May 10, 2025
see attached.
Finalproject.docx
For the final project, you will write a paper that is a minimum of four pages in length that creates and outlines an IT security policy for a medical facility.
Your security policy must contain the following sections:
· Information Security Policy Overview,
· Application Development Security,
· Data Backup and Storage,
· Physical Security,
· Network Device Installation and Configuration,
· Data Handling,
· Remote Access,
· Email,
· Internet and Web Access,
· Device Security, and
· Process for communicating the policy to stakeholders.
Your paper should include a title page and a reference page. Be sure to follow proper APA citations. At a minimum, use your textbook as a resource for this assignment and include it on your reference page.
Course Textbook(s): Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson. https://online.vitalsource.com/#/books/9780134858548
UnitVII.pdf
SEC 4303, IS Security Policy Analysis
Course Learning Outcomes for Unit VII
Upon completion of this unit, students should be able to:
4. Analyze a security policy for its completeness.
4.1 Assess security requirements for physical environments.
4.2 Determine the responsibility for physically securing a facility.
4.3 Determine recommendations for securing a facility.
Reading Assignment
Chapter 7: Physical and Environmental Security
Unit Lesson
Physical security is an important aspect of any organization. An organization can consider the location site,
surroundings, potential for disasters, and infrastructure as part of the composition of the facility. Therefore, it
is important to ensure organizations have sufficient policies established to protect the systems, facilities, and
networks from physical tampering. ISO/IEC 27002:2013 provides guidelines for organizational information
security standards and information security management practices including the selection, implementation,
and management of controls taking into consideration the organization's information security risk
environments (International Organization for Standardization [ISO], n.d.). These standards focus on the
implementation processes, accepted controls, and creation guidelines. Physical and environmental
safeguards are sometimes overlooked when we refer to security but are critical in protecting information
technology elements.
Santos (2019) explains that environmental security refers to the workplace environment, which includes
the design and construction of the facilities, how and where people move, where equipment is stored, how the
equipment is secured, and protection from natural and man-made disasters. Organizations need to observe
the different areas that pose vulnerabilities to their physical structure. Think about the building perimeter for a
small credit union. This type of institution may not have a full-time security guard, so the institution needs to
observe the teller lanes, back-door entries, front-door access, and surrounding streets. A bank robber could
identify these factors before performing an act of robbery.
Organizations can protect assets with physical parameters, technical devices, and established procedures.
Physical controls refer to the presence of physical deterrents to ensure the security of the perimeter or
environment (buildings’ structures and server rooms) containing information and information systems. These
controls are meant to stop unauthorized personnel from gaining access to buildings (fire escapes, back
doors); the use of locks on offices, server rooms, and other sensitive areas challenge those who are not
supposed to have access to restricted areas. Technical security relies on security measures that employ
technology in some way. Usually, they are related to computers and software techniques, but they can
equally apply to technical systems or locks such as biometric techniques and authorized electronic card
access.
Unit VII Study Guide: Understanding Physical Security
Layered Defense Model
Layered defense strategies can help protect organizations and prevent unauthorized access. This concept also holds true for physical security. If an intruder feels that entering a location is rather difficult, then he or she may decide to move on to another organization or extend the reconnaissance to identify the access areas. Think about the security controls you have in place at your residence. Most residences have locks on the doors and windows and maybe pets to help deter potential dangers. We can also enhance the security by adding cameras and alarm systems along with decals and signage stating the home is protected by a particular vendor. This certainly places some fear in the criminal's mind, so security becomes a psychological aspect for both the resident and the criminal. Obviously, this is positive for the resident and negative for the criminal.
As with any organization, the physical aspect is usually the first entry point because it can be as simple as
driving to the location. An organization’s location certainly dictates the level of security along with the
sensitivity of the data in the systems. You see many commercial buildings providing statistics on the crime
rates in the area when the facility is for sale. This information is needed because the monthly expenses can
increase depending on the level of security needed. Location-based threats that need to be evaluated include
political stability, susceptibility to terrorism, the crime rate, adjacent buildings, roadways, flight paths, utility
stability, and vulnerability to natural disasters (Santos, 2019). The protective strategies we can use are lights,
gates, locks, card readers, security guards, alarms, and cameras to detect and deter criminals. An obvious
deterrent would be security guards because they are very visible and can walk the facility. Organizations
determine the types of facility guards needed; this might include professional physical security staff or other
personnel such as administrative staff or information system users (NIST, n.d.). A seasoned criminal can
easily observe these security personnel, which demonstrates the importance of physical security for the
organization. It is also good to test new strategies throughout the year so the security parameters are
constantly changing and a criminal cannot plan for an intrusion.
The entry or main door is the focal point of most organizations. At the facility entry, we can have employee locks, ID cards, kiosks, and security guards. We also have personnel there to address questions from visitors signing in for a visitor badge. This is usually the area where criminals use piggybacking because of the traffic and activity, especially when work begins for the day. Piggybacking is the process of walking behind a current employee when entering a building and using that employee's access card or presence as a means to enter the building. A helpful employee may hold the door open for a criminal, thinking this individual is an employee of the organization. This happens more at larger organizations because most employees at larger facilities do not know every employee of the organization. Therefore, it is extremely important that the front desk personnel enforce the physical security policies for the employees of the organization. An employee needs to know what actions to take if someone follows behind him or her without swiping a badge. The organization also needs another set of eyes on the entry point to ensure piggybacking does not occur.
If we review earlier units regarding human resources, then we can see why background checks are so
important. We need to hire personnel with strong ethics and integrity to ensure they are following policies and
protecting the organization. If an employee fails to shut a back door or lets a friend with questionable
intentions enter the facility, it can be extremely dangerous for the organization. The friend may not want to
access the network internally to collect information but may want simply to steal equipment. We have also
seen a dramatic increase in shootings, so physical security policies need to be followed by every employee.
[Figure: Security cameras can prevent unauthorized access (Neurolink, 2017)]
[Figure: Security guards act as deterrents to crime (McGuire, 2015)]
The Federal Identity, Credential, and Access Management program provides implementation guidance for
identity, credential, and access management capabilities for physical access control systems (NIST, 2018).
One issue that is not always covered under physical security is facility power. If the power goes out, this can
be damaging to systems, data, and products. Systems need to be protected from power loss, degradation,
and power or voltage spikes (Santos, 2019). Power is taken for granted unless you have a major storm
where everything is down for hours or days, depending on the severity. We have recently seen this with
hurricanes, so business continuity plans are essential. Let’s take the case where an organization loses power
for three hours. What type of criminal activity can be performed during this time? Remember, criminals cannot
anticipate this type of power loss unless they have something to do with the disruption. However, the existing
employees may take advantage of the power loss for instances of theft or document removal. This can
certainly happen when camera systems are down and everyone is preoccupied with the event. Unfortunately,
many organizations do not have policies written to protect the facility during a power loss.
Organizations may store millions of records that can contain sensitive information. Therefore, if an
organization plans to dispose of any of the information or older servers with information, they should follow
stringent data destruction procedures. Additionally, the type of market may also dictate the level of data
removal strategies that need to be applied. Efficient and effective management of information that is created,
processed, and stored by an information technology (IT) system throughout its life, from inception through
disposition, is a primary concern of an information system owner and the custodian of the data (Kissel, Scholl,
Skolochenko, & Li, 2006). Santos (2019) stated the objective of physical destruction is to render the device or
the media as unreadable and unusable. Devices and media can be crushed, shredded, or, in the case of hard
drives, drilled in several locations perpendicular to the platters—penetrating clear through from top to bottom.
Summary
In summary, organizations need to review the potential dangers when it comes to physical security. Although
an organization may have front desk personnel and security systems in place, there are still plenty of ways
criminals can gain access to the site. We also have to consider the vendors and suppliers that regularly visit
the sites. An established policy will help enforce the procedures and provide better overall results. It is also
important to have accountability for each department and employee when it comes to physical security.
Finally, small organizations have limited budgets, so they have to explore all solutions when it comes to
security. They may not be able to hire a full-time security guard, but they can install security cameras. This is not
as effective, but it can be a deterrent.
References
International Organization for Standardization. (n.d.). ISO/IEC 27002:2013.
https://www.iso.org/standard/54533.html
Kissel, R., Scholl, M., Skolochenko, S., & Li, X. (2006). Guidelines for media sanitization: Recommendations
of the National Institute of Standards and Technology (NIST Special Publication 800-88).
https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=50819
McGuire, R. (2015). Police, security, safety, protection, crime, guard [Photograph]. Pixabay.
https://pixabay.com/en/police-security-safety-protection-869216/
National Institute of Standards and Technology. (n.d.). NIST Special Publication 500-53 (Rev. 4).
https://nvd.nist.gov/800-53/Rev4/control/PE-3
Neurolink. (2017). Camera, monitoring, protection, security camera [Photograph]. Pixabay.
https://pixabay.com/en/camera-monitoring-protection-2456434/
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson.