A security policy is a set of rules and processes that an employee must follow when accessing or manipulating an organisation's network or data assets. These policies also document what to do in a situation if it does occur. An organisation needs these types of policies to:
Establish a set of rules on how information security is approached.
Identify and prevent the compromise of a system and its information, such as data misuse, networks and
Adhere to an organisation's ethical and legal responsibilities – there is legislation in place to protect customers' data. If a company does not abide by these responsibilities, they may be penalised in the form of a fine or a temporary ban on providing services, ultimately putting the services they provide under threat.
Engage employees – security is the responsibility of everyone within the company, from the end user and Security Administrator to IT professionals.
Dictate who gets access to what – some employees will require higher privileged access in the system compared to others. For example, an end user in an HR department will need access to HR resources, but won't need access to User Account Control, whereas this may concern Security Administrators.
An example of one of these policies is restrictions on who can access what data, in order to stop confidential data being viewed by people who don't actually need to see it. This can be classified using the CIA Triad, which documents the security requirements as confidentiality (ensure that sensitive data is only obtainable by those supposed to use it), integrity (data is altered only in a specified and approved manner) and availability (information is accessible when needed).
An issue that could occur as a result of a missing policy is unauthorised access by an individual through a company employee's account. This could happen when a policy documenting how passwords need to be made strong, with the use of unique characters and a certain length, and changed after a certain time period, is missing. The policy may look something like this:
“All passwords must be kept private and have a unique set of characters in order to make them less susceptible to attack.
Passwords must also be changed every three months to avoid them being easily guessed and mustn't be too similar to the previous password used.
All passwords must contain at least one lower-case letter, upper-case letter and a number to ensure that they are more unique.”
This issue could lead to an individual masquerading as the employee and giving themselves access to the whole network and to any and all data that it holds. This would allow for eavesdropping or changing information to their advantage, putting the integrity of data at risk, and stealing data for their own personal gain.
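The quoted policy can be turned into an automated check so that a weak or recycled password is rejected at the point it is set, rather than relying on the employee to remember the rules. The following is an added example, not code from the original text. The policy gives no exact length, no definition of "a unique set of characters" and no threshold for "too similar", so the constants MIN_LENGTH, MIN_DISTINCT_CHARS and MAX_SIMILARITY are assumptions; the 90-day expiry follows the policy's "every three months".

```python
"""Password policy checker modelled on the policy quoted above (added example).

Thresholds that the policy does not state are marked as assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from difflib import SequenceMatcher
from typing import List, Optional

MIN_LENGTH = 12               # assumption: the policy only says "a certain length"
MIN_DISTINCT_CHARS = 8        # assumption: our reading of "a unique set of characters"
MAX_AGE = timedelta(days=90)  # policy: "changed every three months"
MAX_SIMILARITY = 0.6          # assumption: difflib ratio above this is "too similar"


@dataclass
class PolicyResult:
    ok: bool
    violations: List[str] = field(default_factory=list)


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1]; compared case-insensitively so that
    'Winter2023!!' followed by 'winter2024!!' is still caught."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_new_password(candidate: str, previous: Optional[str] = None) -> PolicyResult:
    """Check a proposed password against the composition and similarity rules.

    Every failed rule is reported, so the employee sees all problems at once
    instead of fixing them one round-trip at a time."""
    violations: List[str] = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(candidate)) < MIN_DISTINCT_CHARS:
        violations.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    if not any(c.islower() for c in candidate):
        violations.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        violations.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if previous is not None and similarity(candidate, previous) > MAX_SIMILARITY:
        violations.append("too similar to the previous password")
    return PolicyResult(not violations, violations)


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than MAX_AGE and must be rotated."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, prev in [("password", None), ("Winter2024!!", "Winter2023!!"), ("Tq7#mR2pLx9v", "Winter2023!!")]:
        result = check_new_password(pw, prev)
        print(pw, "OK" if result.ok else result.violations)
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 15)))
```

The similarity rule is the one most often skipped by simple "must contain" regex checks; comparing against the previous password (which a real system would hold only as a hash of the candidate-transform, or check at change time while both plaintexts are briefly available) is what actually enforces "mustn't be too similar".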
Security is the responsibility of everyone within the company. Any opportunity for a hacker to gain further knowledge of the security can result in further opportunities developing. For example, if an employee writes down their password and leaves it at their desk, or throws it away in a non-confidential waste bin, the hacker could then snoop around and try to figure out their username. Usernames may be generic too (e.g. first letter of first name followed by surname), so if the hacker is aware of a few usernames, he may be able to figure out that username and password combination. A way of preventing this may be to use two-factor authentication, as the hacker won't be able to sign in unless they have the physical device used to authenticate the user.
Four basic things that should be explained to an employee about a typical security policy are:
How to properly manage your username and password, as well as any other important information.
A company's most insecure part of their network might be humans, as they might record their authentication credentials on paper, follow bad practices etc. Training should be put in place to emphasise how important these credentials are and the devastating impact it could have if these credentials got into the wrong
How to act when a potential security incident or intrusion attempt takes place.
A company should have taken measures for these 'contingency plans', which should be executed in the event of an IT disaster. All employees should be briefed on this plan in case such an event occurs.
How to use workstations and the Internet.
There may be a fair use policy on top of that, preventing employees from browsing certain websites that might either be distracting or pose a threat. This may also prevent an employee from running applications that haven't been approved. All these measures combined make for good practice of the security policies put in place.
What will happen if an employee does not abide by these policies.
In order to deter employees from breaking these policies there need to be punishments in place. These need to be explained to employees so that they know the consequences and severity of what they are doing when a policy is broken. This could range from suspension all the way up to being arrested.
Always applying the latest updates.
Employees should immediately be made aware to always download and install the latest updates for their anti-malware programs and any programs they use, to improve the security of their workstation, and to perform full scans of their workstation at least once
The security policy should be explained to an employee before they are let anywhere near a system. Not knowing any of the rules and procedures and proceeding to access the system could lead to the network being compromised and important data being corrupted, all through an uninformed employee.
The security policies could be completed before any employee even signs a contract, as this allows a potential employee to review what they are getting into and also shows how serious the company is about its security protocols. A signature from the employee once they have read and understood the policy will create an agreement of cooperation between the employee and the organisation that the policies will be
After the initial explanation of the security policy, it should be reviewed with employees at regular intervals during their employment. This keeps the organisation's security policies fresh in employees' heads and again reaffirms how seriously the organisation takes them. An added benefit of this is that it allows any newly introduced policies to be taught and enforced. To really check the knowledge of employees, a test could also be given with a required pass rate.
A security policy for an organisation's e-mail service should be thorough and apply to all employees at every level. There are many security errors, cost impacts and performance implications that can affect a company if all scenarios are not properly thought through. A security policy for this server should include:
Encrypting Email for Confidentiality
The sensitive nature of the emails being sent through the server means that encryption should be applied to every message sent. This will stop any eavesdropping across the network, especially when sending outside the organisation, where security could be more lenient.
Digitally Signing Email
By having employees use digital signatures, it provides authentication that the email is from the person who sent it. This will reduce the possibility of an employee being caught out by a fraudulent email, as they will be looking for the signature. The procedure also creates a tamper-evident seal that will fail if an email has been changed in any way.
Emails only allowed to be sent to known associates of the organisation
server is set up for senior management and important clients, meaning that the email addresses used to contact them can be established as secure and any other email addresses can be treated with more suspicion. This policy can also be paired with restricting sending emails to and from personal email accounts, as these are
All emails should be kept for a certain length of time before being deleted. This allows for recovery of information, and in case any security incidents do occur through the email system, they can be traced back. It also takes the stress off the main email server, as archived emails can be stored cheaply on other servers.
All emails should be put through some sort of screening software to look for anything that could do damage to the organisation's network or reputation. This could include swear words, malware or the email address from
Limiting the Size of Email
By limiting the size of all emails going through the server, it reduces the amount of space needed and will improve performance overall. This will also reduce the likelihood of denial of service attacks, as without the limit hackers can send emails with large attachments, using up all available resources on the server. Over time this will have a significant impact on cost, as fewer servers will be needed for storage purposes.
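Several of the email rules above (signing, known associates only, no personal accounts, retention period, size limit) can be enforced mechanically by a policy gate that inspects each outgoing message before the server relays it. The following is an added example written for this text, not the organisation's or any mail product's own code. It uses Python's standard email module; the domain lists KNOWN_DOMAINS and PERSONAL_WEBMAIL, the size limit, the retention period and the sample messages are all constructed assumptions, and the signature check only tests whether the message is wrapped as multipart/signed, not whether the signature verifies.

```python
"""Outgoing-email policy gate modelled on the rules listed above (added example).

Checks: digitally signed, recipients are known associates, no personal
webmail accounts, message size within limit. Also computes the retention
deadline from the Date header. Limits and domain lists are assumptions.
"""
from datetime import datetime, timedelta
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parsedate_to_datetime
from typing import List, Optional

KNOWN_DOMAINS = {"example.org", "client.example.com"}          # assumption: approved associates
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}   # assumption: treated as personal accounts
MAX_MESSAGE_BYTES = 10 * 1024 * 1024                           # assumption: 10 MiB size limit
RETENTION_DAYS = 365                                           # assumption: keep archived mail one year


def recipient_domains(msg: Message) -> List[str]:
    """Lower-cased domain of every To/Cc/Bcc address on the message."""
    headers: List[str] = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(headers) if "@" in addr]


def is_signed(msg: Message) -> bool:
    """A signed message is wrapped in a multipart/signed container (RFC 1847)."""
    return msg.get_content_type() == "multipart/signed"


def evaluate(raw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the mail may be sent."""
    msg = message_from_string(raw)
    problems: List[str] = []
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        problems.append(f"message larger than {MAX_MESSAGE_BYTES} bytes")
    if not is_signed(msg):
        problems.append("not digitally signed")
    for domain in recipient_domains(msg):
        if domain in PERSONAL_WEBMAIL:
            problems.append(f"personal account recipient: {domain}")
        elif domain not in KNOWN_DOMAINS:
            problems.append(f"recipient is not a known associate: {domain}")
    return problems


def retention_deadline(raw: str) -> Optional[datetime]:
    """Date after which the archived copy may be deleted, or None if undated."""
    msg = message_from_string(raw)
    sent = msg.get("Date")
    if sent is None:
        return None
    return parsedate_to_datetime(sent) + timedelta(days=RETENTION_DAYS)


# Constructed sample messages (placeholder signature body, not a real PGP signature).
SIGNED_TO_CLIENT = """From: alice@example.org
To: Bob <bob@client.example.com>
Date: Mon, 01 Jan 2024 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

Quarterly figures attached.
--b1
Content-Type: application/pgp-signature

(constructed placeholder signature)
--b1--
"""

UNSIGNED_TO_WEBMAIL = """From: alice@example.org
To: alice.home@gmail.com
Date: Mon, 01 Jan 2024 09:00:00 +0000
Content-Type: text/plain

Forwarding this to myself.
"""

if __name__ == "__main__":
    for label, raw in [("signed/client", SIGNED_TO_CLIENT), ("unsigned/webmail", UNSIGNED_TO_WEBMAIL)]:
        print(label, evaluate(raw) or "OK", "delete after", retention_deadline(raw))
```

Placing this check on the server rather than in the mail client means it applies to every employee at every level, which is the point the policy makes; a client-side rule can be switched off by the person it is meant to constrain.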
Harvard University's security policy consists of 'Data Classification Levels', unlike UCL's security policy. Harvard University have taken the approach of classifying their data based on:
Level of sensitivity
Level of value
Level of criticality to the
The classification of such data will help in developing baseline security measures to protect it. To the right, you will see the 5 different levels of data classification for Harvard University. The higher the level, the greater the
Normally, data is classified into 3 different sensitivity levels/classifications.
Public: this would be level 1. This data is public because the unauthorised alteration or disclosure of that data would result in little or no harm to Harvard University.
Private: this would cover levels 2 and 3. This data, if disclosed or altered, could result in some harm. This data isn't public or restricted, and as such it makes sense to treat it as private data.
Restricted: this would cover levels 4 and 5. This data, if disclosed or altered, could result in devastating harm. Examples of Restricted data include data protected by UK privacy regulations and data protected by confidentiality agreements.
Both universities' security policies are divided up into sections. However, Harvard University's security policies are all simply laid out, with each having a link to a more in-depth version of the selected policy that is split into separate sections describing the policy in regard to different scenarios (e.g. for users, for devices, for servers). This allows a user to easily find and jump to a specific security policy they want to read up on, and makes the security policies as a whole appear less wordy, whereas UCL have their security policies all listed in the same PDF file, with each section shown as lengthy paragraphs, which would make it difficult for someone to easily jump to a certain policy. I therefore think UCL could benefit from having their security policy written up in a similar fashion to how Harvard University have written
At the end of UCL's list of security policies, they have a revision table which lists all the changes/updates made to the document, including which section the edit was made in, the date the change was made, and whether the change had been checked and approved. It also includes the latest date that the document had been checked for revision, the date of the next planned revision, and a list of committees/groups responsible for approving the changes made to the security policies.
UCL have a section on disciplinary procedures (5.3 & 6), outlining the consequences if these policies are broken, whereas Harvard seem to brush over this for the sake of a more concise, 'user-friendly' policy. And where UCL tend to explain the objectives of their Information Security policy (1.3), Harvard seem to jump straight into the policies without explaining why a staff member is even complying with the
Harvard have broken their policy into 3 different components, which are broken down further, whereas UCL have one.
In summary, Harvard has the most appropriate design to appeal to university students and staff, along with policies that are small and easy to read. However, UCL's policies seem to offer more detail and don't leave room for assumptions. Harvard's policy has questionable completeness, as it leaves out details users may deem