Creating And Communicating A Security Strategy Essay

Creating And Communicating A Security Strategy


Professor: Kourosh Samia

By: La’Sha May

January 23, 2020

Communicating Security Strategy

Business Environment

The business set up at the mall is a fin-tech organization identified as Cash Link Company. Fin-tech covers development areas such as wealth management, crowdfunding, lending, and payment, and provides more personalized services than traditional firms (Leong and Sung, 2018). Fin-tech is thus financial technology in the form of software and other technologies used by firms that provide improved and automated financial services. Cash Link is a fast and innovative mobile payment system that lets tech-savvy customers carry out lending, money transfers, loan management, and investing in a way that is scalable, secure, and effortless, without any assistance or visit to the bank. Cash Link Inc. operates a branch at the mall where customers can come to make inquiries or reach the technical teams if there are issues with their funds or transactions.

Because of the sensitivity of the organization’s model, in which it handles many customers as well as the money they transact, the organization must protect those customers. Information can be attacked from the outside, but there is also a chance that personnel on the inside can access information without authorization, leading to leakages. According to Ahmad, Maynard, and Chan (2015), a majority of information security professionals agree that little is being done to tackle data leakage in organizations; the focus has been on financial, technical, and physical security instead of human factors. Ahmad et al. (2015) add that a common approach to safeguarding information is compartmentalizing sensitive company information and processes, so that only staff who “need to know” can access the information. Such techniques reduce the needless circulation of sensitive information and limit the risk of leakage. In this memo, Cash Link Inc. sets out policies, standards, and practices that restrict access to sensitive information to only those employees who are authorized.

Policies

1. Purpose

In developing the policies for Cash Link Inc., the aim is to institute and maintain the confidentiality and security of the networks, applications, information systems, and information held or owned by Cash Link Organization.

2. Employees

IT operations shall be responsible for maintaining the logs listed below for a minimum of 40 days for each supported server:

· Activity logs: Only activities that the system administrators perform

· Operating system access logs: Record invalid attempts to access operating system resources

· System access logs: Record both unsuccessful and successful log-on attempts

3. User access authorization and controls

· Access to data shall be restricted to authorized users who have a credible business need to access it.

· The database and application service teams shall maintain the list of restricted databases and applications and their corresponding business owners.

· Approval for access to restricted business databases and applications must be granted by the nominated business owner.

· Authorization requires an electronic mail from the business owner’s mail account granting permission for the appropriate access.

4. Cash Link Company shall ensure that appropriate information classification controls are in place, based on the outcomes of a formal risk assessment and guidance:

· Information classified Confidential: Used for information passing between the company’s employees and employees of other appropriate organizations.

· Documentation classified Restricted: Used for sensitive documents, including contractual and financial records. Such documents are marked Restricted because their disclosure can result in:

· Challenges in maintaining the operational effectiveness of the company

· Damage to the reputation of the company or its officers, or significant distress to the client

Standards

1. Purpose

1.1. The aim of this standard is to enable teams to operate using a defined set of security requirements, so that solutions are developed, deployed, and managed according to the department’s security standards, which are based on international best practice for information security.

2. Scope

2.1. This standard contains security control requirements that are product agnostic and apply to all IT systems, service implementations, or applications provided for use in the departments.

2.2. Additional controls can be applied based on the security classification of the data being processed by the Department’s IT service implementation, application, or system.

3. General Security Control Requirements

3.1. Controls MUST be implemented to limit access to business computing devices, network services, information systems, applications, and any data processed and stored in them.

3.2. The Agencies and Department MUST implement identification and authentication controls to manage the risk of unauthorized access, maintain the correct management of user accounts, and allow auditing.

3.3. All individual Departments, networks and services, applications, and information systems MUST be maintained with a System Access Control Policy that MUST be approved by the authorized Information Asset Owners.

3.4. The System Access Control Policy MUST provide the information that the individuals involved in using, operating, or developing the system, service, or application will require, so as to ensure that:

a) The service, application, or system is developed with the authorized security mechanisms in place

b) Procedures are developed to support the operation of the service, application, or system in accordance with the appropriate security standards and policies.

4. Access and Identity

4.1. Access and identity management arrangements MUST provide a reliable set of methods for:

a) Identification of users by means of unique UserIDs

b) Authentication of users by means of smartcards, biometrics, or passwords

c) Identification of equipment, such as MAC-based authentication

d) The user ID procedure

e) Authorizing user access privileges

f) Administering user access privileges

4.2. User profiles MUST contain the following details:

a) Unique/Primary USER-ID

b) Whether access to remote and local resources is required

c) Any protected encryption servers, encryption key data, or credentials

d) Key dates (such as reactivation, last-changed, termination, account start)

e) Full name

f) Other USER-ID

g) Address

h) User status (on leave, terminated, suspended, and recertification required)

i) Job, group, or other role codes that permit indirect resource access authorization

j) All authorized access rights
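The approval flow in Policies 3 and the profile fields in 4.2 can be combined into one access decision. The following is an added example, not part of the essay: a restricted-application registry with business owners, role codes granting indirect access, and account status and validity dates are all hypothetical, constructed values; the "active" status is assumed alongside the statuses the profile lists.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Constructed sample registry (Policies 3): restricted applications and the
# business owner whose mail account must grant access. Values are hypothetical.
RESTRICTED_APPS = {
    "ledger-db": "owner.finance@cashlink.example",
    "loan-mgmt": "owner.lending@cashlink.example",
}
# Job/group role codes that permit indirect access (4.2 i); hypothetical.
ROLE_GRANTS = {"FIN-ANALYST": {"ledger-db"}, "LOAN-OFFICER": {"loan-mgmt"}}

@dataclass
class UserProfile:
    """Subset of the user-profile details listed in 4.2."""
    user_id: str
    full_name: str
    status: str                 # active, on leave, terminated, suspended, recertification required
    role_codes: Set[str]        # indirect access via role codes
    access_rights: Set[str]     # directly authorized access rights
    account_start: date
    termination: Optional[date] = None

def access_allowed(profile, app, approvals, today):
    """Decide one access request; approvals maps (user_id, app) -> approver mail account."""
    if app not in RESTRICTED_APPS:
        return False, "application not in the restricted registry"
    if profile.status != "active":
        return False, f"user status is '{profile.status}'"
    if today < profile.account_start or (profile.termination and today >= profile.termination):
        return False, "outside account validity dates"
    granted = set(profile.access_rights)
    for role in profile.role_codes:
        granted |= ROLE_GRANTS.get(role, set())
    if app not in granted:
        return False, "no direct or role-based access right"
    owner = RESTRICTED_APPS[app]
    if approvals.get((profile.user_id, app)) != owner:
        return False, f"no approval e-mail from business owner {owner}"
    return True, "approved"

# Constructed sample input.
ALICE = UserProfile("u1001", "Alice Example", "active", {"FIN-ANALYST"}, set(), date(2019, 6, 1))
BOB = UserProfile("u1002", "Bob Example", "suspended", {"LOAN-OFFICER"}, set(), date(2019, 6, 1))
APPROVALS = {("u1001", "ledger-db"): "owner.finance@cashlink.example",
             ("u1002", "loan-mgmt"): "owner.lending@cashlink.example"}
if __name__ == "__main__":
    for user, app in ((ALICE, "ledger-db"), (ALICE, "loan-mgmt"), (BOB, "loan-mgmt")):
        print(user.user_id, app, access_allowed(user, app, APPROVALS, date(2020, 1, 23)))
```

Every denial carries the failed check as its reason, which is what an auditor reviewing the "anomaly is reported and documented" requirement would want in the log.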

Practices

One of the best practices that can be implemented to control which individuals have access to the business systems is the principle of least privilege (Veinović, 2016). According to the principle, each application, service, or user requires only the permissions needed to carry out its role and nothing else. It is one of the fundamental approaches in network and system security. No matter how proficient the user, they should be authorized only for the network resources they need to conduct their duties.

One of the critical reasons for minimizing each user’s level of access is that it significantly lowers the security risk and attack surface (Veinović, 2016). By strictly limiting the individuals who can access critical systems, one lowers the risk of malicious or unintentional data leaks or changes, whether by the users themselves or by hackers who obtain their credentials. Specifically, the possibility of malware, viruses, or rootkits being installed is limited, because the majority of accounts will not have the administrative privileges needed to install them.

Another benefit of implementing least privilege is regulatory compliance. Many standards require a firm to give users only the privileges required to conduct their functions, particularly privileged users. Even if the business is not required to follow such regulations, implementing the least privilege principle constitutes smart practice.

Additionally, the least privilege approach simplifies configuration and change management. Each time an individual with administrative privileges logs in, there is a likelihood that the configuration of the system can be inappropriately changed, either accidentally or deliberately (Veinović, 2016). Least privilege assists the organization in maintaining the required configuration of a system by controlling who can change what.
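The least-privilege argument above becomes checkable once each role has a privilege baseline. This added example (not the essay’s own) audits constructed account records against hypothetical role baselines, reporting rights to revoke, accounts that hold administrative rights (the attack surface the text says most accounts should not have), and roles with no baseline at all.

```python
# Added example: least-privilege audit over constructed account records.
# Role baselines and privilege names are hypothetical.
ROLE_BASELINE = {
    "BRANCH-TELLER": {"read:customer", "create:transfer"},
    "SUPPORT-TECH": {"read:customer", "read:transaction-log"},
    "SYS-ADMIN": {"read:customer", "admin:server", "install:software"},
}
# Rights that allow software installation or server configuration changes.
ADMIN_PRIVILEGES = {"admin:server", "install:software"}

def audit_least_privilege(accounts):
    """Compare each account's granted privileges with its role's baseline.

    Returns a report with:
      excess         - (user_id, privileges beyond the role baseline), i.e. rights to revoke
      admin_accounts - user_ids holding any administrative right
      unknown_roles  - user_ids whose role has no baseline, so no privilege is justified
    """
    report = {"excess": [], "admin_accounts": [], "unknown_roles": []}
    for acct in accounts:
        privileges = set(acct["privileges"])
        if acct["role"] not in ROLE_BASELINE:
            report["unknown_roles"].append(acct["user_id"])
        excess = privileges - ROLE_BASELINE.get(acct["role"], set())
        if excess:
            report["excess"].append((acct["user_id"], sorted(excess)))
        if privileges & ADMIN_PRIVILEGES:
            report["admin_accounts"].append(acct["user_id"])
    return report

# Constructed sample accounts: u2002 holds an install right its role does not need,
# and u2004 has a role with no defined baseline.
SAMPLE_ACCOUNTS = [
    {"user_id": "u2001", "role": "BRANCH-TELLER", "privileges": {"read:customer", "create:transfer"}},
    {"user_id": "u2002", "role": "SUPPORT-TECH", "privileges": {"read:customer", "read:transaction-log", "install:software"}},
    {"user_id": "u2003", "role": "SYS-ADMIN", "privileges": {"read:customer", "admin:server", "install:software"}},
    {"user_id": "u2004", "role": "INTERN", "privileges": {"read:customer"}},
]

if __name__ == "__main__":
    for key, value in audit_least_privilege(SAMPLE_ACCOUNTS).items():
        print(key, value)
```

Run periodically, the shrinking of the admin_accounts list is a direct measure of the reduced attack surface the text describes.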

It is the role of management and the IT department to ensure that each department and employee has the appropriate authorization for any login needed to conduct their duties. In particular, the IT department should ensure that the policies, standards, and practices are adhered to, and that any anomaly is reported and documented. The organization should also make it part of its culture that each individual understands their limits when it comes to accessing data. There should likewise be a habit of handling sensitive information as such, to prevent any consequences that could fall on the employee or the organization.

References

Ahmad, A., Maynard, S., & Chan, S. (2015). Memo to business: Information security is not just IT’s problem. The Conversation. Retrieved from https://theconversation.com/memo-to-business-information-security-is-not-just-its-problem-38838

Leong, K., & Sung, A. (2018). FinTech (Financial Technology): What is it and how to use technologies to create business value in fintech way? International Journal of Innovation, Management, and Technology, 9(2), 74-78. Retrieved from https://s3.amazonaws.com/academia.edu.documents/60183957/BH865-PDF-ENG__Fintech__Ecosystem__business_models_20190801-95998-19ksrtq.pdf

Veinović, M. (2016). Privileged identities: Threat to network and data security. In Sinteza 2016: International Scientific Conference on ICT and E-Business Related Research (pp. 154-160). Singidunum University. Retrieved from http://portal.sinteza.singidunum.ac.rs/Media/files/2016/154-160.pdf
