Information Security Policy Review

Submitted by stvn9877
Heart-Healthy Insurance Information Security Policy Review
To ensure that Heart-Healthy Insurance's Information Security Policy is current, complies with the regulations that apply to the company, and takes advantage of recognized industry standards and frameworks, a review of the current policy has been performed. The recommendations below concern how users are granted access to Heart-Healthy Insurance's information systems and the password requirements for those systems; adopting them will bring the policy into line with the relevant federal regulations and industry standards. As an insurer, Heart-Healthy Insurance handles and stores the personal health information, financial information, and credit card information of clients and business partners, and data of this kind is protected by United States federal law under several privacy acts. Because the company accepts credit cards for premiums and deductibles, it must also comply with the Payment Card Industry Data Security Standard (PCI-DSS), which is an industry standard rather than a statute. Each privacy act and the security standard that Heart-Healthy Insurance must comply with is summarized below.
The Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) was developed "to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally" (PCI Security Standards Council, 2010, p. 5). Requirement 8 of PCI-DSS version 2.0 sets the following rules for passwords and user access:
-Each user must be assigned a unique ID before being allowed access to system components or cardholder data (8.1).
-A user's identity must be verified before a password is reset (8.5.2).
-Passwords for new users and reset passwords for existing users must be set to a unique value for each user and changed immediately after first use (8.5.3).
-Access for terminated users must be revoked immediately (8.5.4).
-Group, shared, or generic accounts and passwords are forbidden and must not be distributed by system administrators, even if requested (8.5.8).
-Users must change passwords at least once every 90 days (8.5.9).
-Passwords must be at least seven characters long and contain both numeric and alphabetic characters (8.5.10, 8.5.11).
-A new password may not be the same as any of the last four passwords used (8.5.12).
-A user ID must be locked out after not more than six failed login attempts, for a minimum of 30 minutes or until an administrator re-enables it (8.5.13, 8.5.14).
-A session that has been idle for more than 15 minutes must require the user to re-authenticate (8.5.15) (PCI Security Standards Council, 2010).

Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) repealed part of the Glass-Steagall Act of 1933, which had prevented a financial institution from acting as any combination of commercial bank, investment bank, and insurance company (Gramm–Leach–Bliley Act, 2014). The GLBA also put in place safeguards governing the disclosure and protection of consumers' personal information (Gramm–Leach–Bliley Act, 2014). The Federal Trade Commission's guidance on complying with the GLBA Safeguards Rule lists the following requirements for passwords and user accounts:
-Each user must have a unique user ID.
-Passwords must be changed on a regular basis.
-Passwords must be at least 6 characters long and use a combination of letters, numbers, and symbols.
-Passwords cannot be shared.
-Immediately deactivate the passwords and user accounts of terminated employees (Federal Trade Commission, 2006).

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established national standards for electronic health care transactions and also addresses the security and privacy of health data (Health Insurance Portability and Accountability Act, 2014). HIPAA's security and privacy requirements were later strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (Dowdell, N.D.). Unlike PCI-DSS, the HIPAA Security Rule does not prescribe password length, complexity, or rotation periods; its password-management and automatic-logoff safeguards are "addressable", meaning a covered entity must implement them or document an equivalent alternative. The following are the practices the cited guidance recommends for satisfying those safeguards on any system that contains personal health information:
-Passwords must be 8 to 10 characters long and include at least 1 letter, 1 number, and 1 special character (Trend Micro, 2012). The 10-character upper bound is that source's recommendation, not a HIPAA rule; a policy that sets only a minimum length is equally acceptable.
-Passwords must be changed every 90 days (Trend Micro, 2012).
-System administrators should specify a period of inactivity (in minutes) after which inactive users must re-authenticate to continue using the system (Trend Micro, 2012).
-Passwords should not be based on or contain usernames (Wyman, N.D.).
-Passwords that are written down must be stored in a secure location, not near the computer (Wyman, N.D.).

Summary
The current Information Security Policy in place at Heart-Healthy Insurance regarding user accounts and passwords meets some, but not all, of the requirements outlined in HIPAA, HITECH, GLBA, and PCI-DSS. To be compliant in all required areas, it is recommended that the following requirements be added:
User Accounts: Each user must be assigned a unique ID for system access. Users will be required to re-authenticate after 15 minutes of inactivity, the idle limit PCI-DSS sets. All user accounts must be deactivated immediately upon termination of employment.
Passwords: Passwords must include at least 1 letter, 1 number, and 1 special character. Passwords cannot be based on, or contain, the username. Passwords must be changed every 90 days. Passwords for new user accounts and reset passwords for existing user accounts must be a unique value and must be changed upon first use. A user's identity must be verified before a password is reset. An account locked out for repeated failed logins must stay locked for at least 30 minutes, the minimum PCI-DSS allows.
Securing the personal information of Heart-Healthy Insurance's clients and business partners is not only required by federal law under HIPAA, HITECH, and GLBA; it is also in the best interest of our clients and business partners. It is equally important for Heart-Healthy Insurance to implement the standards and best practices defined in industry security standards such as PCI-DSS. As information technology continues to advance and the electronic storage, retrieval, and transmission of personal health information become more common, we must maintain the confidence of our clients and business associates that their personal data will be protected. By adopting the proposed changes to the Heart-Healthy Insurance Information Security Policy listed below, we can ensure that Heart-Healthy Insurance is taking every reasonable precaution with personal health data and is in compliance with both federal law and industry standards and best practices.
Updated Heart-Healthy Insurance Information Security Policy
Updated New User Account Policy:
"Each user must be assigned a unique ID for system access. New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager's approval is required to grant administrator-level access. Users will be required to re-authenticate after 15 minutes of inactivity while logged into any of Heart-Healthy Insurance's information systems. All user accounts will be deactivated immediately upon termination of employment."

Updated Password Requirements Policy:
"Passwords must be at least eight characters long and contain a combination of uppercase and lowercase letters, at least 1 number, and at least 1 special character. Passwords cannot be based on or contain the user's username. Shared passwords are not permitted on any system. Passwords for new user accounts and reset passwords for existing user accounts must be a unique value and must be changed upon first use. Passwords must be changed every 90 days. When changing a password, users cannot reuse any of the previous six passwords. Users entering an incorrect password more than three times will be locked out for at least 30 minutes, or until an administrator re-enables the account, before the password can be reset. A user's identity must be verified before a password is reset."
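The rules in the updated password policy are concrete enough to be enforced in code, and writing them down this way exposes the decisions the prose leaves open (how "based on the username" is judged, how the six-password history is stored). The following Python module is an added example written for this review; it is not code from Heart-Healthy Insurance or from any of the cited sources. It implements the length, character-class, username and password-history checks, keeps the history as salted PBKDF2 hashes rather than plaintext, and tracks failed logins with the lockout threshold and duration as parameters (the default duration of 30 minutes is the PCI-DSS minimum in requirement 8.5.14). The usernames and passwords at the bottom are constructed for illustration only.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Parameters taken from the Updated Password Requirements Policy above.
MIN_LENGTH = 8
HISTORY_DEPTH = 6            # may not reuse any of the previous six passwords
MAX_FAILED_ATTEMPTS = 3      # locked out after more than three wrong passwords
# Lockout duration is a parameter; PCI DSS v2.0 requirement 8.5.14 sets a
# 30-minute minimum, which is used as the default here.
DEFAULT_LOCKOUT = timedelta(minutes=30)

# Violation messages, kept as constants so callers can match on them.
TOO_SHORT = "shorter than %d characters" % MIN_LENGTH
NO_LOWER = "no lowercase letter"
NO_UPPER = "no uppercase letter"
NO_DIGIT = "no digit"
NO_SPECIAL = "no special character"
CONTAINS_USERNAME = "based on or contains the username"
REUSED = "reuses one of the previous %d passwords" % HISTORY_DEPTH


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history store never holds plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password, history):
    """True if `password` equals any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_password(username, password, history=()):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if not any(c.islower() for c in password):
        problems.append(NO_LOWER)
    if not any(c.isupper() for c in password):
        problems.append(NO_UPPER)
    if not any(c.isdigit() for c in password):
        problems.append(NO_DIGIT)
    if not any(not c.isalnum() for c in password):
        problems.append(NO_SPECIAL)
    # "Based on or contains the username": compare case-insensitively on the
    # local part of the username, and also catch it spelled backwards.
    local = username.split("@")[0].lower()
    lowered = password.lower()
    if local and (local in lowered or local[::-1] in lowered):
        problems.append(CONTAINS_USERNAME)
    if matches_history(password, list(history)):
        problems.append(REUSED)
    return problems


class LoginThrottle:
    """Counts failed logins per user and enforces a timed lockout."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout=DEFAULT_LOCKOUT):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self._failures = {}  # username -> (failure count, time of last failure)

    def is_locked(self, username, now):
        count, last = self._failures.get(username, (0, None))
        if count <= self.max_attempts:
            return False
        if now - last >= self.lockout:
            # Lockout has expired: the user gets a fresh set of attempts.
            del self._failures[username]
            return False
        return True

    def record_failure(self, username, now):
        count, _ = self._failures.get(username, (0, None))
        self._failures[username] = (count + 1, now)

    def record_success(self, username):
        self._failures.pop(username, None)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    history = [hash_password(p) for p in ("Spring2023!", "Summer2023!")]
    print(validate_password("jdoe", "Summer2023!", history))   # history hit
    print(validate_password("jdoe", "eodJ-2024-Ok", history))  # reversed username
    print(validate_password("jdoe", "Wint3r!Storm", history))  # no violations
    throttle = LoginThrottle()
    t0 = datetime(2024, 1, 1, 9, 0)
    for _ in range(4):
        throttle.record_failure("jdoe", t0)
    print(throttle.is_locked("jdoe", t0), throttle.is_locked("jdoe", t0 + DEFAULT_LOCKOUT))
```

The history check re-derives the hash with each stored salt rather than comparing plaintext, so the same store that backs the "previous six" rule can be kept alongside the live credential without weakening it; the throttle clears its counter once the lockout has expired, otherwise a single stale failure would lock the account again on the next mistake.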

References

Dowdell, S. (N.D.). The HITECH Act & HIPAA. ehow.com. Retrieved April 12, 2014, from http://www.ehow.com/facts_7384264_hitech-act-hipaa.html

Federal Trade Commission. (2006, April). Financial Institutions and Customer Information: Complying with the Safeguards Rule. Retrieved April 13, 2014, from http://www.business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule

Gramm–Leach–Bliley Act. (2014, April). wikipedia.com. Retrieved April 12, 2014, from http://en.wikipedia.org/w/index.php?title=Gramm%E2%80%93Leach%E2%80%93Bliley_Act&oldid=602731130

Health Insurance Portability and Accountability Act. (2014, April). wikipedia.com. Retrieved April 12, 2014, from http://en.wikipedia.org/w/index.php?title=Health_Insurance_Portability_and_Accountability_Act&oldid=603796422

PCI Security Standards Council. (2010, October). PCI DSS Requirements and Security Assessment Procedures, Version 2.0 [PDF document]. Retrieved April 12, 2014, from http://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Trend Micro, Inc. (2012). Addressing the Data Protection Requirements of the HITECH Act [PDF document]. Retrieved April 13, 2014, from http://www.mclellancreative.com/files/trend_micro_white_paper_hitech_compliance.pdf

Wyman, C. M. (N.D.). HIPAA Password Requirements. ehow.com. Retrieved April 13, 2014, from http://www.ehow.com/list_7434736_hipaa-password-requirements.html
