The security policy that I would recommend is based on the CIA triad: Confidentiality, Integrity and Availability. The CIA triad is the basis of all security programs. Information security professionals who create policies and procedures must consider each of the three goals when creating a plan to protect the network. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people (Rouse, 2014).
The company will need to set up accounts and passwords for all users, and grant access to sensitive information only to the users who need it: each user should be given just enough privilege to perform their duties, and no more. The users with high-level access would be the ones able to look up who the customers are, including their names and addresses. This falls under the confidentiality goal of the CIA triad.
No information would be public for just anyone to see. A password and a security code would be required before any information about a customer can be retrieved. This is done to prevent people who are not authorized from changing any information in the system; the managers will require some kind of authorization code and/or signatures before anyone can make changes or obtain any kind of information.
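As an added illustration (not part of the proposal itself), the access rules described above can be expressed as a deny-by-default, least-privilege check: customer names and addresses are readable only by high-level users, nobody acts before authentication, and any change needs a manager's authorization. The role names, record fields and approval step are assumed for the example.

```python
# Added example: a deny-by-default, least-privilege check modelling the
# policy above. Roles, record fields and the approval step are assumed.
from dataclasses import dataclass
from typing import Optional

# Customer names and addresses are sensitive: only high-level access may read them.
SENSITIVE_FIELDS = {"name", "address"}

# Role -> actions it may perform. Anything not listed is denied (deny by default).
ROLE_PERMISSIONS = {
    "clerk": {"read_basic"},
    "manager": {"read_basic", "read_sensitive", "modify", "approve"},
}

@dataclass
class User:
    username: str
    role: str
    authenticated: bool = False  # True only after password and security code check

@dataclass
class ChangeRequest:
    requester: User
    field_name: str
    new_value: str
    approved_by: Optional[User] = None  # the manager's authorization ("signature")

def can(user: User, action: str) -> bool:
    """Least privilege: a user may do only what their role explicitly permits."""
    if not user.authenticated:
        return False
    return action in ROLE_PERMISSIONS.get(user.role, set())

def read_customer(user: User, record: dict) -> dict:
    """Confidentiality: hide name and address unless the user may read sensitive data."""
    if not can(user, "read_basic"):
        raise PermissionError(f"{user.username} may not read customer records")
    if can(user, "read_sensitive"):
        return dict(record)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}

def apply_change(req: ChangeRequest, record: dict) -> dict:
    """Integrity: a change needs modify rights plus a manager's approval."""
    if not can(req.requester, "modify"):
        raise PermissionError(f"{req.requester.username} may not modify records")
    if req.approved_by is None or not can(req.approved_by, "approve"):
        raise PermissionError("change requires a manager's authorization")
    updated = dict(record)
    updated[req.field_name] = req.new_value
    return updated
```

Unknown roles fall through to an empty permission set, so a misconfigured account is denied rather than silently granted access.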
The company will have a backup disk that is updated once a month with all information, or updated whenever new information is stored in the systems. This keeps data and resources available for authorized use, especially during emergencies or disasters. Denying access to people who do not have password rights also helps here: if the system fails due to an electrical problem, not just anyone would be able to get into the system; someone from upper management would have to give the individual some kind of authorization before they can help bring the system back up.
Working from remote locations leads to the use of insecure networks and hence brings in additional security issues. Additional access control mechanisms are required to deal with these problems and to protect the LAN and the user. One other network commonly used by remote users to access corporate networks is the Virtual Private Network (VPN). The VPN creates a private tunnel between the endpoints of the user's network and the protected corporate network, to prevent data modification or eavesdropping. The user connects through his ISP to obtain the Internet connection over which the VPN runs. It is virtually impossible to hack or attack message transfers over the VPN, as it uses powerful cryptography to authenticate both the senders and receivers of messages.
In conclusion, as you can read in this document, ACP is a very important part of an organization's security. This document is just a summary of what is proposed, and can be modified accordingly based on cost, need, and any other factors that may arise.