Pages:
6 pages/≈1650 words
Sources:
3 Sources
Level:
MLA
Subject:
Technology
Type:
Essay
Language:
English (U.S.)
Document:
MS Word
Date:
Topic:

Information Security Policy: Handling of Sensitive Information (Essay Sample)

Instructions:

This policy applies to information across the whole company at all levels. Any violation should be reported in time to the relevant person, such as the manager or the support centre; otherwise the violator will face disciplinary action for breaching the agreement with the policy.

Content:

INFORMATION SECURITY POLICY
Policy Statement
This information security policy for Great Catalogs, Inc. (GCI) is set out to plan, outline and identify the ways in which the company can handle and protect its information and manage and fight security intrusions. This policy applies to information across the whole company at all levels. Any violation should be reported in time to the relevant person, such as the manager or the support centre; otherwise the violator will face disciplinary action for breaching the agreement with the policy.
Policy/Procedures
Handling of Sensitive Information.
Confidential information is data that must be protected from access by unauthorized people in order to safeguard the security and privacy of the company. If the confidentiality of this information is compromised, the company must expect severe or serious adverse effects on its operations, financial status, reputation, assets or individuals (Stewart et al., 2015).
Sensitive information in this company includes: personal information of the employees, i.e., Social Security numbers, banking and financial information, disciplinary actions and more; company information such as financial forms, pre-awarded contracts, data submitted, property information, suppliers' and clients' information, etc.; and classified information of the company such as company secrets, passwords, PINs, etc. For the safety of this data, there are ways of handling the company's information that should be strictly observed by all employees of Great Catalogs, Inc.
Setting of access levels in the company. This means differentiating employees' access to sensitive information so that not all of the company's information is accessible to every employee. This will be achieved through passwords, PINs and access/pass cards that we will develop for each individual employee for his/her computer or rooms in the company. These should be well secured and never shared unless authorized by the person in charge. When an employee leaves the company, all of these credentials should be changed or handed back.
Encryption of information considered sensitive by the company. Encryption is the process of encoding messages or information so that only authorized persons can read what is sent or stored in the company. Encryption is applied to classified and other sensitive information, and access will be given only to those for whom the information is intended (Stewart et al., 2015). Next, encryption will be applied to all mobile phones and job emails of some employees so that all the information they share is encrypted; any deviation from this requires authorization from the head of the IT department. Violating this requirement amounts to a disciplinary matter that can lead to loss of the job or even to facing charges.
Automatic data backup of all necessary information every two days, so as to prevent total loss of information in case of an intrusion into the company system. The backed-up data will be supported with encryption on floppy discs, CDs or cloud storage for the company and
Use of an Intrusion Detection System. This is the installation of an application or device on the company's machines that monitors for malicious system activity or policy violations in the company and sends a message to the IT Management Station. We will mostly use a reactive IDS so that it not only detects the threat but also reacts to it as necessary, for example by blocking the source from which the intrusion is detected.
How to Properly Handle Intrusion Detection System (IDS) and Passwords
For the passwords and IDS in the company, there are handling rules that must be strictly followed; otherwise the company will suffer serious harm if a threat is real or a password falls into the wrong hands. First, intrusion detection software will be installed on the company system, both passive and reactive IDS, which will alert the person in charge at the IT Department and the Information Manager. All employees need to report immediately any case of intrusion or suspicious activity on the company system, or any suspicious person on the company's premises. All passwords, key cards and pass cards will be generated automatically through the verification system for every individual worker, and they should be and remain secret. Key cards should not be shared or left unattended at the workstations. Passwords and access codes will be changed every six months.
Any loss of a key card or compromise of a password should be reported quickly to the person in charge so that the necessary measures are taken to avoid any harm resulting from it.
Respond to Possible Security Incident
Security incidents include intrusion, spam hacking and more, and there are proper ways to handle them. If already attacked, one first has to gather evidence on the kind of attack that was happening to the company from valuable information sources such as the system event log and the security event log. For any security incident, there are ways to neutralize it. These include determining the source and intention, after which the incident can be controlled by disconnecting the attacked system, disconnecting the attached host from the system network, or cutting off the site under attack from the Internet. Lost passwords and pass cards should be blocked immediately and replaced, and a lost key card should be denied access until verified. If a malicious act is detected, there should be a lock-down in the company to physically track down the person responsible (Kanellis, Panagiotis 2006).
How to Secure Workstations and Internet Connectivity
There are ways in which we have to handle the security of the workstations and the Internet connectivity so as to keep the connectivity. Securing workstations will start with an orientation of all staff on what information security is and how to go about it in the company. Then all pass codes, passwords and key cards must be well secured by keeping them strictly personal and not sharing them with anyone whatsoever. Key cards and pass codes shouldn't be left unattended, and if a key or password is compromised, it should be reported to the supervisor immediately and changed in time. The workstation machines should have password-activated screen savers that log off after a period of about 3-5 minutes. Information on the devices should not be shared before it is secured, and then only with authorized persons. Powerful virus protection software should be installed on all the workstations and updated regularly so as to scan for any virus. There should no allow...