Issue-Specific Security Policy

Mahtmarg Information Security Policy

Grantham University

Organization Name: Mahtmarg Manufacturing

  • Statement of Purpose
    • Scope
    • Responsibilities
  • Authorized Uses
  • Prohibited Uses
    • Illegal Conduct
    • System and Network Restrictions
      • Copyright Infringement
      • Proprietary Information
      • Personal Use
      • Malicious Programs
        • Email and Communication Activity Restrictions
        • Blogging and Social Media
      • System Management
        • Authentication
        • System Administrator Responsibilities
        • User Responsibilities
        • Audits
        • Configuration
      • Violations of Policy
        • Procedures for Reporting Violations
        • Penalties for Violations
      • Policy Review and Modification
        • Schedule of Review of Policy
        • Procedures for Modification
      • Limitations of Liability
      • References

      The Mahtmarg Manufacturing company provides fiber cable to local businesses, individual customers, and some government organizations. An information security plan is of paramount importance, as it will be used to clarify the measures the organization will take to protect its customers' information and its own. With the execution of this plan, our main objective is to ensure the security and control of Mahtmarg assets and customer information, including protecting the organization against loss, destruction, and unauthorized access of Mahtmarg information.

      Statement of Purpose

      The purpose of the Mahtmarg information security plan is to provide an overview of the requirements expected of all employees, and to outline the security controls that are in place and how they are expected to function. The Mahtmarg information security plan will also explain the responsibilities and expected behavior of all employees in the handling of this information, as well as the legal implications of its mishandling and misuse. The ISP must reflect input from all branches and managers of the organization, and its implementation will be the responsibility of the Chief Information Officer.

      Scope

      The scope of the Information Security Plan outlines the boundaries of the plan, the information systems, the cyber architecture, and the personnel to which it applies. The Mahtmarg security plan will apply to the organization itself and extend to the customers whom the organization serves. The plan shall pertain to all information systems housed within the organization, including workstations, servers, and data centers, as well as any online storage and cloud services offered. As it pertains to personnel, the plan shall apply to all personnel employed at Mahtmarg, and failure to adhere to the policy may be met with disciplinary consequences.

      Roles and responsibilities of the major roles:

      • Chief Information Officer – the senior-level executive within the organization, responsible for the information technology and computer systems that support enterprise goals. Generally, the CIO reports directly to the CEO.
      • Information Security Officer – responsible for managing and maintaining databases, information catalogues, and web resources; information officers use their expertise to make sure that the information they manage is safe, secure, and easily accessible.
      • Information Security Architect – responsible for designing, building, and overseeing the implementation of network and computer security for the organization.
      • Information Security Coordinator – responsible for planning, coordinating, and implementing security measures to safeguard information in computer files against accidental or unauthorized modification, destruction, or disclosure.
      • Data Proprietor (Administrative Official) – data owners are the individuals who control, and are therefore responsible for, the security and use of a particular set of information; data owners may rely on custodians for the practical aspects of protecting their information and for specifying which users are authorized to access it, but they are ultimately responsible for it (Whitman & Mattord, 2017).
      • Data Custodian (Technical staff) – individuals who work directly with data owners and are responsible for the storage, maintenance, and protection of the information.

      Authorized Uses

      Persons Covered by This Policy

      All employees of Mahtmarg Manufacturing shall have access to the company's network and technology assets in accordance with their roles and duties within the organization. Upon hiring, each employee shall receive a username and password, which they are responsible for safeguarding. Depending upon their specific job, users will be placed in user groups that have been granted the permissions needed to complete their work. Mahtmarg Manufacturing assigns access levels according to the principle of least privilege. Users will be allowed expanded permissions on an "as needed" basis.

      Fair and Responsible Use

      While the use of Mahtmarg Manufacturing electronic resources may be a requirement for work and the completion of other duties, access and use may be restricted or revoked in cases of misuse and reported abuse. Mahtmarg Manufacturing reserves the right to limit access to its electronic resources when applicable policies or state and/or federal laws are violated. Although the monitoring of information and content transported over Mahtmarg's network is not a common, everyday practice, the organization has the right to do so. If content or activities found while monitoring appear to diminish the capacity of the network, threaten the security of the network, are of an offensive/explicit nature, or violate company policy by falling into one of the "Unacceptable Usage" categories, Mahtmarg has the right to block access to the network and online content if it deems this necessary. When accessing the company's network from an outside source (e.g. a public hotspot), any access to the organization's internal network assets, other than the company's public web page, shall be accomplished with a company-issued laptop or device or, if using a personal computer, through the company's VPN tunnel.

      Mahtmarg's network resources shall be used primarily for work, with limited access for personal connections such as internet radio and some email. Under no circumstances shall users access websites or download files from any of the following:

      • Peer-to-peer sharing sites
      • Pornographic material
      • Online gambling and other gaming websites
      • Websites used for spreading racist, sexist, discriminatory, and/or offensive content

      Information Security

      The security of our information, both internal proprietary information and the personal information of our employees, is of paramount importance to us. It is crucial that all employees safeguard their login information for access to the organization's resources. We have taken great measures to ensure the security of our information with top-of-the-line security and firewall protection for our servers. As such, access to internal information when using an outside connection will only be allowed through a VPN tunnel, to help ensure the safety of information traversing our network.

      Prohibited Use

      Prohibition of illegal conduct

      The purpose of this policy is to outline and summarize the prohibited uses of the information technology assets of Mahtmarg Manufacturing. Engaging in any of the activities outlined in the prohibited use policy may expose Mahtmarg Manufacturing to unnecessary risk, such as external attacks (e.g. worms, viruses, and malware), compromised network systems, and the legal and privacy issues associated with tampering with and theft of data.

      Employees of Mahtmarg are not authorized to engage in any activity that is deemed illegal or in violation of local, state, federal, or international law, and engaging in such acts may be met with disciplinary action and/or criminal charges from local, state, and/or federal authorities.

      There may be instances where some employees are exempted from some of these restrictions in the fulfillment of their job duties, in which case the exemption shall be monitored and documented. The policy that follows applies to all use outside of assigned duties.

      System and Network Activity Restrictions

      The following system and network restrictions shall be adhered to by all Mahtmarg Manufacturing employees. Each activity is defined below for clarity.

      Employees shall not engage in:

      • Copyright infringement – Producing, duplicating, or distributing information, pictures, or documentation that violates the rights of any person or company protected by copyright, trademark, registered patent, or other intellectual property, or using software products that are not appropriately licensed for Mahtmarg Manufacturing.
      • Unauthorized use for personal business – Use of Mahtmarg Manufacturing assets for personal business is strictly prohibited unless authorized by a department manager.
      • Proprietary information disclosure – Distribution of confidential material, trade secrets, or proprietary information outside of the company is prohibited and will mean immediate termination of employment and possible litigation or prosecution.
      • Export control violations – Transmitting software, technical information, encryption software, or technology in violation of export control laws, which is illegal.
      • Account disclosure – All employees are prohibited from disclosing their account information. Use of another employee's credentials is strictly prohibited and will result in being locked out of the system and possible further disciplinary action.
      • Malicious programs – Purposefully introducing any malicious programs (e.g. viruses, worms, Trojan horses, email bombs, and so on) into Mahtmarg assets is strictly prohibited. As a precaution, all computers will have virus definitions pushed automatically during non-business hours. Furthermore, all email attachments will be scanned, and certain attachment types will not be allowed (.mp3, .mov, .exe, etc.).
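      The attachment rule above names a deny-list of extensions and requires that every attachment be scanned. The following is an added example, not part of the Mahtmarg policy and not its mail gateway's actual implementation, showing how such a filter can be applied to a raw message in Python. It assumes the extensions from the policy (.mp3, .mov, .exe) extended with a few constructed entries, and it also inspects the first bytes of each attachment, because an extension-only check is defeated by a renamed file (for instance report.pdf.exe, or an executable saved as .txt). The sample message and its attachments are constructed inline for the demonstration.

```python
"""Attachment policy check: extension deny-list plus content inspection.

Added example (not part of the Mahtmarg policy text). Extensions .mp3,
.mov and .exe come from the policy; the remaining entries and the sample
message are constructed for illustration only.
"""
import email
import re
from email.message import EmailMessage

# Extensions named in the policy, plus assumed additions for illustration.
DENIED_EXTENSIONS = {".mp3", ".mov", ".exe", ".scr", ".bat", ".js"}

# Leading bytes that identify executable content regardless of file name.
EXECUTABLE_MAGIC = {
    b"MZ": "windows-pe",     # Windows EXE/DLL
    b"\x7fELF": "elf",       # Linux executables
    b"#!": "script",         # shebang scripts
}


def all_extensions(filename: str) -> list[str]:
    """Return every extension in a name, so 'invoice.pdf.exe' yields
    ['.pdf', '.exe'] and a double-extension name is still caught."""
    basename = re.split(r"[\\/]", filename.lower())[-1]
    parts = basename.split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str, payload: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one attachment."""
    name = filename.strip().rstrip(".")
    for ext in all_extensions(name):
        if ext in DENIED_EXTENSIONS:
            return "block", f"denied extension {ext}"
    # Extension looks harmless: still check what the bytes actually are.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return "block", f"executable content ({kind}) despite name {name!r}"
    return "allow", "no policy match"


def evaluate_message(raw: bytes) -> list[dict]:
    """Walk a raw RFC 822 message and return one verdict per attachment."""
    msg = email.message_from_bytes(raw)
    verdicts = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, payload)
        verdicts.append({"filename": name, "verdict": verdict, "reason": reason})
    return verdicts


def build_sample_message() -> bytes:
    """Constructed sample with three attachments (test data, not real mail):
    a harmless PDF, a double-extension executable, and an executable renamed
    to look like a text file."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed header", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed header", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for v in evaluate_message(build_sample_message()):
        print(v)
```

      Run stand-alone, the script allows report.pdf and blocks the other two attachments, the second by extension and the third by its leading bytes. The extension deny-list is the weakest part of this control; the content check is what makes the rule meaningful, and attachments inside archives or encrypted containers are not opened here, so the scanner the policy refers to still has to handle those.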

      Email and Communication Activity Restrictions

      The use of company email will be a daily occurrence within the organization. As such, employees are expected to conduct themselves professionally in its use. All emails are monitored, digitally signed, and stored so that, in the event of a violation, the message can be traced back to its source. This section of the policy gives guidance on the use of email for all Mahtmarg employees.

      Employees shall not use the company email to engage in:

      • Harassment – Engaging in any form of harassment is unacceptable and will result in disciplinary measures being taken, up to and possibly including termination.
      • Chain letters – There will be no transmitting or dispatching of chain letters, or of advertisements not related to the company's business purposes or activities.
      • Unsolicited emails – Employees shall not send unsolicited emails (spam) to anyone within the organization. Email shall be used primarily for conducting business and receiving information from the organization's management.

      Blogging and Social Media Activity Restrictions

      While we at Mahtmarg Manufacturing understand that we are in a technological age where many of our employees communicate through online mediums such as Facebook, Instagram, Snapchat, and various other blogging and social media outlets, we have a strict policy regarding the activities of our employees. Please be aware of the following concerning blogging and social media.

      Employees shall observe the following:

      • Representation of the company – Representing the company on blogs or social media is not permitted unless it has been authorized. Wearing the company uniform at unsanctioned events is not permitted, as we are not in control of those events and do not want to portray a negative image or appear to condone the actions of another organization or individuals.
      • Separation of personal and professional comments – Employees are expected to keep their professional and personal lives separate, so as not to put the organization in the position of having to defend itself from employees' personal comments. Any postings concerning our organization, unless posted by our marketing team on our social media accounts, shall carry a disclaimer that your personal views are not those of the company.

      Systems Management

      Authentication and Encryption

      Many of the systems and applications used by Mahtmarg Manufacturing ("Mahtmarg") use authentication and authorization mechanisms, including access control lists, to ensure that data can be accessed only by authorized users. In addition to our systems, Mahtmarg will use its best efforts to ensure that all personnel and visitors are authorized before entering the premises, by use of guards and other security measures. All departments, employees, temporary staff, and contractors are required to use Mahtmarg Manufacturing approved authentication and encryption solutions. This shall ensure that we preserve the confidentiality, integrity, and control of access to all data classified as "restricted" wherever said data is processed, stored, or transmitted. Currently we use Microsoft BitLocker for drive encryption; employees must enter their BitLocker password before they can reach the network authorization screen. Network authorization will be handled by the operating system when using an in-house computer, but you will need to use a VPN if logging in from another network.

      System Administrator Responsibilities

      Mahtmarg system administrators will be responsible for remaining technically proficient with regard to technology and best practices relevant to IT. Administrators will also maintain security procedures in keeping with the current security policies. System administrators shall develop procedures that address issues such as access control, backup and disaster recovery mechanisms, and continuous operation in case of power outage or other disruptions. Taking reasonable precautions to protect against and detect corruption, compromise, or destruction of technological resources will also be a key responsibility of the system administrator. Finally, the system administrator maintains access privileges for the organization, ensures that access levels are correct, and conducts internal audits.

      User Responsibilities

      Users are a key component in keeping information secure within our organization. Users must safeguard the credentials they use to access our systems. Users shall also comply with all policies and regulations set forth in this information security policy, as well as all state and federal laws. Users should only use our systems for authorized purposes. If there are any violations or suspected security or policy breaches, users are expected to report them to their manager or the technology department. Users are also forbidden from disabling firewalls or antivirus protections.

      Audits

      The audit policy shall serve as a guideline for the security audit team when conducting a security audit of Mahtmarg's IT systems. Security audits are performed to protect the entire system from the most common security threats, including viruses, Denial of Service (DoS) attacks, password compromise, unauthorized access, etc. Audits may also be conducted to ensure the integrity, confidentiality, and availability of information and resources, to monitor security measures for compliance, and to investigate security incidents. The system administrator will be responsible for internal audits. For external audits, any access needed/requested shall be provided by the system administrator. Audit reports will be kept in digital form and hard copy for a period of at least two years. All users, upon receiving their login credentials, shall acknowledge and sign documentation stating that they understand that they may be audited at any time.

      Configuration

      A standard set of mandatory configuration settings shall be established and documented for IT products used within the organization. All Mahtmarg systems shall have a baseline configuration consisting of:

      • Standard operating system and installed applications with current version numbers.
      • Standard software load for workstations, servers, network components, and mobile devices.
      • Up-to-date security patches.
      • Organizational network topology settings.

      If any changes need to be made, the CIO shall determine the types of changes made to systems that are under configuration control. Changes to configurations shall be documented and approved by the CIO before they take place.

      Violations Policy

      Reporting and Response to Violations

      Users of the Mahtmarg community who believe that they have witnessed or been the victim of a violation of the usage policy should notify or file a complaint with the Information Technology office. All reports will be forwarded to the individual's department manager, withholding the reporting individual's name unless absolutely necessary. If the department manager determines that a violation has occurred, a file shall be maintained and disciplinary action will be taken accordingly. Depending upon the severity of the damage caused by the violation, the offending employee may be required to bear the costs of bringing the system back to an operating state, as well as any legal fees and/or fines, settlements, or judgments awarded to the organization.

      Penalties for Violations

      Violations of this policy and its procedures will be handled by the Information Security Department along with the manager of the violating person. Mahtmarg system administrators reserve the right to suspend, block, or restrict access to information and network resources when it appears that an employee may have violated the policy. Additionally, this may be done in order to preserve the security, integrity, and availability of the network. If deemed necessary, Mahtmarg may report suspected violations of local or federal law to the appropriate authorities.

      Violations of this policy and its procedures can result in disciplinary action up to and including separation from Mahtmarg Manufacturing and/or fines and imprisonment. Disciplinary offenses shall proceed in the following manner:

      • Verbal warning – a verbal statement to the employee that he/she has broken a rule and/or regulation and that such violation may not continue.
      • Written reprimand – official notice is given in writing to the employee that he/she has broken a rule and/or directive.
      • Suspension – depending on the severity of the offense. Notice of suspension will be provided to the employee in writing.
      • Discharge – the employer/employee relationship is severed.

      Any employee receiving four warnings in a twelve-month period shall be subject to discharge.

      Review and Modification Policy

      This policy outlines the procedures and practices for the review and modification of the Mahtmarg Manufacturing ISP.

      Reviewing Policies

      In an effort to ensure that Mahtmarg Manufacturing continues to operate with best practices as they pertain to information security, the Mahtmarg Information Security Policy (ISP) shall be reviewed semi-annually to determine whether any of the procedures that have been set forth need to be altered, or whether any additions need to be made. During the review, at a minimum, the following topics shall be discussed:

      • Incidents/disasters that occurred or were thwarted
      • Known threats
      • Known vulnerabilities
      • Risk assessment
      • Obsolete practices

      If there are any changes to be made to the ISP, please refer to the "Modification Policy" of the ISP.

      Modification of Policies

      As the ISP is a "living document", there will be instances where protocols and procedures need to be modified. If any modifications are needed, the following procedure should be followed:

      • Modifications will only be made after semi-annual reviews, unless an emergency protocol must be enacted.
      • All changes shall be voted on by the ISP committee members:
        • Information Security Manager
        • IT Manager
        • Network Manager
        • HR
        • Legal
      • Changes to any of the protocols or procedures will require an amendment.
      • Amendment proposals must be typed and emailed, with a digital signature attached, to the committee members for discussion and vote.
      • Change requests shall be logged by the Information Security Manager.
      • Amendment proposals may be sent back for further detail or changes.
      • If the vote passes, a policy modification form, along with the attached amendment, will need to be approved/signed off by the CISO.
      • Once approved, the amendment will be added to the policy, the revision will be sent out company-wide by email, and a hard copy will be maintained by the Information Security Manager.

      Limitation of Liability

      As the Mahtmarg ISP must be adhered to by all employees, contractors, and authorized users, the following outlines the company's limitations of liability in the event that the policy is not followed.

      In the event of failure to adhere to the policies set forth in the Information Security Policy of Mahtmarg Manufacturing, to the extent permitted by applicable law, the company shall not be responsible for any loss of an employee's/contractor's/authorized user's personal revenue or any other damages incurred when using company systems for purposes that lie outside the scope of their duties with Mahtmarg Manufacturing. If persons should incur a loss during the performance of their duties, notwithstanding adherence to the policies of the ISP, damages resulting from claims relating to this agreement shall not exceed $500 (USD).

      If abuse of the company’s ISP incurs a loss for the organization, the persons responsible may be held liable for restitution of all or a portion of the costs to recover from such loss up to the amount of $10,000 (USD).

      Acceptance of these terms of liability is assumed upon signing and acceptance of the company's ISP.

      References