Security and Compliance Policy

Why is a security and compliance policy important? Businesses would not be in operation without a good security and compliance policy. Businesses need to be able to comply with government and state requirements. Security safeguards employee data, customer data, and business data. Without proper security, a business would compromise the quality of their data. There are several steps to identifying security and compliance procedures. It is necessary to any infrastructure to perform a risk assessment. This identifies any gaps in your infrastructure, classifies what is acceptable risk, and what isn’t. The first step is system characterization. In system characterization, you are identifying system components and their criticality in the environment. Production equipment would have a higher criticality in the event of an outage or virus outbreak versus a test machine which is generally open and does not contain safeguarded information. This process is important and pieces of equipment should be labeled for criticality. Servers need protection in the company, as well as other data center resources such as routers/switches. If a malicious user or rogue user were to interrupt business functionality by gaining access, this is a great risk to business continuity. Threat identification is the next step in a risk assessment. It is important to do port scans, virus scans, and observe permissions in an environment. This helps identify any possible threats in the environment and classify them. It’s important to maintain physical security and logical security in an environment. Identifying risks entails if doors are locked to certain areas, who has access to certain files and servers, as well as port scanning. Port scanning is important for identification of open and closed ports, secure and unsecure ports, and what could be a potential threat for the environment. Other steps involved are vulnerability identification, control analysis, and impact analysis. These steps help identify what is controllable, what can be prevented, and the impact of any attack or outbreak in the environment. The risk determination step helps decide the level of each risk as well as the likelihood. These risks will have steps and protocols to follow for any attack or outage that can have somewhat of a prediction. Generally if a user were to contract a virus, it’s important to have an idea of how to repair it. Risks needs to be classified of severity and this step helps with that. Control recommendations are also an important step. This approaches how to handle or steps to manage any risks or threats. Documentation and reporting is a final step and extremely important. There needs to be a system developed of any risk that occurs or has occurred, it would need to be documented such as where, why, and when. These questions need to be answered for future risks or similar occurrences. The infrastructure, file system, and configurations should be documented and safeguarded. In the event of a total loss, it would be important to have the documented installation on file in order to replicate the original system previously. It’s important to understand what needs to be protected in the company. Your equipment is extremely important, especially servers. Servers are not inexpensive pieces of equipment and provide business functionality. A router (such as Cisco) is expensive as well, and also need to be properly protected. Physical security is very important in an environment. Locked doors, key cards, cameras are critical for monitoring. It’s important to enforce password policies in order to protect user data and machines transported by users. It’s important to guard files and information used by the company. Security in any environment is important. It’s important to understand the concept of protecting data and resources. Employees depend on their privacy while working in an environment and don’t want to feel they are being watched their whole entire shift. They want to feel trusted and generally will become happier, but need to be aware of the controls and security measures in place. Employees need to be made aware of government regulations and security regulations in order to provide a safe and structured environment. These measures will ensure employee privacy, data security, and business continuity.