Embed Size (px)
DESCRIPTION
Outline of components needed to develop cyber security procedures for public and private institutions.
Citation preview
COMPUTER SECURITY POLICY
Ridha Ben Hammouda
EVEREST UNIVERSITY-South Orlando Campus
COMPUTER SECURITY 1
Abstract
This paper considers many of challenges faced by internet security professionals. The
risks are the same around the world. This research paper suggests taking a holistic approach to
this huge problem.
COMPUTER SECURITY 2
COMPUTER SECURITY POLICY
Computer security policy needs of industry and government have been a priority since the early
1990’s. These policies relate to internet security, firewalls, virus protection and statistical
methods of computer security. Internet security professionals around the world face the same
risks when it comes to the lack of needed resources to develop and sustain an effective security
policy (Waning Security, 1996, p. 3). A holistic approach in computer security policy is needed
(Scientists on Cybersecurity, 2002b, p. 38).
The National Research Council, which advises the government on technology matter, examines
cybersecurity issues including the nature of cybertrheats and common causes of system and
network pboblems. The agency has developed some controversial policy recommendations,
such as making software and system vendors legally responsible for insecure products and
systems (Scientists on Cybersecurity, 2002c, p. 38).
The security risks posed by microcomputers need to be controlled because microcomputers are
being used more frequently in large financial reporting systems. These risks include threats to
data integrity, unauthorized information access, and theft. A cost-effective security plan should
first identify business assets that need protection and risks from which the assets need to be
safeguarded. Controls can then be designed and based on the level of exposure to loss. Specific
security procedures that can be implemented include (1) policy statements on computer security
guidelines, (2) locking devices, (3) password protection, (4) security software such as data
COMPUTER SECURITY 3
encryption programs, and (5) data backup procedures to insure against accidental or intentional
destruction of data (Herdman & Neary, 1987b, p. 9).
Computer security is not always the answer the protecting a computer system. The cost of the
system must be weighed against the cost of damages without it. The purposes of security
systems, which are to prevent sabotage, protect confidential information and guard against
human error or technical failure must also be considered. Apprehensions about sabotage often
come from employee-related or company policy-related problems and computer security only
convinces a saboteur to harm the company in another way. Security systems to protect
confidential information are effective, but cannot protect against individuals intent on getting
information. Although human error and technical failure cannot be eliminated, preventive
measures can be taken. Adequate employee training can minimize human error while automatic
backup of important information is the best safeguard against technical failure (How Much
Computer Security, 1992, p. 12).
Research shows that corporate losses due to poor computer security are more likely to result
from error than from fraud. Further, more fraud losses are caused by employees than by
outsiders. A proper corporate computer security program takes a team approach, with
components including ongoing design, education and enforcement. It should begin with an
examination of the kinds of information the company deals with, and should consider the level of
protection appropriate to each during every phase of its life and regardless of is location or form.
Separation of functions, access controls, audit trails, and regular backup are all essential to
effective computer security. A well-documented, well-publicized security policy can help
COMPUTER SECURITY 4
companies comply with new federal and state laws and prosecute violators more effectively
(Thackeray, 1988b, p. 45)
Data security across networks is also an important issue for network administrators. To secure
intranetworks, some elements to include in a computer security policy are: (1) permission rules,
(2) responsibilities, (3) unauthorized access to files and directories, (4) unauthorized use of
software, (5) use of the network in for-profit activities, (6) use of electronic mail, (7) harassment,
(8) waste, (9) abuse, (10) theft, (11) enforcement, (12) workplace monitoring, (13) network
managers’ responsibilities and (14) the use of the network for non-company tasks (Alexander,
1995b, p. 59).
Needed computer security procedures should be implemented after and based on results of a
preliminary survey, assignment of security project responsibilities, risk analysis, analysis of
defenses against security risks, selection of appropriate defenses, implementation of the security
measures identified and periodic audit and improvement of the security program, security
controls (i.e. detective measures, preventive measures and insurance coverage).
The following procedures are recommended for application by all internet security professionals:
1. Permission – Use of computer facilities must be authorized by the owner of the information or by a senior manage. Prior permission to use another user’s computer account or user-ID from the owner of the account should be required. All computer or electronic files are considered private unless the owner has explicitly made them available to others.
2. Responsibilities – The user is owner of their data. It is their responsibility to ensure that it is adequately protected against unauthorized access. Keep passwords and accounts confidential; change passwords frequently. Do not leave terminals unattended without logging out first. Do not engage in any activity that is intended to circumvent computer
COMPUTER SECURITY 5
security controls. Do not acce3ss the accounts of other with the intent to read, browse, modify, copy or delete files and directories without authorization.
3. Unauthorized Use of Software –Users should be prohibited from loading any software on any computer system (i.e. shareware o freeware software) without approval from the system administrator and your supervisor. Users should be expressly prohibited from using company computers to make illegal copies of licensed or copyrighted software. Copyrighted software must only be used in accordance with its license or purchase agreement.
4. Harassment – Company computer systems are not to be used to harass anyone. This includes the use of insulting, sexist, racist, obscene or suggestive electronic mail, tampering with others’ files invasive access to others’ equipment. Etc.
5. Destruction of Records – Instruct employees how to dispose of old manuals, floppy disks. Shredding and thoroughly erasing floppy disks, removing any information that could be used by an outsider to penetrate a company’s computer system. Recycle ink and toner cartridges.
6. Networks – Disallow use of the company-owned network (or other network accessible by company computers) for any activity other than company business. This includes surfing the Internet, online discussions in newsgroups and bulletin board services, attempting to access other computer systems without authorization, posting commercial messages, and transmitting viruses, worms, or other invasive software.
7. Enforcement – Investigate all alleged abuses of computer resources. Each employee must be responsible for their own actions. A company has the obligation to ensure that its computer resources are used properly and within the guidelines established by the company. The company should have access to all electronic files of its employees. Limiting the access of guilty employees is appropriate. Refer flagrant abuses to senior managers or law enforcement authorities. In extreme cases of flagrant abuse or disregard of computer security guidelines, may result in termination of employment
8. Workplace Monitoring – A company must reserve the right to monitor the computer system for signs of illegal or unauthorized activity. (Alexander, 1995b, p. 59)
In conclusion, computer security professionals must be highly trained, continuously updating
their education, and constantly vigilant in order to protect their company from intruders who
would cause them harm. The computer security professional must have integrity and be
trustworthy. The demands made on the individuals entrusted with the responsibility of computer
security is making that person increasingly valuable as we become a global community and
market place.
COMPUTER SECURITY 6
References
Alexander, M. (1995b). Make It a Policy to Protect Yourself. Datamation, 41 (22), 59. Retrieved
May 19, 2008, from http://find.galegroup.com.
Herdman, R. K., & Neary, R. D. (1987a). Planning Your Microcomputer Security Strategy.
Financial Executive, 3 (4), 9. Retrieved May 19, 2008, from http://find.galegroup.com.
How Much Computer Security. (1992). Across the board, 29 (2), 12. Retrieved May 19, 2008,
from http://find.galegroup.com.
Scientists on Cybersecurity. (2002a). Security Management, 46 (4), 38. Retrieved May 19, 2008,
from http://gind.galegroup.com.
Thackeray, G. (1988a). Computer Security: The Manace is From Inside. The Office, 108 (4),
45. Retrieved May 19, 2008, from http://find.galegroup.com.
COMPUTER SECURITY 7
