Global Technologies, Inc. ("GFI") Information Security Policy Summary


Abstract

Morgan Stanley Dean Witter (1999) professed in 1996 that the internet was going to change, and expand, the way banking does business and manages information. Information is the lifeblood of every organization, and the same holds true for GFI's information. If this information is compromised in any way, whether by invasion, destruction or another intrusive manner, the lifeblood exists no longer, and neither will GFI. Consequences range from losing credibility as a viable enterprise to extensive monetary liability as the result of lawsuits. The GFI Information Security Policy (hereinafter "ISP") is a set of policies and requirements used to oversee the access to, control of and management of GFI information. The ISP sets forth the absolute guidelines regarding GFI information and is overseen by GFI IT personnel. The ISP identifies all levels of corporate responsibility in protecting GFI information and its resources.

The primary objective of the ISP is first to prevent, and second to minimize, the threat of or impact of security breaches, thereby increasing the protection necessary to ensure the integrity of GFI information. This policy establishes roles for data security, sets requirements for protecting sensitive data and critical systems, and identifies all the security program components required to protect GFI information.

Information breaches that can potentially impact GFI's operations include, but are not limited to, the unauthorized access to GFI information, disclosure of GFI information (either intentional or unintentional), data tampering or vandalism, and destruction of computing systems leading to outages or failure.

The ISP will afford GFI a sense of security and protection through the coordinated efforts of the GFI IT Department and GFI personnel generally, resulting in stronger confidence in the safety of its information. While it may seem an exorbitant amount of attention is paid to measures concerned with the management of electronic information and computing systems, the ISP also provides for paper records, personnel matters and issues related to buildings.

Finally, this is only a summary. The ISP in its entirety contains the entire policy, and it conforms to applicable rules and regulations, including the standards set forth by the International Organization for Standardization ("ISO") on information and communication, pursuant to the United States being one of the participating countries. Obviously, this may affect GFI doing business with countries which are not participants and have implemented a different security standard; however, since GFI currently has international business in Canada and Mexico, both of which are members of the ISO, complications of business based on conflicting security issues will not hamper GFI's international endeavors. The ISO requires the following categories (along with their respective subsections) be included in businesses' information policies: security policy; organization of information security; asset management; human resources security; physical environment security; communications and operations management; access control; information systems acquisition, development and maintenance; information security management; business continuity management; and compliance. While many of these policies are mentioned below, some are not, and that should not precipitate the assumption that the standard was omitted, overlooked or ignored. The ISP complies properly and will be the guiding document for GFI information security.

Global Technologies, Inc. ("GFI") Information Security Policy Summary Discussion

The ISP is divided into several categories, sometimes with relevant subsections. What follows is an overview of the categories, or "policies," within the ISP, described in a more user-friendly manner. The sections described below are in the same order as they appear in the Security Policy. It is important that GFI management grasp the magnitude of this policy, and this summary will streamline that understanding in a more palatable fashion.

The first section of the ISP in this discussion is the "Dissemination of the Policy" section. This addresses how personnel will be made aware of the ISP and how the ISP will be reviewed and/or updated. The ISP will be available on the internet along with training modules and policy excerpts aimed at specific areas of personnel. In addition, a hard copy will be provided to all personnel, and all personnel will be required to acknowledge receipt by signature. Reviews of the ISP shall take place every three years or after some technological occurrence or identification of new potential risks. Those changes will go through the required approval process and then be provided to GFI personnel.

The "Organization of Security" section sets forth the roles and responsibilities to carry out the provisions of the ISP, including, but not limited to, confidentiality, new system requisitions and third-party or vendor contracts. More specifically, management and the IT department will ensure the ISP is implemented, meaning all managers will be responsible for overseeing staff compliance with the ISP. The acquisition of new systems must be pre-approved as set forth in the ISP, and vendor or third-party contracts must include a clause relating to information security.

Hiring, training, conditions of employment, disciplinary procedures, termination guidelines, and confidentiality agreements are addressed in the "Human Resources" section. All job descriptions will include whatever security role attaches to the respective job. In addition to the new-hire documentation provided, a confidentiality agreement is included outlining the terms and expectations of GFI employees when dealing with GFI personnel, vendor and/or customer information; this confidentiality agreement must be signed prior to the employee's first day at work.

As previously mentioned, training will be provided via the internet, with said training completed prior to the first day at work. Disciplinary procedures for violation of the ISP will follow closely GFI's employment disciplinary policy currently in effect.

The general security of the equipment is provided in the section entitled "Physical and Environment Security." This section improves information security by maintaining physical entry controls at every building with staff and/or visitor security cards, which controls will be stringently enforced. Areas where restricted information is contained, such as personnel records or computer systems, must be lockable. Computer systems will be maintained by qualified professionals and installed pursuant to manufacturers' instructions. In addition, the computer systems will be installed so as to protect them from harm by power failure or other damage. If it is necessary for any of GFI's equipment to be taken off-site, that removal will only occur after the removal is formally approved.

Identity theft is a concern organizationally, nationally and internationally and is addressed in the section entitled "Client Safeguards." As a customer information safeguard, in satisfaction of federal rules and for the protection of GFI customers, disposal of any client information, including information derived from consumer reports, will be according to the appropriate ISP guidelines. In addition, hard-copy documents and/or documents classified as restricted must be locked away when unattended or not in use. GFI protects its clients through its ISP by including provisions protecting GFI clients from the fraudulent acquisition of their personal financial information, such as by false pretenses or impersonation. GFI client safeguards also include truncation of clients' respective card numbers to the last five digits on receipts or other documents provided to GFI customers.

Finally, GFI includes a "Red Flag Rule" aimed at early detection of identity theft through the identification of red flags, or early warning signs, of fraudulent behavior. This rule will be reviewed annually and updated accordingly. GFI's retention policy is six years, and data will be destroyed according to the GFI policy in effect at the time of destruction, whether said data is electronic or paper.

The "User Access" section is a subcategory under the "Controlling Access to Information and Systems Policy" which includes other subsections such as "Securing Unattended Work Stations," "Controlling Access to Operating System Software," and "Types of Access Granted to Third Parties." However, for purposes of this summary, personnel password activities and minimum password requirements for GFI personnel will be highlighted here touching briefly on system and application managers' roles as administrators and enforcers of the Password Policy.

While password management on its face appears harmless enough and seemingly at the end of the technological food chain, considerable studies have been done on what is endearingly termed "password hygiene" (Stanton, 2004). Password hygiene is the degree to which end users either change their passwords or share them with coworkers or outsiders (Stanton, 2004). And, while most businesses fear the intruder, most fraudulent activities, including identity theft, are committed by employees against their employers' customers and/or clients (Stanton, 2004). So, a nod of the head to GFI's Password Policy is included here, with the side note that this policy contains provisions for employee training with the goal of improving overall password hygiene.

The "Encryption Policy" directs which documents are encrypted and how. Simply, all documents with the potential of leaving the purview of GFI will be encrypted. This includes documents stored on a computer, cell phone, handheld device, flash drive, etc.

Next, a brief explanation of a couple of the subsections in the "Processing Information and Documents" policy. First, the "Backup, Recovery and Archiving" subsection is noteworthy in that there is some concern that the integrity of GFI information may not be secure in the cloud, and GFI is hesitant to pursue the cloud avenue for fear of suffering some sort of breach. So, included in this subsection is a reference to FADE, an additional, secure, seamless cloud overlay with very fine access controls. Access controls are unique to the user and can be as fine-tuned as warranted by the user (Tang, 2012). Including FADE in GFI's security policy will further protect GFI information and afford an extra layer of confidence against data infiltration, whether by inside or outside forces.

There has also been some discussion about the use of GFI's wireless service by employees and others while still maintaining the protection and integrity of GFI's information. To that end, included is a summation of the subsection "Wireless Communication Policy." The Wireless Communication Policy directs and manages wireless infrastructure devices, such as Ambient Backscatter, and sets forth the parameters within which connection to GFI's network is permitted. Most importantly, this policy, among other things, directs that any wireless infrastructure device must have formal approval, use the approved encryption procedure, maintain a hardware address that can be detected and tracked, and be covered by a signed agreement stating the same.

The "Real-Time Threat Management" policy resolves concerns that GFI's current standalone intrusion detection systems are dated and put GFI at risk of sacrificing the integrity of GFI stakeholders', including its clients', sensitive information (International Organization for Standardization, 2014). The ISP proposes a real-time intrusion detection system developed by Cisco offering the complete wireless package. Cisco's Wireless IPS Software ("wIPS") records real-time information such as MAC address, timestamp, RSSI and attack IDs. Real-time tracking places events in context, which means security personnel know what to investigate, where to investigate it, and the recommended actions to take.

The final section up for discussion herein is the "Compliance" policy. This is where things get a little dicey. The list of reports due in order to remain compliant with the ISO is around 15 items. That does not include whatever internal audits and/or reports need to be generated on a regular basis. The thrust of the policy sets out what the IT or ISP overseer must do in terms of assessing compliance, making recommendations about the ISP when a policy is ineffective or just does not fit, and completing and then submitting annual reports, both internal and external. As GFI is aware, the cost of noncompliance has the potential to be staggering, approximately 2.65% higher than the cost of compliance (Ponemon Institute LLC, 2011), without contemplating the value of losing client/customer trust or losing clients' business altogether. In a way, noncompliance voids the ISP, making its existence an exercise in futility.

While the cost associated with in-house IT personnel appears excessive, when offset against the cost of loss due to a security breach or viral attack, it is not so much. In addition, there is something to be said for in-house familiarity and response time. With the ever-changing corporate culture, employee turnover, mergers and splits, security needs to keep up with those changes (Ponemon Institute LLC, 2011), as an outdated ISP is as good as no ISP.

There is a strong argument for in-house security monitoring and ISP oversight, as IT outsourcers are unaware of the corporate culture, may not even have read the actual ISP, and post-installation service companies respond with a knee-jerk reaction rather than having day-to-day contact with the company and its stakeholders. The "Compliance" policy section is probably the most important policy in that it brings all the preceding policies together and demonstrates the importance of the ISP.

Conclusion

GFI's ISP in its entirety consists of over 50 pages and includes security policies for GFI's information and/or information support systems, right down to how often GFI disposes of its IT consumables. It is broad in scope yet precise, written to fit GFI's corporate landscape yet including ISO guidelines and policy requirements, federal rules and regulations, and any applicable foreign-country or out-of-state laws. Because it is so thorough, it will be a huge undertaking for GFI to implement and enforce. By all means, the IT department should arm itself with only certified (when applicable), seasoned, knowledgeable staff, with oversight of the entire ISP conducted by an individual with commensurate experience in IT security, certified in several specialty areas of IT, and able to understand, implement, maintain, troubleshoot and assess all the areas contained in GFI's ISP.

With that having been said, the ISP stands alone in that it needs no support from, and depends on, no other system or standard in order to successfully maintain the integrity of GFI's information. Properly enforced, the ISP will serve to increase GFI's bottom line by allowing the company to operate without costly and time-consuming interruptions, at full capacity and worry-free.

References

International Organization for Standardization. (2014, March 2). About ISO. Retrieved from http://www.iso.org/iso/home/about.htm

Ponemon Institute LLC. (2011, January). The true cost of compliance. Retrieved from http://www.tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Report.pdf

Stanton, J. M. (2004). Analysis of end user security behaviors. Computers & Security, 1-10.

Tang, Y. L. (2012). Secure overlay cloud storage with access control and assured deletion. IEEE Transactions on Dependable and Secure Computing, 9(6).