Trade Space and Policy Assignment

The following sample Information Technology critical analysis is 1504 words long, in APA format, and written at the undergraduate level.

Email Trade Space Concerns

With respect to the use of email on either corporate or university networks, the primary concern of trade space analysis will often be the security of the network against email-based phishing attacks. These are most often conducted through the use of malicious attachments, so an effective email access policy will clearly define how to safely deal with email attachments. Another large concern is often the leak of sensitive data by employees, and rightfully so. Human behavior studies have found that 50% of employees take company data with them when leaving their job and 40% of them planned on using it at their new position (SpectorSoft, 2013). The leaking of sensitive data isn’t always intentional, as such data can also be extracted when unsecured emails are sent outside a specific organization’s intranet.

A tertiary concern when conducting a trade space analysis of email use is the prevention of offensive content in the body of emails sent by members of a given institution. This isn’t done merely to ensure that emails sent don’t digress from the sensibilities of an organization’s leadership, but also to limit potential liability, as the content of some offensive emails could promote a hostile working environment or constitute sexual harassment.

Example Email Policy

1.0 – Attachments

1.01 – The use of email attachments for personal matters is not permitted.

1.02 – The use of email attachments is permitted whenever necessary for company business, but must follow the standards expressed below.

1.03 – Attachments should only be opened if the source of the email containing them is known and trusted.

1.04 – No attachments should be sent to, or opened from, a personal email account.

1.05 – Attachments with a file type of .exe should never be opened or saved to a workstation unless prior approval has been given.

2.0 – Protection of Sensitive Data

2.01 – Sensitive company data should never be sent to an email account outside of the company intranet unless the email is encrypted and doing so is necessary for company business.

2.02 – Sensitive company data should never be sent to a personal email account.

2.03 – The Company owns any communication sent by a company email account or that is stored on company equipment. Your email may be monitored at any time to ensure compliance with this or any other policy.

3.0 – General Conduct

3.01 – Company email accounts are to be used for company business only. You are not to conduct personal business from a company email account or computer.

3.02 – Any email content that discriminates against any protected class is prohibited. In addition, emails should never contain any sexual content. Violations of this policy will be dealt with according to the company’s harassment policy and could result in immediate termination.

Data Classification Trade Space Concerns

For matters of privacy and data classification, a trade space analysis will be concerned with the classification of data with respect to its need for protection or availability. Data classification policies will classify data into various categories and detail how data in each category should be treated. They will also define who is responsible for the classification and protection of data. There are a number of risks present in the inappropriate use of sensitive data, including noncompliance with regulations, loss of promised confidentiality, and leaks of personal information. Establishing a data classification policy is an essential step in minimizing the risk that sensitive data is inadvertently mishandled (NIST).

Example Data Classification Policy

1.0 – Categories of Data

1.01 – Public Data: Data that poses no risk to the company when disclosed without authorization should be considered public. Public data includes directory information, marketing materials, and calendars of upcoming events.

There have been no controls placed on the distribution of this data and it can be provided to anyone who requests it and published with no restrictions. While no controls have been placed on the publication of such data, it is not to be modified or destroyed without prior approval.

1.02 – Internal Data: Data that is meant solely for consumption by employees of the company for use in company business is considered internal data. Some types of internal data could pose a risk to the company if published without permission, as this data is often used to make strategic decisions. Any data not explicitly categorized as confidential or public should be assumed to be internal data by default. Some examples of internal data are financial records, employee evaluations, and project management documents.

Employees must request access to internal data from that data’s owner and should only do so when such data is required for them to perform their duties. Access to such data may be granted to groups of employees by default depending on factors such as their job classification or the department in which they work.

1.03 – Confidential Data: Data should be classified as confidential when its unauthorized disclosure could pose a significant risk to the company, including violating regulatory statutes or breaching confidentiality agreements. Examples of this data include customer credit card information, trade secrets, and employee health information.

Access to confidential data must be carefully controlled at all times and should only be granted for individuals to whom such data is absolutely necessary to perform the responsibilities of their position. Access to confidential data must be requested on an individual basis and should be approved by both the Data Owner and the supervisor of the employee requesting the access.

2.0 – Access Request and Removal Procedure

2.01 – The term “Data Owner” is defined as the individual or committee which is accountable for maintaining controls on forms of protected data as well as approving requests for access to such data.

2.02 – Access requests to internal data must be submitted in writing and approved by the relevant Data Owner before the requested access can be granted. A record of all access requests, approved and rejected, must be maintained.

2.03 – Access requests to confidential data must be submitted in writing on an individual basis and approved by both the relevant Data Owner and the supervisor of the individual requesting access. A record of all such requests, approved and rejected, must be maintained.

2.04 – Whenever an employee transfers to a new department, any access roles specific to their old department must be revoked.

2.05 – Whenever an employee is terminated, all access roles they possessed must be revoked and their workstation should be audited to ensure no sensitive data has been transferred off-network.

Remote Access Trade Space Concerns

Over the past few years, the ability to remotely connect to internal networks via an outside internet connection has allowed the practice of doing so to become increasingly widespread. This practice can offer a number of advantages to companies including a reduction in office overhead, an improved ability to attract and retain talent, and improved efficiency (Booth). Using remote access does carry some risks, however, and trade space concerns about the possibility of both data loss and damage to internal systems are valid.

A remote access policy is essential to define the process by which an individual can safely access internal systems and resources while on an outside network. Establishing such a policy is particularly important because of the high possibility of inexperienced users accidentally exposing the internal network to security risks through practices such as split tunneling (a VPN user connected to a public network and a local LAN at the same time) or the use of dual-homed hardware (a networked device built with more than one network interface).
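The two hazards named above can be checked on an endpoint before a connection is allowed. The following added example (not part of the original essay) parses the Linux `ip route` and `ip -o -4 addr` output formats to flag a split tunnel (VPN up, but the default route bypasses it) and dual-homing (more than one non-VPN interface addressed); the sample outputs are constructed, and the VPN interface name `tun0` is an assumption.

```python
import re

VPN_IFACE = "tun0"  # assumed name of the corporate VPN interface


def parse_routes(text):
    """Return a list of (destination, device) pairs from `ip route` output."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((fields[0], dev))
    return routes


def is_split_tunnel(route_text, vpn_iface=VPN_IFACE):
    """Split tunnel: VPN routes exist, but the default route leaves via another device."""
    routes = parse_routes(route_text)
    vpn_up = any(dev == vpn_iface for _, dev in routes)
    default_devs = {dev for dest, dev in routes if dest == "default"}
    return vpn_up and bool(default_devs - {vpn_iface})


def active_interfaces(addr_text):
    """Return non-loopback interfaces holding an IPv4 address (`ip -o -4 addr`)."""
    ifaces = set()
    for line in addr_text.strip().splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m and not m.group(2).startswith("127."):
            ifaces.add(m.group(1))
    return ifaces


def is_dual_homed(addr_text, vpn_iface=VPN_IFACE):
    """Dual-homed: more than one physical (non-VPN) interface is addressed at once."""
    return len(active_interfaces(addr_text) - {vpn_iface}) > 1


# Constructed sample: home Wi-Fi laptop with the VPN up, default route still
# via Wi-Fi (split tunnel), and a wired NIC also addressed (dual-homed).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0
3: eth0    inet 192.168.50.7/24 brd 192.168.50.255 scope global eth0
4: tun0    inet 10.8.0.5/24 scope global tun0
"""
```

On a real host, feed the functions the output of `ip route` and `ip -o -4 addr` captured on the client; both checks return `True` for the constructed sample.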

Example Remote Access Policy

1.0 – General

1.01 – Storing confidential or internal information on any personal device is strictly prohibited unless prior approval is obtained.

1.02 – All remote access users are expected to comply with all policies that they would adhere to when directly connected to the network, may not perform illegal activities, and may only use the connection for company business.

1.03 – Remote access methods covered by this policy include, but are not limited to, frame relay, ISDN, DSL, VPN, SSH, WiFi, and cable modems.

2.0 – Connection Requirements

2.01 – It is the responsibility of the individual making a remote access connection from an outside network to ensure that their connection is secure. This should be done through the use of unique user credentials.

2.02 – At no time should any employee provide their login ID or password to anyone, including co-workers and family members.

2.04 – Any remote access connections that make use of a common infrastructure, such as the internet, must utilize encryption.

2.05 – All computers, including personal ones, which establish a remote connection must run at least one up-to-date anti-virus program.

2.06 – Reconfiguration of a home user’s hardware for split-tunneling or dual-homing (SpectorSoft, 2013) is strictly prohibited.

References

Booth, N. (n.d.). Can business benefit from remote access? Retrieved from http://www.computerweekly.com/feature/Can-business-benefit-from-remote-access

SpectorSoft. (2013). Bringing Your Acceptable Use Policy Up to 2013 Standards. Retrieved from http://downloads.spectorsoft.com/…/WhitePapers/WP_InternetAcceptableUsePolicy.pdf

National Institute of Standards and Technology. (n.d.). NIST.gov - Computer Security Division - Computer Security Resource Center. Retrieved from http://csrc.nist.gov