There are multiple steps for creating a security plan. One must create information security policies and identify an individual who is responsible for implementing them, such as keeping passwords secure. Informing employees of these policies and training them is crucial in developing and maintaining a security plan. Critical information assets, and the risks surrounding them, must be known and maintained, for example the IDS (Intrusion Detection System) and firewalls that are in use. Below are some of the main parts of a comprehensive security plan.
Password Security- Passwords should have several requirements, such as using capital letters, a minimum number of characters, and requiring a new password every 30-45 days (TBD).
Client-level Security- Using 2-factor authentication, antivirus, proxy settings, and controlling what is accessed in browsers.
Operational Security- Covering the involvement of the employees in security programs. Employees need to be instructed and continuously taught these safety practices.
Emergency Security Plans- Disaster plans for fire, floods, loss of power, terror threats, etc.
Physical Security- All network servers are required to be secured in a locked room or enclosure. All server rooms will require CO2-based fire extinguishers and smoke detectors. Server rooms need to be temperature and humidity controlled. All servers need to run on an uninterruptible power supply (UPS). Access to the server room will be managed and monitored. The use of unauthorized devices will be controlled and monitored as well. All network devices will be cataloged and accounted for. When an employee wishes to use a device, he or she will need to sign it out.
Personnel Security- New employees will be screened before hire to assess their ability to confidently protect and handle sensitive data. All employees must take it upon themselves to learn proper internet practices and sign documents stating that they will adhere to all rules and regulations. Employees will not use their personal devices on the company network unless authorized. It is recommended not to give employees or customers access to the wireless network from their own devices unless proper security measures are taken.
Data Communications Security- Firewalls and other security services will be implemented. All employees shall use encryption for all documents when available. Access to the network will be controlled, and only authorized devices will be allowed to connect. Every user's network ID is required to have a password of at least 9 characters that includes special characters and will be reset every 30-45 days (TBD). Login and logout details of every network-connected device will be recorded and saved. Accounts will lock after 5 failed password attempts. All data will be treated as confidential information.
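The password, lockout and login-recording rules above are the kind of policy that is easy to state and easy to get subtly wrong in practice. The following is an added example (not part of the original plan, and not any product's code) that turns those rules into a small, self-contained enforcement routine: a policy check for the 9-character and special-character requirements (with the capital-letter requirement taken from the Password Security section), a salted hash so the password itself is never stored, a counter that locks the account on the 5th failed attempt, a rotation check, and an audit record for every attempt. The 45-day value is assumed as the hard upper bound of the plan's "30-45 days (TBD)" range, and the user and device names are constructed sample data.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 9        # plan: at least 9 characters
MAX_FAILED = 5        # plan: lock after 5 failed password attempts
ROTATION_DAYS = 45    # plan says 30-45 days (TBD); 45 is assumed here as the hard limit


def password_violations(pw: str) -> list:
    """Return the policy rules a candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is a one-way hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    password_set: datetime
    failed_attempts: int = 0
    locked: bool = False


def create_account(user_id: str, pw: str, now: datetime) -> Account:
    """Reject any password that fails policy before it is ever stored."""
    violations = password_violations(pw)
    if violations:
        raise ValueError("password rejected: " + ", ".join(violations))
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(pw, salt), now)


def attempt_login(acct: Account, pw: str, device: str, now: datetime, audit: list) -> str:
    """Authenticate one attempt, update lockout state and append an audit record.

    Returns 'ok', 'locked', 'expired' or 'denied'.
    """
    if acct.locked:
        outcome = "locked"                      # locked accounts stay locked even with the right password
    elif not hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED:
            acct.locked = True                  # 5th failure locks the account
        outcome = "denied"
    elif now - acct.password_set > timedelta(days=ROTATION_DAYS):
        outcome = "expired"                     # correct password, but past the rotation deadline
    else:
        acct.failed_attempts = 0                # a good login resets the counter
        outcome = "ok"
    # Every attempt is recorded with the device, matching the plan's login logging rule.
    audit.append({"time": now.isoformat(), "user": acct.user_id, "device": device, "outcome": outcome})
    return outcome


def run_scenario() -> dict:
    """Walk through the policy with constructed sample data and return the observed outcomes."""
    audit = []
    now = datetime(2017, 4, 11, 9, 0)           # constructed timestamp
    alice = create_account("alice", "Str0ngPa$$word", now)
    first = attempt_login(alice, "Str0ngPa$$word", "laptop-01", now, audit)
    failures = [attempt_login(alice, "wrong-guess", "laptop-01", now, audit) for _ in range(MAX_FAILED)]
    after_lock = attempt_login(alice, "Str0ngPa$$word", "laptop-01", now, audit)
    # A second account whose password is 60 days old: correct password, but rotation is overdue.
    bob = create_account("bob", "An0ther!Pass", now - timedelta(days=60))
    stale = attempt_login(bob, "An0ther!Pass", "desktop-07", now, audit)
    return {"first": first, "failures": failures, "locked": alice.locked,
            "after_lock": after_lock, "stale": stale, "audit_entries": len(audit)}


if __name__ == "__main__":
    print(run_scenario())
```

The audit list stands in for whatever log store the organization uses; the point is that the record is written on every path, including denied and locked attempts, since those are the entries an investigator will actually want.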
Firewall- A sophisticated firewall will be used to protect the network and allow for network monitoring. It will also block and log intrusion attempts. It will feature web filtering, antispam, and an Intrusion Prevention System (IPS). By configuring the firewall properly, certain harmful websites, or those of a pornographic nature, can be blocked. Those who try to access these improper websites will be easily identified and then disciplined.
Virus Protection- As with any network, the risk of harmful items like viruses needs to be fought using advanced virus protection software as well as proper education on how to avoid these potential dangers. It is the responsibility of every user to combat viruses. The virus protection software shall be able to scan incoming files before they are saved to the network. The virus protection software must also be updated continuously.
• The goal is to provide a safe working environment for all the assets and interests of the company.
• Adopt the layered defense model of physical security- First is the perimeter, then building grounds, building entrance, building floors/offices, then finally data centers and media supplies and equipment. Each layer will be secured individually.
• Surveillance- Principal tool for protection of space.
• Can be landscaping, lighting, and CCTV. Cameras will be set up to give a complete view of the perimeter of the building as well as every interior room.
• Equipment will be advanced enough to provide proper detection, recognition, and identification.
• Properly located entrances, exits, landscaping, and fencing can control the flow or limit access to foot and automobile traffic.
• Key locks, keypads, mantraps, proximity readers, barricades, and guards will be implemented to control who can access what.
• A proper check of the building will be done to determine whether the materials used are fire-rated, penetration resistant, and earthquake resistant, and to identify potential hazards in its power, water, heating, A/C, and ventilation systems.
• Fire support systems will also be addressed, and the multiple types of fire extinguishers will be available for all to use, including a proper, advanced fire detection system.
We will avoid EMI and RFI disturbances interfering with our devices and equipment by using EMI shielding, such as shielded twisted-pair cables.
Faraday shields can also be used to shield against EMI.
Current layouts of electrical equipment and devices will be checked and rearranged to reduce the chance of EMI or RFI interference.
Areas which need additional security
• Data centers, server rooms, communication centers, and any computer containing highly sensitive information will require added physical security.
• Building entry points will be protected with a card access control system. Inside the building, doors will be accessible with facial-recognition equipment as well as a proximity badge.
New security practices
• All employees will be added to an access list and only gain access to what they need to have.
• All employees will be required to take a class on proper security policies regarding both the use of the network and building itself.
• All employees will have to sign an information protection agreement as well as be briefed on proper social media etiquette and personal device usage, such as restricting cell phones in certain areas.