Security policies and procedures
Student’s Name
University’s Name
Table of Contents
Introduction
Importance of security plans, policies and procedures
Data privacy policies and procedures
Data isolation policies and procedures
Non-Disclosure Agreement (NDA) policies and procedures
Intellectual Property (IP) policies and procedures
Password policies and procedures
Acceptable use of organizational assets and data policies and procedures
Employee policies and procedures (separation of duties/training)
Risk response policies and procedures
Compliance (Regulatory, Advisory, Informative)
Incident response policies and procedures
Auditing policies and procedures
Environmental/physical policies and procedures
Administrative policies and procedures
Configuration policies and procedures
References
Introduction
This is a manual of security standards, policies, and procedures recommended to the management of Brainhub limited. It first looks at why implementing security plans, policies, and procedures matters to the organization. It then recommends appropriate policies and procedures for data privacy, data isolation, non-disclosure agreements (NDA), intellectual property, passwords, acceptable use of organizational assets and data, employees, risk response, compliance, incident response, auditing, environmental/physical security, administration, and configuration.
Importance of security plans, policies and procedures
According to Loots, M. (2001), a company’s security policy is the “central repository where intangible such as corporate philosophy, mission statements, culture, attitude to risk and other difficult to define parameters can finally be crystallized into enforceable, measurable action statements, procedures and ways of working”. Security plans, policies and procedures are important because:
According to Yeagley, G. (2015), they address threats. Yeagley recognizes that threats are everywhere and new ransomware appears every day; a security policy and procedure is used to detect such threats and mitigate them.
According to Yeagley, G. (2015), a security policy and procedure establishes who does what, when, and why. Yeagley says that security policies and procedures “provide a roadmap to employees of what to do and when to do it”. A good example is defining who is responsible for assigning passwords to users, what is expected when creating a password, and where the password is used to access the system.
Data privacy policies and procedures
Purpose
The main purpose of the data privacy policy and procedures is to protect people’s data from being accessed without the consent of the data owner.
Scope
These policies apply to employees, contractors, and clients.
Responsibilities
The data privacy policies will be enforced by compliance management.
Policies
The organization will inform the data owner of the actual purpose for which the data is collected.
The organization will give data owners the choice of whether or not to allow further processing of their data.
The organization will be accountable for users’ information and for how that information is processed.
The organization will use the collected information only for its intended purpose and for nothing else.
Compliance
Any individual who does not comply with these policies will be subjected to disciplinary action and/or termination of employment.
Data isolation policies and procedures
Purpose
The purpose of the data isolation policies is to ensure that data is isolated from unauthorized users.
Scope
The data isolation policy applies to data stored in the database.
Responsibilities
This policy will be enforced by the database security administrator.
Policies
A password is required to access data stored in the database.
The password must be encrypted.
Data transferred over the network must be encrypted.
Compliance
Noncompliance with these policies will result in disciplinary action.
Non-Disclosure Agreement (NDA) policies and procedures
Purpose
The purpose of the non-disclosure agreement policies is to explain how employees should handle the organization’s confidential information, including trade secrets.
Scope
This policy applies to employees and contractors who work at the organization premises.
Responsibilities
The non-disclosure agreement policy will be enforced by human resource management.
Compliance
Failure to comply with these policies will lead to termination of employment and/or legal action.
Policy
Confidential information must remain on the organization’s premises at all times.
Confidential information must be kept locked in a secure place at all times.
Access to the organization’s confidential information is restricted; not everyone may access it.
Intellectual Property (IP) policies and procedures
Purpose
The purpose of these policies is to establish a framework for the ownership, reporting, and commercialization of intellectual property.
Scope
These policies apply to employees and contractors who work for the organization.
Policy
The organization regards creative work and intellectual property created through research on the organization’s premises or in the day-to-day running of the organization as a valuable organizational asset.
Any commercialization of intellectual property that an employee developed using the organization’s facilities is the organization’s property, and the employee will receive an amount agreed upon between the employee and the organization.
Password policies and procedures
Purpose
The purpose of the password policies is to provide a guideline on how passwords are to be created and used within the organization.
Scope
This policy applies to employees and contractors who have been issued an organization account and can access the organization’s network.
Responsibilities
This policy will be enforced by the Systems Administrator.
Policies
Passwords must not be shared between users.
The system must lock out a user who enters an incorrect password three times.
A password must be longer than 10 characters and include letters, special characters, and numbers.
A password must be changed periodically, e.g. every month.
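As an added example (not part of the original manual), the password rules above expressed as enforceable code in Python: a complexity check for the longer-than-10-characters, letters, numbers and special characters rule, a lockout after the third wrong password, and an "expired" result once the password is older than the change interval. The salted PBKDF2 hash, the 30-day interval and the `Account` class are assumptions of this example, not Brainhub’s actual system.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                # policy: lock out after three wrong passwords
MAX_PASSWORD_AGE = timedelta(days=30)  # policy says "e.g. every month"; 30 days assumed

def password_violations(pw: str) -> list[str]:
    # Returns the policy rules a candidate password breaks (empty list == compliant)
    checks = [
        (len(pw) > 10, "must be longer than 10 characters"),
        (any(c.isalpha() for c in pw), "must contain a letter"),
        (any(c.isdigit() for c in pw), "must contain a number"),
        (any(c in string.punctuation for c in pw), "must contain a special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest (assumed implementation of 'the password must be encrypted')."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime       # when the password was last set
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def create(cls, pw: str, now: datetime) -> "Account":
        if problems := password_violations(pw):   # reject before anything is stored
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        return cls(salt, hash_password(pw, salt), now)

    def login(self, pw: str, now: datetime) -> str:
        """Return 'locked', 'denied', 'expired' (change required) or 'ok'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(pw, self.salt), self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True     # third wrong password locks the account
                return "locked"
            return "denied"
        self.failed_attempts = 0       # a correct password resets the counter
        if now - self.changed_at > MAX_PASSWORD_AGE:
            return "expired"
        return "ok"
```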
Compliance
Failure to adhere to this policy will result in the user being denied access to the organization’s systems for a period of time, and may lead to termination of employment if the user has been warned repeatedly.
Acceptable use of organizational assets and data policies and procedures
Purpose
This policy sets out how the organization’s assets are to be used and handled.
Scope
This policy applies to the organization’s assets, including laptops, workstations, servers, software, stationery, etc.
Responsibilities
This policy will be enforced by the Chief Information Security Officer.
Policy
Every employee assigned an asset by the organization is responsible for that asset.
All users of IT assets must have received prior training.
IT assets must be used only for their intended purpose and only by authorized users.
Employee policies and procedures (separation of duties/training)
Purpose
The employee policies and procedures set out how employees are to conduct themselves within the organization and while representing the organization to clients.
Scope
This policy applies to all employees of the organization.
Responsibilities
This policy will be enforced by human resource management.
Policy
Employees shall uphold ethical behavior at all times.
Employees shall abide by the organization’s rules and regulations and by applicable laws at all times.
Employees shall perform the duties assigned to them as specified in the job description for their position.
Employees shall meet the stipulated individual performance requirements.
Risk response policies and procedures
Purpose
The purpose of this policy is to manage risks arising from threats to data confidentiality, integrity, and availability.
Scope
This policy applies to the organization’s information systems and to electronic data transferred over the network.
Responsibilities
This policy will be enforced by the Chief Information Security Officer.
Policy
The organization’s information systems must be assessed for risks that threaten the confidentiality, integrity, and availability of data.
Identified risks must be mitigated.
Every information system must have a security plan derived from the risk input and from security and vulnerability assessments.
Compliance (Regulatory, Advisory, Informative)
Purpose
The purpose of this policy is to ensure effective governance of the company in accordance with its policies, its procedures, and the law.
Scope
This policy applies to employees, contractors, and the user data that is collected.
Responsibilities
This policy will be enforced by the senior management of the organization.
Policy
The organization is required to comply with relevant legislation and obligations.
Since Brainhub operates in Europe, it must comply with Europe’s General Data Protection Regulation (GDPR).
Compliance management will conduct training on compliance obligations.
Incident response policies and procedures
Purpose
The purpose of this policy is to define the roles and responsibilities of the team that investigates computer security incidents and data breaches.
Scope
This policy applies to the company’s information systems.
Responsibilities
This policy will be enforced by the Computer Security Incident Response Team.
Policy
The Incident Response Team will detect and investigate security incidents and breaches.
An affected IT asset must not be turned off.
Affected IT assets must be labeled so that users do not use them.
Everything must be documented, from the incident itself and the actions taken to the lessons learnt.
Auditing policies and procedures
Purpose
This policy covers the assessment of the organization’s performance against defined metrics and regulations.
Scope
The scope of this policy includes the company’s business units, assets, governance, and security.
Responsibilities
Auditing will be performed by internal and external auditors.
Policy
Several audits will be performed, including environmental audits, information technology (security) audits, performance audits, and compliance audits.
Environmental/physical policies and procedures
Purpose
The purpose of this policy is to ensure the physical security of the information processing equipment.
Scope
This policy applies to business units, employees, and contractors wishing to access the information processing facilities.
Responsibilities
This policy will be enforced by the management of the organization.
Policy
Servers will be placed in a well-ventilated room that is kept under lock and key at all times.
CCTV will be installed on the organization’s premises to enforce security.
Access to the organization’s premises and offices will require an identification card.
Compliance
Any person who does not comply with this policy will be subject to disciplinary measures and/or termination of employment.
Administrative policies and procedures
Purpose
The purpose of this policy is to set the rules for how the organization is run and governed on a day-to-day basis.
Scope
This policy applies to sick leave, hiring and firing of personnel, dress code, promotions, etc.
Responsibilities
This policy will be enforced by the senior management of the organization.
Policy
New employees will undergo a probation period of six months.
If an employee’s performance during the probation period is not satisfactory, his/her employment will be terminated.
After an employee completes the probation period, he or she will be confirmed within one month of the end of the probation period.
An employee’s salary will be adjusted based on an assessment of the employee’s performance, work experience, and educational background.
Leave and public holidays will be paid days.
Compliance
Any person who does not comply with this policy will be subject to disciplinary action and/or termination of employment.
Configuration policies and procedures
Purpose
The purpose of this policy is to ensure the proper configuration of devices within the organization, thereby protecting the organization’s data and information systems.
Scope
This policy applies to information systems, including routers, switches, servers, firewalls, etc.
Responsibilities
This policy will be enforced by the system and network administrators.
Policy
The organization’s devices must be configured properly and in accordance with the organization’s standards.
References
Loots, M. (2001). Importance of a security policy. Retrieved from https://pdfs.semanticscholar.org/63f4/8a40f006c8e0c1de52903649217e589b89db.pdf
Yeagley, G. (2015). IT security policies and procedures: why you need them. Retrieved from https://www.compassitc.com/blog/it-security-policies-and-procedures-why-you-need-them