is a written document outlining how a company protects its physical and IT assets. It evolves with changes in technology, vulnerabilities, and security requirements. It may include an acceptable use policy, detailing employee education, security enforcement, and evaluation procedures to ensure effectiveness.
security policy
defines the rules and procedures for accessing and using an organization's IT resources. It reflects the company's culture, risk tolerance, and employees' approach to information security.
IT Security Policy
involves the protection of assets from unauthorized entities
Confidentiality
ensures the modification of assets is handled in a specified and authorized manner
Integrity
is a state of the system in which authorized users have continuous access to said assets
Availability
This policy outlines proper practices for employees when accessing IT assets, including hardware, data, internet, and email. It defines acceptable and unacceptable behaviors when handling critical information. It also highlights the risks and consequences, including legal issues, of improper use, such as accessing data unrelated to one's job, which is crucial for new hires to understand.
Acceptable Use Policy (AUP)
is crucial for successful IT security implementation. Security awareness training helps employees perform their tasks while protecting company information. This policy should educate users on security impacts and include guidelines on workstation maintenance, employee responsibilities, email and internet use, and the personnel in charge of training development.
Security Awareness and Training Policy
focuses on handling security incidents, distinct from the Disaster Recovery Plan. Its goal is to minimize damage, recovery time, and costs. It outlines response procedures, the incident response team, their roles, testing responsibilities, and resources for data recovery. The policy also emphasizes reporting procedures and the importance of regular assessment, monitoring, and updates.
Incident Response Policy
ensures that an organization's information systems have appropriate hardware, software, and auditing mechanisms. It safeguards data confidentiality, integrity, and availability by enforcing regular system activity reviews. The policy also requires documentation of failed login attempts, privileged account usage, anomalies, firewall changes, and network device activities.
Network Security Policy
ensures that all IT and security changes are managed, tracked, and approved. It minimizes outages and maintains regulatory compliance by enforcing a structured procedure for planning and execution. This policy enhances awareness of proposed changes and reduces their impact on services and customers.
Change Management Policy
educates employees on creating strong, unique passwords and how often to change them. It provides guidelines for password creation, security, and management, including rules for changing temporary passwords and avoiding reuse. The policy also enforces password complexity requirements to prevent weak or easily guessable passwords.
Password Creation and Management Policy
ensures users have authorized access to company data. A strong access control policy adapts to changes, minimizing potential damage. The policy can include specifications for user, network, and system access, with models varying based on compliance requirements and security levels.
Access Control Policy
This policy aims to reduce exposure to damages from unauthorized use of company assets during remote access. It applies to all employees and covers email, intranet use, VPN requirements, and disk encryption. The policy also prohibits illegal activities and unauthorized access to work devices.
Remote Access Policy