What is a Security Policy and why does an organisation require a Security
Policy? (Matthew Savage)
An Information Security Policy, also known as an ISP, is a set of
rules outlined by a company to ensure that all users within the domain of the
organisation and the overall network comply with rules and guidelines relating to
the security of all information stored digitally at all points of the
network and within its authority boundaries. An ISP mainly outlines the protection of an
organisation's data, programs and systems.
An information security policy should safeguard three main areas:
Confidentiality – Outlines that data/information is restricted to
certain people or groups of people within an organisation's department who are
authorised to access this data, and is not available/accessible to other company
staff. An example would be storing data within departmental group folders
which only contain data relating to a specific department's role and are only
accessible by that department's staff.
Integrity – Outlines that all data is stored in a complete and
accurate form. The stored data must be operational on all required IT
systems. The data flowing around the network should be intact and contain no
viruses or corruption.
Availability – Outlines that the information or system is at the
service of the authorised user when requested and is available for use when
accessed. All unauthorised users should be prompted with an access denied
message, and the attempt noted to the administrator. All permissions should be set by the
domain IT administrator in line with the user's job role and description. All data
within the domain stored on servers should be backed up daily, so that
previous data from a certain period can be accessed if requested or
in case of emergency, i.e. a DR (disaster recovery) scenario.
Organisations require a security policy for numerous reasons:
To create universal, organisation-wide guidelines for all users to
adhere to, so that all information is processed, handled and stored in the same
To detect misuse of data and computer systems, and highlight those
To adhere to industry standards and regulations governing all
To protect the image of the organisation in terms of its ethical
and legal requirements.
To protect the users and customers of an organisation, providing a
guideline for queries or non-compliance.
Come up with an example of your own of an issue which could be caused by
missing security policies? (Jamie Fields)
missing Security Policy –
An email security policy within a network is of vital importance,
as it covers lots of areas in terms of rules for using email individually or
within an organisation. If an email security policy is not in place it can
cause a lot of issues. In terms of sending emails, there will be no policy in
place to keep employees aware of their spelling/grammar; this can lead to
unprofessional emails being sent, which makes the organisation look
An issue can arise in terms of spam emails. If an employee receives
one, they will not be aware of the correct process to follow and could
potentially forward it on or click on a link within it, causing viruses to
spread throughout the network via the user's contact list. Emails
being sent can be very unprofessional as no policies are in place for the
structure of emails, such as company logos and signatures.
Without an email policy an issue will arise, as if needed they will
have no way of making sure email traffic is being monitored correctly.
This means the organisation will have issues trying to identify and search for
issues that arise from sensitive data being transferred across the network.
Issues in terms of the archiving of emails could also arise. Without a policy in place
an organisation will have no way of knowing whether to archive emails and how
long they are supposed to be archived for. Really important and confidential
emails could end up being archived and automatically deleted after a period
without anyone being aware of it, which could have serious consequences.
An email policy can help when it comes to having a rule in place
for the scanning of emails, and without this a serious issue can arise.
Before messages are sent, an organisation will have no policy in place to
track/proofread them, which means that inappropriate emails
can easily be sent and cause serious harm to the organisation. Also, in terms of
receiving emails, there would be no policy in place to reject emails that
contain viruses and spam emails, stopping them from entering the network and being spread
around the organisation.
With no email security policy in place there will be no set limit
on the size of attachments that can be sent via email, which can cause issues, as
if employees are sending large attachments it can slow down the network and
they will transfer very slowly. If a policy was in place each user would be
restricted to a certain size limit, and only authorised users, where necessary,
would have a larger size limit available to upload and transfer large attachments.
As we know, within an organisation there is a need for confidential
emails to be sent, and without an email policy in place there is no way of
protecting this information from being intercepted and picked up. No encryption
would be in place to ensure that only the intended recipient can read it, which is a
big security violation/risk.
Spoofing can take place without an email policy in place, where
someone pretends to be a user they are not, and this can cause a big issue,
as someone outside the organisation will have the means to gain any relevant
information they need that they are not supposed to know. If a security
policy was in place, a digital signature would be able to protect
against this threat in cases where sensitive/confidential information is being
As we can see, a big issue can arise throughout an organisation
without an email security policy in place, and it shows the damage and
implications of having just one security policy missing from your network.
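The attachment limit, encryption and digital signature rules discussed above, applied to a constructed message as an added example (not part of this coursework). The domain, the size limit and the authorised-user list are assumptions; the signature check only tests that an S/MIME signed container is present, where a real gateway would also verify the signature.

```python
"""Added example (not from the coursework): applying three of the email
policy rules above to constructed messages. The domain, the size limit and
the list of authorised users are assumptions for the demonstration."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                        # assumed internal domain
ATTACHMENT_LIMIT = 64                             # assumed limit (tiny for demo)
LARGE_ATTACHMENT_USERS = {"finance@example.org"}  # assumed exemption list

def check_message(raw: bytes) -> list[str]:
    """Return the policy violations found in one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    ctype = msg.get_content_type()
    found = []
    # Anti-spoofing: mail claiming an internal sender must arrive inside an
    # S/MIME signed container (presence only; a gateway would also verify it).
    if sender.endswith("@" + ORG_DOMAIN) and ctype != "multipart/signed":
        found.append("internal sender without digital signature")
    # Confidentiality: mail marked confidential must be S/MIME encrypted.
    if (msg.get("Sensitivity", "").lower() == "company-confidential"
            and ctype != "application/pkcs7-mime"):
        found.append("confidential message sent unencrypted")
    # Attachment size limit, with the exemption for authorised users.
    size = sum(len(p.get_payload(decode=True) or b"")
               for p in msg.iter_attachments() if p.is_attachment())
    if size > ATTACHMENT_LIMIT and sender not in LARGE_ATTACHMENT_USERS:
        found.append(f"attachments total {size} bytes, limit {ATTACHMENT_LIMIT}")
    return found

# Constructed sample (not a real message): a spoofed "internal" sender that
# is unsigned, marked confidential, and carries an over-sized attachment.
SPOOFED = b"""From: "CEO" <ceo@example.org>
To: finance@example.org
Sensitivity: Company-Confidential
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please pay the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"

""" + b"X" * 100 + b"""
--b1--
"""
```

Running check_message(SPOOFED) reports all three violations, while a signed internal message with no confidential marker and no attachment passes cleanly.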
What are the basic things that need to be explained to every employee about
a security policy? At what point in their employment? Why? (Adam McBroom)
Security policies are vast but to the point, to ensure that
employees clearly understand what the policy is about and how they are to follow
it. When preparing a risk assessment, a security officer will go over the
security policy and look at the policies and procedures in place to find any
holes or areas for a possible breach.
These policies are only as good as the employees that implement them.
Organisations and companies must go over their security policy with new employees
to ensure that they are well understood, and to limit risk. Some things that
need to be explained about a security policy are:
Strong passwords: This is a must, as an attacker can easily gain
access to a computer by just trying common, lower-case passwords like pass123,
Detecting phishing emails: Employees need to be able to quickly
detect a fake email, as this can quickly lead to an attack if the email and its
contents are malicious.
Locking devices: Employees should know to lock their devices
when leaving their computer unattended, even if only for a brief time.
Protecting sensitive information: Any physical sensitive information
should be stored and locked away. Any electronic information that needs to be
sent outside of the organisation should be encrypted to allow for secure
Lost devices: Any lost or stolen devices need to be reported as
soon as possible, as they may contain confidential information that attackers
will attempt to gain access to.
Employees should have network security policies explained to them
during orientation, long before they are sat in front of a computer or
given sensitive data to handle. If employees are fully aware of the threats
and dangers, it limits the risk of a security breach. If this is not
explained at the start, companies and organisations run the risk of:
Having sensitive information leaked or stolen
An employee unknowingly leaving their device unlocked with data
An employee unknowingly opening a fake email, which may contain
Interception of data in transit
Your organisation has an e-mail server that processes sensitive emails from
senior management and important clients. What should be included in the
security policy for the email server? (Adam McBroom)
With the email server processing sensitive information, additions
to the security policy should be:
Services and applications that are no longer used should be disabled.
Email servers should be kept in an access-controlled environment
where they can be physically located.
Email servers should have very limited physical access.
Email servers should be monitored for security purposes, and logs
for monitoring should be kept.
The servers should have daily, weekly and monthly backups in
Any security-related event should be reported to security. This
All emails must be encrypted before being sent out. This ensures
that even if an attacker is eavesdropping, the message content is encrypted.
All access to the server is logged, to ensure that there are no
unauthorised attempts to access the data.
A secure channel connection must be used if available. This
IPsec (Internet Protocol Security)
SSH (Secure Shell)
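The monitoring and access-logging items above, turned into a review of constructed mail server login records as an added example (not part of this answer). The allowed network, the protected mailbox names and the Dovecot-style log format are assumptions.

```python
"""Added example (not from the coursework): reviewing constructed mail server
login records against the access and logging rules above. The network range,
the protected user names and the log format are assumptions for the demo."""
import ipaddress
import re
from collections import Counter

ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed office/VPN range
PROTECTED_USERS = {"ceo", "cfo"}                      # assumed senior mailboxes
FAILURE_THRESHOLD = 3                                 # assumed reporting threshold

# Dovecot-style imap-login records (constructed; field order matches the samples).
LOGIN = re.compile(r"imap-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[\d.]+)")
FAILED = re.compile(r"imap-login: Disconnected \(auth failed.*?"
                    r"user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[\d.]+)")

def allowed(ip: str) -> bool:
    """True if the client address lies inside a network the policy permits."""
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)

def review(lines: list[str]) -> list[str]:
    """Return the findings an administrator should be notified about."""
    findings, failures = [], Counter()
    for line in lines:
        if m := LOGIN.search(line):
            # Senior mailboxes may only be opened from the permitted networks.
            if m["user"] in PROTECTED_USERS and not allowed(m["ip"]):
                findings.append(f"{m['user']} mailbox opened from outside "
                                f"allowed networks: {m['ip']}")
        elif m := FAILED.search(line):
            failures[m["ip"]] += 1
    # Repeated failures from one address are reported as a security event.
    for ip, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(f"{n} failed logins from {ip}")
    return findings

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    "Jan 10 09:12:01 mail dovecot: imap-login: Login: user=<ceo>, method=PLAIN, rip=10.0.5.23, lip=10.0.0.10, TLS",
    "Jan 10 09:13:40 mail dovecot: imap-login: Login: user=<ceo>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.10, TLS",
    "Jan 10 09:14:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<cfo>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.10, TLS",
    "Jan 10 09:14:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<cfo>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.10, TLS",
    "Jan 10 09:14:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<cfo>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.10, TLS",
    "Jan 10 09:20:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.10, TLS",
]
```

review(SAMPLE_LOG) flags the senior mailbox opened from 203.0.113.9 and the three failures from 198.51.100.7, while alice's login from outside the range is not reported because her mailbox is not protected.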
Read the UCL and Harvard university security policies. Compare and critique
the policies suggesting improvements/updates, as appropriate. (Jamie Fields
& Matthew Savage)
UCL provide a brief overview of their information policy
objectives so users can get a good sense of the type of rules they will be
required to comply with. Harvard's doesn't contain a format like this and only
contains links to the actual policies themselves. Harvard could improve upon this
area and provide a brief overview like UCL have, so users reading the document
can get a good understanding of the main topics and things they are expected to
be aware of.
Harvard have a policy laid out and structured well for different
circumstances relating to passwords; it details 5 different password
scenarios and the correct action to take to comply with the policy. UCL has no
mention of what to do in case of password incidents, and this is an improvement
they can make by making users aware of the correct process to follow to be more
secure, which would include details regarding sharing and protecting passwords,
using different and strong passwords and what to do if your password has been
UCL has set up an Information Risk Governance Group which is local
to the university and university-owned companies, for defining an information
security policy and ensuring its process is followed by everyone throughout the
university. Harvard don't mention who is responsible for defining the security
policy, and this is something they can improve on by updating the policy with
the necessary details.
UCL heads of departments and divisions implement the policy by
appointing a custodian for each system operated by them and a departmental
network administrator. UCL points out who is responsible when it comes to these
roles. Harvard make no reference in terms of who implements the security
policy within the University, and this is an area they could update within their
security policy by letting users know who is responsible for the information
UCL refer to breaches of security within their policy, such as what
to do if the security of a computer is breached and who to inform. Harvard make
no reference to what to do in these instances, as they are more tailored to
advising on the best practice to follow to comply. Harvard could improve here
by updating their policy with information on who users can contact in these
instances, so that if a breach does occur it can be dealt with quickly and efficiently.
UCL's policy refers to the supporting policies, procedures and
codes of practice that need to be followed by staff, students, contractors and
third parties when it comes to accessing the network. Harvard only refer to
staff in this instance, and they could improve on their policy by also focusing
on students, contractors and third parties so they are aware of the correct
process when accessing the university's network to use its systems and
When it comes to confidentiality, they both reference an agreement
and training that needs to be completed by users. Harvard refer to the fact that
staff must annually acknowledge the university confidentiality agreement. UCL
refer to the process of reviewing the policies every time additions or
amendments are made. UCL's policy seems to be more stable in that it informs
users that any time a change to a policy is made they must make sure they review it
and become familiar with it. Harvard could improve their process by updating
their policy to include that users must review policies any time a change is
made, so they are fully up to date with the correct processes to follow, instead
of only reviewing it once a year, as a lot can change during this period.
Harvard refer to the sharing of confidential information with only
those who are authorised to receive it. UCL make no reference to the sharing of
information, and this is something they could add to improve their policy, as
without it users won't be aware of the consequences of sharing confidential
information with users who are not authorised to receive it.
Harvard have a policy in place for the protection of devices, and
they refer to their own device configuration checklist for specific
instructions. UCL have a policy in place, but they only refer to the fact that it must
comply with the data protection policy and the Corporate Digital Data Ownership
and Access Policy. They could update their policy with a relevant checklist
detailing information on set-up, use, maintenance and loss or disposal for both
iOS and Android operating systems.
In terms of risk assessment, Harvard have a good, detailed policy in
place to make users aware of the correct process to follow by listing suitable
steps. UCL don't provide any information at all on who to contact in these
instances, and this is an improvement which can be made, as it will help the
university mitigate risk quickly and limit damage if it's handled professionally
and users know the correct people to contact.
Harvard assign different levels within their security policy to
represent the level of risk information poses, e.g. level 1 is public information and
level 5 is of vital importance. UCL instead just detail their policies and
don't state the level of risk that's involved. This is something they
could do to update and improve their policy, so users are aware of the levels
of risk each policy poses and take them more seriously.
UCL's security policy refers to the disposal of confidential
information, and the correct process to follow is to speak with the records
manager. Harvard's policy doesn't refer to any specific process and doesn't
provide any detail on who to contact to clarify information regarding this, and
this is something which can be improved on by entering this information into the
policy, as when it comes to confidential information you want to make sure no
risks are taken where it could get into the wrong hands.
Harvard's policy refers to the handling of credit or debit card transactions, which must
comply with University Cash Management requirements. These requirements state
what a credit card is accepted for. UCL are missing this information, and this
is something they could update their policy to include.
UCL's policy contains a document control sheet which covers the
revision date for specific changes to policies. It includes the date, a summary
of changes and whether the changes have been marked. This is something Harvard
don't have in place within their policy, and it's something they could add to
improve their process, so users can get an overview of what has been updated
and any policies they need to review.