloud computing services

Before a decision is made on the type of cloud service to be used, the institution's security personnel must consult cloud security consultants to help identify the best cloud service and the appropriate ways the institution can use it to secure its data (Nedelcu, Stefanet, Tamasescu, Tintoiu & Vezeanu, 2015). Without involving cloud consultants, the cloud services chosen can expose the institution's information to many challenges. Shepherd College has therefore engaged cloud security consultants continuously to help it use the best cloud services and to monitor its information to ensure that it is safe and protected.

Shepherd College has identified the following challenges that arise from using the wrong cloud services:

- Data integrity threats, which occur when an employee modifies data, even unintentionally, disrupting the functions of the institution or its business.

- Data loss as a result of an employee unintentionally accessing sensitive information from a network or device.

- Network-based attacks that result from an employee visiting compromised legitimate sites from the institution's systems; the malicious sites then launch network-based attacks on the institution's information in the cloud.

- Resource abuse by employees who misuse the network by sending spam from compromised devices, thus interfering with the information in the cloud.

- Malicious software that attacks the information stored in the cloud. Such malware can be introduced by attackers on poorly protected cloud services.

- Downtime and outages of the services and applications as a result of internet connection failures. Moreover, the loss of a cloud application service may result in a large data loss for the College (Zhang, Wuwong & Zhang, 2015).

References

Balding, C. (2008). Assessing the Security Benefits of Cloud Computing. Cloud Security Blog.

Dillon, T., Wu, C., & Chang, E. (2010, April). Cloud computing: issues and challenges. In Advanced Information Networking and Applications (AINA), 2010 24th IEEE International Conference on (pp. 27-33). IEEE.

Dodge, R. C., Carver, C., & Ferguson, A. J. (2007). Phishing for user security awareness. Computers & Security, 26(1), 73-80.

Nedelcu, B., Stefanet, M. E., Tamasescu, I. F., Tintoiu, S. E., & Vezeanu, A. (2015). Cloud Computing and its Challenges and Benefits in the Bank System. Database Systems Journal, 5(1), 45-58.

Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2015, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2015 IEEE 10th International Conference on (pp. 1328-1334). IEEE.