is433finalcase_adnanamyashwaqfrancisco


Upload: yasir-r-khan

Post on 16-Dec-2015


IS433 Final Case_Adnan Amy Ashwaq Francisco.docx.docx

Ashwaq Al Abduljabbar
Adnan Ali
Francisco Gonzalez
Amy Rosen
IS 433 Final Project

Globex Corporation is based in Zurich and has offices across Europe. The company delivers product and parcels across Europe, the Americas, and Asia. Globex carriers use GPS and the packages utilize RFID and/or bar codes for identification. Globex identified concerns for potential loss of company data that is subject to governmental privacy regulation. Accidental or purposeful loss of this data can reduce trust in Globex and can create a negative company image or cost Globex unnecessary legal fees.

Deficiencies
Significant fundamental deficiencies in Globex data security and sources of business and monetary risk are:
o Lack of a formalized information security policy
o Lack of a Chief Information Security Officer
o Lack of a formalized company security awareness program

Pathways to improvement:
Ways to improve Globex's information security and therefore secure its standing with its competitors and secure its bottom line:
o Create a formalized information security policy.
o Create a position for Chief Information Security Officer and head count to hire a team.
o Work with Training, IT, and Human Resources to create a formal company security awareness program.
o Document the Physical Security Policy surrounding the Data center, in continuing work toward ISO certification for the Data Center.
o Document the Human Resources Security Policy to aid in compliance issues.
o Document Access Controls.
o Categorize and classify all data to assist in disaster recovery and business continuity and to protect proprietary information.
o Improve "Tone at the Top" Governance and Risk Management.
o Ensure all employees follow proper procedures and guidelines.
o Promote a positive work environment and sustain motivation.

Initial Recommendations:
The Globex goal of preventing loss of company data can only be achieved through a formalized security policy and supporting policies. Therefore, it is recommended that Globex immediately establish a formal security policy and develop a security awareness program to reduce risks. The Physical and Access Controls will take high priority at this time, as these policies will assist with the immediate security concerns for Globex. They will be documented and enforced to address Mr. Bernard's concerns. Once the controls are in place, the Human Resources Security Policy will be enforced upon all existing employees and incoming new hires. Existing employees will be given sufficient time to adopt the new policy.

Table of Contents

POLICY NUMBER POL100: Globex Information Security Policy
POLICY NUMBER POL200: Physical Controls Policy
PROCEDURE NUMBER 200 PR.01: Contractor Sponsorship Procedure
PROCEDURE NUMBER 200 PR.02: Contractor Access Procedure
POLICY NUMBER POL300: Human Resources Security Policy
PROCEDURE NUMBER 300 PR.01: Return of Assets Procedure
PROCEDURE NUMBER 300 PR.02: Removal of Access Authority Procedure
POLICY NUMBER POL400: Access Control Policy

POLICY NUMBER: POL100
Globex Information Security Policy

SECTION I. JUSTIFICATION
This policy provides important information to establish Globex information security. The purpose of this policy is to address risks associated with the storage and transmission of Globex information. The goal is to identify and mitigate the risks that lead to:
o Loss of information through theft or disaster.
o Loss of company equipment that uses or stores company information.

This policy assists Globex with:
o Information safety and integrity.
o Reducing legal actions against the company.

SECTION II. SCOPE
The policy's scope includes all data, equipment, personnel, and facilities that store or transmit information.

Data includes:
o Company proprietary data including financial and legal information.
o Customer information including names, payment methods, and shipments.
o Employee information including names, salaries, and banking information.

Equipment includes:
o Computers, servers, and hand held devices that utilize company information.
o Storage devices utilized for electronic information storage, back up, or transport.

Personnel include:
o All Globex employees who access or utilize company information (full or part-time employees).
o Contractors and subcontractors who are granted access to company information.

Facilities include:
o All Globex facilities that utilize, store, or transmit company information.
o All contractor facilities granted access to company information.

SECTION III. POLICY STATEMENTS
This policy will increase the security of company information and reduce the risks associated with data loss or destruction as well as unauthorized transfer. This will be accomplished through specific policies that address Globex data, equipment, personnel, and facilities. The minimum goals are as follows:

Data:
o Company data will be protected from unauthorized access, loss, or transfer.
o Company data will be segregated based on value and legal requirements.

Equipment:
o Company equipment will be issued only to authorized users based on need.
o Company equipment will be protected from loss, theft, or destruction.

Personnel:
o Personnel will comply with Globex security policies and goals.
o Personnel will be familiar with Globex security policies and goals.
o Personnel will be reprimanded for behavior inconsistent with Globex security policies and goals.

Facilities:
o Globex facilities will ensure the security of company information.
o Globex facilities will restrict access by unauthorized personnel.
o Contractor facilities will restrict access to Globex company information.

SECTION IV. ENFORCEMENT
All department managers are responsible for enforcing this policy and monitoring their staff's compliance with it. Violations of this policy may be subject to disciplinary action, up to and including termination of employment, according to the standard of Globex Corporation's procedures.

SECTION V. REVISION HISTORY
Created May 29, 2014
Revised June 6, 2014

SECTION VI. DEFINITION
Contractors: Individuals, under contract, working on behalf of Globex without employee status

SECTION VII. REFERENCES
NIST Special Publication 800-39, Managing Information Security Risk
URL: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

POLICY NUMBER: POL200
Physical Controls Policy

SECTION I. JUSTIFICATION
The Globex Data Centers hold within them people, infrastructure, and data that are imperative to the wellbeing of the Globex Corporation. A Physical Security Policy is required to provide protection for the housing of the data center, the resources within the data center, the data itself, and the people within the data center. The Physical Security Policy will address risks present to the data center from natural (for example, earthquakes and floods) and manmade hazards. Following this policy will provide a reasonable amount of assurance that the data, people, and resources are protected against theft, destruction, alteration, and interruption.

SECTION II. SCOPE
This policy applies to the data center for Globex Corporation in Switzerland. All individuals entering and leaving the data center are responsible for the security of the data center. Those sponsoring contractors must inform the contractors of their responsibilities and are ultimately responsible for their sponsored contractors following the policy. Data Center Security guards will be trained and tested on the physical policy before working shifts on their own, within the first two weeks of training.

The Data Center itself has been designed to withstand many natural and manmade disasters:
o Meet or exceed all fire codes
o Clean agent fire prevention system
o Designed to meet or exceed earthquake proofing standards
o No outside facing windows
o Meet or exceed cooling standards
o Meet or exceed power standards
o Have at least 2 power feeds from different power stations (different suppliers if possible) and an onsite generator and UPS for graceful shutdowns if needed.
o Meet or exceed flood prevention standards
o Supplies for staff to shelter in place if necessary for a week

What is excluded from this policy? Under normal circumstances there are no exclusions; during an emergency, exceptions may be made.

SECTION III. POLICY STATEMENTS
The Data Center Manager and CIO are ultimately responsible for compliance with this policy.
o Intruder alarm service: installed and maintained. Surveillance cameras, perimeter alarms on doors and other potential access points, movement detection equipment.
o Access control systems: key card system controlled by management and audited by responsible team members.
o Entrance to be monitored by Security 24 x 7 via CCTV.
o Each person entering must scan their badge; no piggybacking.
o Employees wear badges visibly at all times; the access list is to be audited weekly for changes to access. Terminations, transfers, and LOAs are processed via an automated check against the HR database.
o Contractors are to be sponsored and escorted at all times, following the sponsorship procedure published at 200 PR.01.
o Contractors must: wear their badge visibly at all times; work within appointed hours, or have special dispensation from the manager of the sponsoring department and the data center manager using the procedure published at 200 PR.02; and leave their key card with Security at the end of the work day.
o The keycard system access list is audited daily for contractors, and confirmation of continued service with the sponsor is established biweekly (every two weeks).

SECTION IV. ENFORCEMENT
Enforcement is the responsibility of the CIO, Data Center management, and the Head of Security. Any employees found violating the policy will face appropriate disciplinary action ranging from loss of privileges to loss of pay to dismissal. Disciplinary action will be decided by a committee including the employee's managers.

SECTION V. REVISION HISTORY
Created June 1, 2014
This Policy will be reviewed annually by the Board of Directors, the Project Team and relevant senior management, and submitted to the Board for approval. This Policy will additionally be reviewed when necessary or appropriate in response to events and changes in circumstances.

SECTION VI. DEFINITION
Contractors: Individuals, under contract, working on behalf of Globex without employee status
CCTV: Closed Circuit Television

SECTION VII. REFERENCES
Corresponding standards documentation from outside bodies
Links to internal standards, procedures, and guidelines that relate to the policy statement

CONTRACTOR SPONSORSHIP PROCEDURE: 200 PR.01
o All Globex contractors are to be sponsored by Globex management ONLY.
o Contractors' contracts are to be uploaded into the Globex database and archived for reference after completion of work.
o Contractors must be vetted by a background check conducted by HR.
o Contractors must be escorted in and out of Globex property at all times.
o The work area must be secured, with sensitive company information and assets locked away or relocated until completion of work.

CONTRACTOR ACCESS PROCEDURE: 200 PR.02
o All Globex contractors are required to wear visible security badges when working on Globex property.
o All Globex contractors must work within appointed hours ONLY, unless special arrangements have been made by the sponsoring department with management approval.
o Assign key card access to contractors and document the card assignment.
o Key cards are to be issued by Security at the beginning of the day and must be returned at the end of the day.
o Perform end-of-day audits on all key cards.

POLICY NUMBER: POL300
Human Resources Security Policy

SECTION I. JUSTIFICATION
The Human Resources Security Policy will ensure all employees of Globex are trained and made aware of the current information security policies, and held accountable for their actions. HR Security will address security education and training and help prevent potential misuse of information by laying down the law to Globex's employees. HR Security will benefit the employees of Globex as well as its clients to ensure quality and integrity.

SECTION II. SCOPE
The Human Resources Security Policy will be applied to the three phases of employment, which are (1) Prior to Employment, (2) During Employment and (3) Termination or Change of Employment. All employees of Globex, including management and senior executives, will be required to abide by this policy. All employees must have a solid understanding of this policy as it applies to everyone equally. Everyone is equally responsible for their actions and must maintain the level of confidentiality pertaining to information security set forth by their respective departments. Every department within Globex is included in this policy, and each must ensure their employees are abiding by the standards and following correct procedures.

External vendors and individuals are excluded. Human Resources is an internal entity; therefore its security policy can only be applied to Globex employees. However, it is required that all external individuals Globex brings in, i.e. consultants/contractors, are subject to background checks and security clearance, for which the sponsoring department and employee(s) are accountable.

SECTION III. POLICY STATEMENTS
1. Prior to Employment
All Globex employees, consultants and contractors are required to sign confidentiality agreements and pass background checks prior to accessing Globex's properties and information systems.
2. During Employment
Information Security Awareness, Education and Training: Security education and training begins during the hiring process and awareness continues throughout the life of employment. It is the employee's responsibility to be up to date with all current policies.
3. Termination or Change of Employment
Return of Assets: Immediately following the termination or resignation of an employee, all Globex assets that were in the possession of the employee must be returned and documented accordingly, following the procedure published at 300 PR.01.
Removal of Access Authority: Immediately following the termination or resignation of an employee, all access to Globex properties and information systems must be removed, following the procedure published at 300 PR.02. Employee records are to be archived.
Employees must have strong communication skills in order to spread the culture throughout the company to ensure policies and procedures are being followed on a consistent basis.

SECTION IV. ENFORCEMENT
The CIO, senior level management and the Human Resources Director are responsible for enforcing the HR Security Policy.
Disciplinary Process: Any violation of this policy may result in disciplinary action including termination, and/or civil action and/or criminal prosecution.

SECTION V. REVISION HISTORY
Created June 1, 2014
Revised June 6, 2014
To be revised annually and accordingly by senior management and the HR Director

SECTION VI. DEFINITION
HR: Human Resources
CIO: Chief Information Officer
Information Systems: The user systems employees log on to in order to complete daily tasks.

SECTION VII. REFERENCES
Johnson, Rob: Security Policies and Implementation Issues. Chapter 7: How to Design, Organize, Implement, and Maintain IT Security Policies.

RETURN OF ASSETS PROCEDURE: 300 PR.01
o Retrieve the asset records assigned to the employee after hire
o Match assets with the serial numbers in the record
o Have the employee initial the surrendering column for each asset
o Have the receiving employee initial the receiving column for each asset

REMOVAL OF ACCESS AUTHORITY PROCEDURE: 300 PR.02
o Retrieve the access records assigned to the employee after hire
o Have the employee initial the surrendering column for each access code/key
o Have the receiving employee initial the receiving column for each entity
o Remove the employee from the user database

POLICY NUMBER: POL400
Access Control Policy

SECTION I. JUSTIFICATION
The objective of this policy is to address the considerations that will help to ensure that Globex IT resources and information assets are properly protected against unauthorized access, while meeting the access requirements for all authorized users. The Access Control Policy's aim is to protect the confidentiality, integrity and availability of all Globex information resources.

SECTION II. SCOPE
The principles set forth in this Policy are applicable to all information technology and assets, in all formats, used by Globex. The Policy applies to:
o All Information Technology resources provided by Globex
o All Globex information systems and network domains
o All users of information assets, including Globex employees, vendors, business partners, and contractor personnel and functional units, regardless of geographic location
o All connections (local or remote) to the Globex domains
o All connections made to external networks through the Globex network

SECTION III. POLICY STATEMENTS
Access controls are necessary for Globex systems that contain sensitive or limited access data. This policy describes the mechanisms used to implement access controls and the responsibilities to ensure a high level of information security.

User Account Management
o Access to Confidential and Internal data must be requested using a formal Access Request Form.
o User accounts that have not been used for 90 days may be disabled without warning. After 180 days of inactivity, these accounts may be deleted without warning.
o Records of processed and denied requests for creation of user accounts must be kept for auditing purposes.

Password Use
o All e-mail, network and domain accounts must be password protected.
o All new accounts will be created with a temporary password. The temporary password must be changed upon first use.
o Passwords used on Globex systems that are authorized for use must have the following characteristics unless otherwise approved by the CIO:
  o Passwords must be a minimum of 8 characters in length;
  o Passwords must contain both alphabetic and numeric characters;
  o Passwords must not be the same as the username.

Network Access Control
o Access to any given network service must only be granted to users who are specifically authorized to use that particular service.
o Approved remote access methods must be used for and by employees, contractors and contracted business partners.
o Whenever possible, connections from specific locations and equipment must be authenticated using automatic equipment identification.

SECTION IV. ENFORCEMENT
Enforcement is the responsibility of the CIO, Application Managers, and Employees. Appropriate technology and procedures will be put in place by the CIO to enforce this policy.

SECTION V. REVISION HISTORY
Created June 7, 2014
Revised June 8, 2014
To be revised annually by the CIO

SECTION VI. DEFINITION
Domain Accounts: Accounts that are registered under the Globex domain host.

SECTION VII. REFERENCES
Johnson, Rob: Security Policies and Implementation Issues. Chapter 7: How to Design, Organize, Implement, and Maintain IT Security Policies.
Class Lectures
Corresponding standards documentation from outside bodies
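The User Account Management and Password Use rules in POL400 Section III are concrete enough to be checked mechanically. The following is an added example, not part of the Globex policy document or the project's own tooling: a small Python audit that applies the 90-day disable and 180-day delete thresholds, the minimum length, letters-and-digits and not-equal-to-username password rules, and the must-change-temporary-password rule to constructed account records. The record layout (username, last_used, logins, temp_password) and the sample accounts are assumptions for the demonstration.

```python
"""POL400 account audit (added example; not part of the Globex policy document).

Assumed record layout (an assumption, not from the policy): each account is a
dict with 'username', 'last_used' (date), 'logins' (int) and 'temp_password'
(True while the initial temporary password is still in place).
"""
from datetime import date, timedelta
import re

DISABLE_AFTER_DAYS = 90    # POL400: unused for 90 days -> may be disabled
DELETE_AFTER_DAYS = 180    # POL400: unused for 180 days -> may be deleted
MIN_PASSWORD_LENGTH = 8    # POL400: at least 8 characters


def password_policy_violations(password, username):
    """Return the POL400 password rules that `password` breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both alphabetic and numeric characters")
    if password.lower() == username.lower():
        problems.append("must not be the same as the username")
    return problems


def account_findings(account, today):
    """Apply the User Account Management and temporary-password rules to one record."""
    findings = []
    idle_days = (today - account["last_used"]).days
    if idle_days >= DELETE_AFTER_DAYS:
        findings.append("delete: inactive %d days" % idle_days)
    elif idle_days >= DISABLE_AFTER_DAYS:
        findings.append("disable: inactive %d days" % idle_days)
    # The temporary password must be changed on first use; a second login
    # without a change means the rule was not enforced for this account.
    if account["temp_password"] and account["logins"] > 1:
        findings.append("temporary password still in use after first login")
    return findings


def audit_accounts(accounts, today):
    """Audit every record; returns {username: [findings]}, compliant accounts map to []."""
    return {a["username"]: account_findings(a, today) for a in accounts}


# Constructed sample data for the demonstration (not real Globex accounts).
TODAY = date(2014, 6, 8)   # the POL400 revision date, used as the audit date
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "last_used": TODAY - timedelta(days=3), "logins": 40, "temp_password": False},
    {"username": "newhire", "last_used": TODAY - timedelta(days=1), "logins": 2, "temp_password": True},
    {"username": "contractor01", "last_used": TODAY - timedelta(days=90), "logins": 12, "temp_password": False},
    {"username": "svc_old", "last_used": TODAY - timedelta(days=200), "logins": 5, "temp_password": False},
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, findings or ["compliant"])
    print(password_policy_violations("globex", "globex"))
```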
