Saturday, September 14, 2019
Develop information security awareness
Nancy Johnson worked in U.S. Bancorp organization and was fired in April 2002 on the basis of viewing confidential files of the company and some personal files of supervisor Kathy Ashcraft that she was not allowed to view. Information security awareness and training program must have following content to make employees aware of the U.S. Bancorp policies and avoid such occurrence in the future. All employees must be well aware of all the policies of an organization governing computer systems, networking, information assessment, privacy and authorization to view any content. All policies must be available on the intranet and/or desktop of an employee. Policies are constantly updated according to the day-to-day needs hence must be read and understood carefully as soon as these are updated. In case an employee is unable to understand anything, he/she must immediately contact his/her supervisor or manager to know about their specific roles and policies elaboration. All computer users of the company must understand that ALL information on the companyââ¬â¢s intranet is confidential and valuable asset of a company, which must be accessed on need-to-know basis after obtaining authorization from their manager. All computer users in an organization will have permission to access to the confidential information or other information not relevant to the user on the basis of valid reason and need-to-know basis to perform a particular job. The permission will be limited to time period required to perform that job and the amount of information required. Employees will not share this information with any other of their co-workers within an organization and/or any person outside the organization unless it is needed, specified and authorized to share such information with those who are also authorized to view this information for the time period and authority granted. All employees who work in the Bancorp organization will be abide by all security laws, rules and policies. They must follow these rules and regulations and support their implementation. Employee will report any misuse of such information by any user on the intranet of the company or any external threat, if he/she is informed about it. 2- Information security awareness and training program for probing networks connected to the clients Moulton, a network administrator, tried to port scan illegally for the computer networks of the Defendantââ¬â¢s client. Information security awareness and training program defines following content in order for network administrator to know of policies and rules. The job of a network administrator is to handle all technical issues on the network, manage software, hardware, and administer tools of the network. However, in no way a network administrator will use clientââ¬â¢s network resources and private information without any need and authorization. A network administrator must understand this that all network resources on the clientââ¬â¢s computer network, data, files are private and confidential and asset to be used by the client only. Network administrator will understand the core concepts, policies and strategies of the security training program. He/she will be abide by all the rules and laws while administrating networking tools. Access to the centrally administered network will be granted on permission with valid reason of a need to have such assessment to perform a particular task. Authentication to use network will be granted with specific user ID and password. User id and password must be changed frequently to maintain high level of security. Network of clientââ¬â¢s computer possess valuable and confidential information. Access to this information is not allowed unless the person is authorized to view it. Network administrator will return all valuable material to company upon termination. He will be responsible to dispose of any sensitive information not of any further use. 3-Information security awareness and training program for Information security violation concerns Watkinsââ¬â¢ security concerns were regarding use of that confidential information by another employee along with him. Hence he requested State of Tennessee cancellation of the secret code. However, another employee who had access to the information was authorized to do so. Watkinsââ¬â¢ plea was rejected by the court. Information security awareness and training program must have following content of security violence. Information security is very important and none can access this information accept those who are authorized to do so. None will be allowed to get this information except solely for companyââ¬â¢s business purpose and for processing different tasks. Hence, only ââ¬Å"authorizedâ⬠persons can access that information with a specific code. Authorized means theyââ¬â¢re allowed legally to use this information in one or another form for the benefit of company/people/business/organization. Hence, there is nothing violation of privacy when such confidential information is accessed by the authorized people. However, an authorized person will use that information only for the period of time and to the extent heââ¬â¢s granted permission. Authorized person will not misuse that information for his/her own purpose or in any case will not sell, transfer or damage such information in any circumstances. Misuse of such information may result in revoke of authorization and administration. It can also result in termination from job. Authorized use of such information for the good of company is not a security violation. Security administrator will be in charge of all information and will report any violation by the users. He will keep in check proper protection all confidential data and will be in charge of granting permission to different users to access required information as needed. References Enisa Security awareness. Retrieved from http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_a_users_guide_how_to_raise_IS_awareness.pdf NIST security awareness. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment