Bloom Design Group Information Security Policy
University of Phoenix / Axia College
IT244 Intro to IT Security
November 1st, 2009

Executive Summary

The overall objective of the Bloom Design Group Information Security Policy is to create a program that promotes a secure data environment within the Bloom Design Group community and protects against attacks, or threats of attack, on productivity, intellectual property rights, reputation, and client and employee privacy.
Because technology plays a vital role in the modern workplace, it is paramount to Bloom Design Group's future that all data and personal information (client and employee) is secure and free from harm. This policy applies to all users, and to those Bloom Design Group designates as "guest users", on the Bloom Design Group network, and to all data resources, analog or digital. The policy details the responsibilities of users and "guest users" in preventing unauthorized and unwanted access to Bloom Design Group's network and related data.
The information security policy is designed to comply with the Sarbanes-Oxley Act of 2002 and all other governmental laws that regulate specific types of information and technology.

Introduction

Bloom Design Group is an interior design company that offers services to businesses and individual clients on all seven continents. One of the many services Bloom offers is an online virtual design studio, located on the company's website.
The design tool allows clients to experiment with color schemes and design ideas and view realistic visuals of a finished project. The website also gives designers access to client files and to Bloom's original design and style guide, as well as the ability to order furniture and design materials as they are needed. Bloom Design Group has its corporate headquarters in New York and a satellite office in Los Angeles; the majority of Bloom's employees work remotely over a secure VPN (Virtual Private Network), so Bloom can effectively have an office virtually anywhere at any time. For Bloom Design Group there are three main areas of focus for improving information security: physical site security, access control and network security.

Physical Security Policy

One of the most under-rated areas of information security is the physical security of the facility or business. This area covers the security of the building, of the areas where information is stored, and of the information systems it is stored on.
Security of the facilities

Physical Entry Controls – All entry points into the buildings will be converted to a keyless entry system using an individual-specific PIN (Personal Identification Number), which grants each user access only to the areas their job requires. Entry to the server room and other designated areas will be controlled by a biometric system that admits only authorized personnel. Both methods will produce a detailed log of who entered and exited each area, and when.
Offices, Server Rooms and Facilities – The two offices of Bloom Design Group (New York and Los Angeles) will have keyless entry into the buildings and closed-circuit video cameras at all entry and exit points. Server rooms and other designated areas will have biometric access to ensure that only authorized people enter secure areas. The server room will use rack-mounted servers, and the racks can be locked to prevent theft. The server room will also have a fire-suppression system that does not use water and a built-in HVAC system that keeps the room at an optimal temperature.
The facilities themselves must be examined to determine whether the current design will benefit long-term information security. For example, the server room walls should extend above the ceiling to eliminate a potential unauthorized entry or break-in point. Isolated Delivery and Loading Areas – Delivery and loading areas will be monitored by closed-circuit television cameras, and all deliveries and pick-ups will be signed in and out by the receiving manager. All "guests" will be escorted throughout the building by a representative of Bloom Design Group.
Security of Information Systems – Workplace Protection – All access to the buildings and job-specific areas is monitored and cross-checked against daily reports; all visitors are escorted through the building for the duration of their stay; employees are subject to random bag and locker checks. Network/Server Equipment – Convert to rack-mountable server units; the individual racks can be locked and secured, with the key held only by the Network Administrator or the Director of IT. All vulnerable equipment must be kept in a locked, biometric-secured room.
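The entry logs produced by the PIN and biometric doors (Physical Entry Controls) and the daily cross-check described under Workplace Protection, as an added example that is not part of the original policy and not a Bloom Design Group system. The log format, badge IDs, area names, working hours and denial threshold are constructed assumptions; the audit compares each granted entry against a job-specific area list and flags bursts of denials, after-hours entries, entries with no recorded exit (a tailgated exit), exits with no recorded entry (a tailgated entry), and people still inside at the end of the day.

```python
"""Daily cross-check of the keyless-entry (PIN) and biometric door logs.

Added example for this policy, not a Bloom Design Group system: the log
format, area names, badge IDs and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the areas each badge holder's job entitles them to enter.
AUTHORIZED_AREAS = {
    "E1001": {"lobby", "design_floor"},                 # designer
    "E2002": {"lobby", "design_floor", "server_room"},  # network administrator
}

# Constructed sample of one day's log: timestamp,badge,area,direction,method,result
SAMPLE_LOG = """\
2009-11-02T08:02:00,E1001,lobby,ENTER,PIN,GRANTED
2009-11-02T08:03:10,E1001,design_floor,ENTER,PIN,GRANTED
2009-11-02T09:15:00,E1001,server_room,ENTER,BIOMETRIC,DENIED
2009-11-02T09:15:40,E1001,server_room,ENTER,BIOMETRIC,DENIED
2009-11-02T09:16:05,E1001,server_room,ENTER,BIOMETRIC,DENIED
2009-11-02T10:00:00,E2002,lobby,ENTER,PIN,GRANTED
2009-11-02T10:01:00,E2002,server_room,ENTER,BIOMETRIC,GRANTED
2009-11-02T11:30:00,E2002,server_room,EXIT,BIOMETRIC,GRANTED
2009-11-02T13:00:00,E3003,design_floor,ENTER,PIN,GRANTED
2009-11-02T17:30:00,E1001,design_floor,EXIT,PIN,GRANTED
2009-11-02T17:31:00,E1001,lobby,EXIT,PIN,GRANTED
2009-11-02T22:45:00,E2002,lobby,ENTER,PIN,GRANTED
"""


def parse_event(line):
    """One CSV log line -> dict; the timestamp becomes a datetime for ordering."""
    ts, badge, area, direction, method, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "badge": badge, "area": area,
            "direction": direction, "method": method, "result": result}


def audit(log_text, authorized=AUTHORIZED_AREAS, workday=(7, 19),
          denial_threshold=3, denial_window=timedelta(minutes=10)):
    """Return (finding, badge, area, timestamp) tuples for the day's anomalies."""
    findings = []
    inside = set()               # (badge, area) pairs the log says are still inside
    denials = defaultdict(list)  # badge -> timestamps of denied attempts
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        badge, area, ts = ev["badge"], ev["area"], ev["ts"]
        if ev["result"] == "DENIED":
            # A burst of denials at one door looks like PIN guessing or an
            # attempt to use someone else's access; report once at the threshold.
            denials[badge].append(ts)
            recent = [t for t in denials[badge] if ts - t <= denial_window]
            if len(recent) == denial_threshold:
                findings.append(("REPEATED_DENIALS", badge, area, ts))
            continue
        # Access was GRANTED: the door's decision must match the job-specific list.
        if area not in authorized.get(badge, set()):
            findings.append(("GRANTED_BUT_NOT_AUTHORIZED", badge, area, ts))
        if ev["direction"] == "ENTER":
            if not workday[0] <= ts.hour < workday[1]:
                findings.append(("AFTER_HOURS_ENTRY", badge, area, ts))
            if (badge, area) in inside:
                # Two entries with no exit between them: the earlier exit was
                # not logged, i.e. the person tailgated out behind someone else.
                findings.append(("ENTRY_WITHOUT_EXIT", badge, area, ts))
            inside.add((badge, area))
        else:
            if (badge, area) not in inside:
                findings.append(("EXIT_WITHOUT_ENTRY", badge, area, ts))
            inside.discard((badge, area))
    for badge, area in sorted(inside):
        findings.append(("STILL_INSIDE_AT_END", badge, area, None))
    return findings


def daily_report(findings):
    """Plain-text lines for the daily report the policy calls for."""
    return [f"{kind:28} badge={badge} area={area} at={ts.isoformat() if ts else '-'}"
            for kind, badge, area, ts in findings]


if __name__ == "__main__":
    print("\n".join(daily_report(audit(SAMPLE_LOG))))
```

On the constructed day the report shows a designer (E1001) denied three times at the server room within two minutes, a badge (E3003) that is not on any authorization list yet was let onto the design floor (a stale or misconfigured credential), and the administrator (E2002) re-entering the lobby at night without a logged exit from the morning. The point of reviewing the granted events, not only the denials, is that a door that opens for someone who should not be authorized is a configuration failure that the door itself will never report.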
Equipment Maintenance – All servers, workstations, printers and other network-assigned equipment will be put on a rotating maintenance schedule that ensures every piece of network equipment is cleaned and checked at least every three months. Security of Laptops and Roaming Equipment – Individuals who are assigned laptops must sign for the equipment and assume all responsibility for its care and maintenance. All individuals assigned a laptop will be granted access to the secure VPN (Virtual Private Network) through the software known as DameWare.
Through the VPN, these individuals reach the Bloom Design Group network resources that their job-specific group permits, as described in the Access Control Policy.

Access Control Policy

Access control is a vital piece of the security puzzle; a quality access control policy provides a substantial layer of protection for any network. User enrollment – Each individual will be placed into one or more job-specific groups, so that users can access the network resources needed for their job and are kept out of areas that are not related to it.
Identification – Identification occurs every time a user logs into a system. Each user is assigned a unique user name, and it is this user name that distinguishes one user from another. A randomly generated password will be issued for each Bloom Design Group system a user needs; these passwords are what confirm that the correct individual is in the correct job-specific area. All employees are to be notified that writing down a user name or password, or allowing another user to "borrow" one's user name and password, is a disciplinary offense.
Each of these offenses can lead to disciplinary action up to and including immediate termination. Authentication – Users authenticate with the unique user name and password described above; any Bloom Design Group system that sends or receives sensitive or personal data will protect that data with 128-bit encryption. All decisions regarding encryption come from the Network Administrator or the Director of IT. All keys are distributed through the IT Department with the approval of the Network Administrator or the Director of IT.
Privileged and Special Account Access – Clients of Bloom Design Group will be granted guest access to the design and ordering tools on the Bloom Design Group website. Once a client or designer registers with the site, they are issued a temporary user name and password. Privileged access to the network will be granted to Directors, managers and department supervisors; this access covers management-related areas such as payroll, hiring, and coaching and training.
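The enrollment, identification and account rules above (job-specific groups, a unique user name per person, a randomly generated initial password, temporary guest accounts for clients and privileged access for management), as an added example that is not part of the original policy and not Bloom Design Group's own code. The group and resource names, the account lifetime, the PBKDF2 iteration count and the minimum password length are constructed assumptions; times are plain epoch seconds so the expiry check is deterministic.

```python
"""User enrollment, credential issuance and job-specific authorization.

Added example for this policy, not Bloom Design Group's own code. The group
names, resource names, account lifetimes and password rules are constructed
assumptions; times are plain epoch seconds so the checks are deterministic.
"""
import hashlib
import hmac
import secrets
import string

# Constructed: which job-specific group may reach which resource.
# A resource not listed for any of a user's groups is denied by default.
GROUP_RESOURCES = {
    "guest":      {"design_studio", "ordering"},
    "designer":   {"design_studio", "ordering", "client_files", "style_guide"},
    "sales":      {"ordering", "client_files"},
    "it":         {"client_files", "style_guide", "server_admin"},
    "management": {"client_files", "payroll", "hiring", "training"},
}

PBKDF2_ITERATIONS = 200_000          # assumed work factor
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
MIN_PASSWORD_LENGTH = 12             # assumed minimum for user-chosen passwords


def generate_password(length=16):
    """Random initial password from the CSPRNG in `secrets`, never from `random`."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Directory:
    """Accounts keyed by the unique user name that identifies each person."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, username, groups, now, lifetime_seconds=None):
        """Create an account in one or more job-specific groups and return its
        one-time initial password. Temporary (client) accounts get an expiry."""
        if username in self.accounts:
            raise ValueError(f"user name already in use: {username}")
        unknown = set(groups) - set(GROUP_RESOURCES)
        if unknown:
            raise ValueError(f"unknown groups: {sorted(unknown)}")
        password = generate_password()
        salt, digest = hash_password(password)
        self.accounts[username] = {
            "groups": set(groups),
            "salt": salt,
            "digest": digest,
            "expires": now + lifetime_seconds if lifetime_seconds else None,
            "must_change": True,   # the issued password is to be replaced at first use
        }
        return password

    def authenticate(self, username, password, now):
        """True only for a known, unexpired account and a matching password."""
        record = self.accounts.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown names
            return False
        if record["expires"] is not None and now >= record["expires"]:
            return False
        _, digest = hash_password(password, record["salt"])
        return hmac.compare_digest(digest, record["digest"])

    def change_password(self, username, old, new, now):
        """Replace the initial password; requires the old one and a minimum length."""
        if len(new) < MIN_PASSWORD_LENGTH or not self.authenticate(username, old, now):
            return False
        record = self.accounts[username]
        record["salt"], record["digest"] = hash_password(new)
        record["must_change"] = False
        return True

    def authorize(self, username, resource):
        """Deny by default: allow only if some group of the user lists the resource."""
        record = self.accounts.get(username)
        if record is None:
            return False
        return any(resource in GROUP_RESOURCES[g] for g in record["groups"])
```

Two design points follow the policy text directly: the directory never stores the password itself, only a per-user salt and a PBKDF2 digest, so a copy of the account records does not give anyone a usable credential, and `authorize` answers from the user's groups rather than from any per-user exception list, so a designer who needs payroll access must be moved into the management group by the IT Department rather than quietly granted the resource.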
Remote Access – Remote access is granted to employees who work outside the office; these positions include management, the IT Department, the Sales Department and the Design Department. Remote access will be provided through the DameWare software, which provides a link to the secure VPN (Virtual Private Network).

Network Security Policy

The rules governing overall network security are among the most important, because they are what allow or deny access to the network in the first place. As these rules are the front line of defense, they must be stable, strict and strong.
Network access – Network access will be given only to employees of Bloom Design Group, clients of Bloom Design Group, and vendors or designers who have been granted limited access to tools and resources on the website and network. Network Security Control Devices – Bloom Design Group will use a NACwall Micro from NetClarity, Inc.; this device runs audits and database searches to locate vulnerabilities within the network. The NACwall explains and clearly defines each discovered vulnerability, beginning with the initial audit; the type of audit is customizable to meet any industry, federal or legal regulation, including HIPAA and the Sarbanes-Oxley Act of 2002.

Conclusion

In closing, the importance of a valid and comprehensive information security policy should be noted. The physical security of a network is important, the security of the hardware is important, and the security of the applications and programs is important, but the most important piece of any security system is the individuals who are the users of the network.
Users must be vigilant and responsible, because people will always be the deciding factor in whether or not a security policy is effective.

References

http://www.scmagazineus.com/NetClarity-NACwall-Micro/Review/2458/
http://www.dameware.com/
http://www.sans.org/reading_room/whitepapers/policyissues/
http://www.ruskwig.com/security_policies.htm
Merkow, Mark S., & Breithaupt, Jim. (2006). Information Security: Principles and Practices. Chapter 12.