Potential business data of a corporation typically resides in many resources, including servers, e-mail, the network, browsers, the PBX, and software. Therefore, as a rule of thumb, all information owned by the organization must be protected. It must not be disclosed to unauthorized individuals in any manner, because the data is a company intellectual asset. This section covers the integrity and privacy of data, focusing mainly on keeping an organization's confidential, classified, and similar information safe. Moreover, every single asset must be classified according to its usage and intended users, for example as public, personal, confidential, classified, or secret, with the classification applied by individuals in roles such as custodian and owner. We had a general introductory discussion about the theory of "cyber security policy" in the previous article. The following section deals with a number of essential data-asset commodities in detail, as follows:
Employee and even customer information of a company must be kept confidential and must not be revealed to an outsider at any cost, except in a national security emergency. However, there is no risk in disclosing joining- and tenure-related data. Moreover, an organization should duly prepare policies in advance, especially concerning disgruntled employees, so that they can be implemented legally.
The company-provided email should be provisioned only for official communication rather than personal use. The policy should also specify the size of attachments that may be sent, the permitted file types, and the non-disclosure of confidential office data. Finally, it must be made clear to employees that all email communication remains under surveillance to detect any inflammatory circumstances. Most importantly, emails containing sensitive data, or data that is not meant to be revealed, must be encrypted across nodes.
It is important to keep valuable information intact from malware infections: data integrity must not be compromised. Therefore, servers and end-user machines must be constantly monitored and periodically scanned for malware, along with all incoming email attachments. In case of abnormal behavior of a system, a webpage, or a user's activity, the system administrator must immediately inform management so that a suitable response can be made.
Limited Data Access
Corporate official data stored on a hard disk, flash drive, or other medium should be accessible only according to legitimate business requirements. Each user should be granted access to corporate data on the basis of their designation, roles, and responsibilities.
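As an added illustration of the role- and classification-based access described above (example code written for this article, not the organization's own policy tooling), the check below grants access only when the user's clearance covers the asset's label and the data owner has permitted the user's role; the ranking of the article's labels and all names are assumptions:

```python
from dataclasses import dataclass

# Assumed ordering of the article's labels (the article lists them but
# does not rank them); lower number = less sensitive.
LEVELS = {"public": 0, "personal": 1, "confidential": 2,
          "classified": 3, "secret": 4}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    owner: str                 # the person responsible for the label
    allowed_roles: frozenset   # roles the owner permits (least privilege)

@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str

AUDIT_LOG = []  # (user, asset, granted, reason) kept for later review

def can_access(user: User, asset: Asset) -> bool:
    """Grant only when clearance covers the label and the role is permitted.
    Unknown labels fail closed so a mislabeled asset is never exposed."""
    if asset.classification not in LEVELS or user.clearance not in LEVELS:
        granted, reason = False, "unknown classification label"
    elif LEVELS[user.clearance] < LEVELS[asset.classification]:
        granted, reason = False, "clearance below classification"
    elif asset.classification != "public" and user.role not in asset.allowed_roles:
        granted, reason = False, "role not permitted by owner"
    else:
        granted, reason = True, "ok"
    AUDIT_LOG.append((user.name, asset.name, granted, reason))
    return granted

# Constructed sample data (hypothetical names, not from the article).
PAYROLL = Asset("payroll.xlsx", "confidential", "hr-owner", frozenset({"hr", "finance"}))
BROCHURE = Asset("brochure.pdf", "public", "marketing-owner", frozenset())
MISLABELED = Asset("notes.txt", "top-secret", "unknown", frozenset({"hr"}))
ALICE = User("alice", "hr", "confidential")
BOB = User("bob", "intern", "personal")
CAROL = User("carol", "engineering", "secret")

if __name__ == "__main__":
    for u, a in [(ALICE, PAYROLL), (BOB, PAYROLL), (CAROL, PAYROLL),
                 (BOB, BROCHURE), (ALICE, MISLABELED)]:
        can_access(u, a)
    for entry in AUDIT_LOG:
        print(entry)
```

Carol's denial shows that a high clearance alone is not enough: the owner's role list is the second, independent gate.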
Disaster recovery policies concern the recovery of the technical components of your business, such as software, network, data, and computers. The stipulated guidelines should consider all possible natural or man-made unfortunate events, such as a power blackout, hurricane, terrorist attack, anthrax, a virus infection on a mass scale, fire, and many more that could impact the business. Such policies guide each entity of the organization in dealing with and overcoming such events, and a comprehensive recovery plan stands by to ensure the continuity of normal functioning.
Restricted Server Access
Common access to server systems must be blocked or restricted unless the authorized person has a valid reason for admission, because the server web farms are the data warehouses. They contain all of the crucial information of a company and therefore must always remain in a locked state. End users will be granted permission only for the commands required for them to perform their specific task.
All essential information, including written documents, webpages, or stored data owned by an organization, must be properly labeled with a copyright notice wherever it should be marked or noted (for example, Copyright © 2017 InfoSec Inc, All Rights Reserved).
There are numerous categories of networks, such as LAN, Wi-Fi, intranet, etc., through which information is transmitted. Therefore, they must be protected by applying a firewall, IDS, and IPS, along with a robust encryption mechanism, to ensure the privacy of communication between protected and other networks. Moreover, all forms of e-data entering or leaving the network must be monitored to detect and alert on security breaches, and an access control system must be employed to block unauthorized attempts.
Data owned by an organization may be classified as accessible to a subset of users but not to all users. Such data must be stored in a way that makes illegitimate access impossible.
Hackers frequently exploit websites, networks, etc. by resorting to dumpster diving for information, because organizations usually do not sanitize or discard waste paper properly. This opens the door to penetration. Thus, unused papers that contain sensitive or classified information must be shredded before disposal.
A system or network may fail with or without obvious reason. Thus, policies should require that all critical server systems and networks be redundant off-site and have full-fledged automatic failover capabilities.
Encryption typically covers two aspects: data and communication. All communication across the network must use a proper encryption mechanism to protect the privacy of information. Backups in which data is stored must be enciphered so that the data remains intact. Apart from that, email containing proprietary information or passwords may not be sent in clear text over the internet or any network.
Software such as an operating system, application, or database is typically procured from third-party vendors, and such software obviously requires new updates (patches) to be applied. Hence, it is strictly outlined in the policies that patches must be tested before installation.
Backup Facility Testing
Backup facilities contain all the essential information of an organization and are prepared because of the risk of damage to on-site facilities from natural or intentional factors. Therefore, a backup facility, especially an off-site one, should be tested periodically by a mock drill to ensure its viability.
FTP Server Access
Some data is often made freely available by the organization through an FTP server, for public use or for the ease of employees' work. So, the admin must categorize the data based on sensitivity and decide which data will be free to access and what requires restriction in the form of end-user authentication. Moreover, the admin has the right to monitor what data is being accessed through the FTP server and from where.
Mobile Phone Usage
Companies often procure cell phones for their employees to streamline their jobs. However, strict cell phone usage policies must be in effect because of the huge risk of disclosing company private information via cell phone through eavesdropping.
All information owned by a company is considered intellectual property; it must therefore be protected from unauthorized individuals and used only on the basis of a valid reason. To make this stringent, a data security policy must be drafted and included in the job responsibilities of each employee so that they remain in compliance. This article has provided a detailed insight into data policies and broken them down further into their various significant components, such as backup, encryption, data sharing, copyright, and many more, with a detailed overview of each.