Creating and Communicating a Security Strategy
CIS333 – Networking Security Fundamentals
Professor Roy P. Fune, PhD, CCNA, CCDA
August 12, 2018
What is a security strategy?
Working in the IT industry as a professional for close to 2 years now, I have worked in a security company as a security policy assistant, helping to create the best IT security policy and directing the method of creating a communication security management strategy, which led the day-to-day operational movement of the company.
Companies advance and, equally, carry out the strategic plans necessary for most of the resource-intensive activities they undertake. Strategic plans go a long way toward setting out the need for an action alongside the impact of that same action. When we talk about security strategy in any company, it all starts with an in-depth analysis of the business. A security strategy is therefore an important document in an organization or company: it lays out the kinds of procedures the company uses to categorize, remediate and monitor risks while remaining compliant.
It is crucial that all IT employees receive basic training on the security of the organization or business so that they know how to handle the company's critical or highly sensitive materials.
Developing a security strategy is a detailed process that involves initial assessment, planning, implementation and constant monitoring. It may also include a grouping of actions that counter credible threats and vulnerabilities: policies and procedures, access management measures, communications systems, technologies and systems integration practices.
Information Technology policy is established in compliance with the Department of the Navy (DOD) Information and Personnel Security Programs to ensure that information classified under the authority of Executive Order 12958, or any predecessor order, is protected from unauthorized disclosure, and that the granting of access to classified information or assignment to other sensitive duties is consistent with the interests of national security. (Dobie J. August, “Rules that govern the security of classified information do not guarantee”, 2018, p. 2)
• Prevent unauthorized persons from gaining access to classified material.
• Provide security for classified information consistent with the requirements established by higher authority and with sound management principles.
• Develop security awareness through education and familiarize personnel with the requirements for safeguarding classified information.
• Security is a means, not an end. Note that the rules governing classified information do not by themselves protect it, and they do not attempt to address every conceivable situation. All personnel who work with classified information must preserve a balanced, common-sense approach toward the subject. Furthermore, all new employees must receive full training on their duties and on the proper handling of the classified information of the company or the organization as a whole.
• Provide procedures for internal and subordinate security reviews and inspections.
• Provide procedures for the destruction of classified material.
• Implement annual security awareness and compliance training for all employees, to further enhance the security posture and to keep their security education current with the constantly changing IT industry.
Each individual, staff and managers, is individually responsible for complying with all aspects of this program.
Employee Orientation for IT Security
An orientation briefing will be given to all personnel who will have access to classified information as soon as possible after reporting aboard or being assigned to duties involving access to classified information. The briefing will cover the IT security structure, any special security precautions within the framework (i.e., restrictions on access), and their general security responsibilities.
OJT (On-the-Job Training)
Supervisors must ensure subordinates know the security requirements impacting on the performance of their duties. This training may consist of verbal reminders, meetings, or written instructions. The IT Manager will assist supervisors in identifying appropriate security requirements. Supervision of the on-the-job training process is critical. Supervisors are ultimately responsible for procedural violations or for compromises that result from improperly trained personnel. Expecting subordinates to learn proper security procedures by trial-and-error is not acceptable.
1. Classified information will not be disclosed at conferences, seminars, exhibits, symposia, training courses, or other gatherings (hereafter called meetings) unless disclosure of the information serves a specific purpose and adequate security measures are taken to control access to the information and prevent its compromise.
2. Classified information may be disclosed at a meeting only when the use of conventional channels for its dissemination would not accomplish the purpose of the meeting.
3. All sensitive and financial records of the company are kept classified alongside any other company data, and a procedure should be in place to govern access to these files by employees or assigned company representatives.
4. Responsibility for the security of the company or organization as a whole should be limited to specific employees, such as managers or team leads, who hold the organization's best interests at hand.
5. Areas within the company where senior classified meetings concerning the organization are held (e.g., the conference room) must be well secured, with a protocol in place to prevent unauthorized access.
6. Sessions are monitored to ensure discussions are limited to the level authorized.
7. Any sensitive or classified data/information related to the organization should be kept secured and under access control for security reasons.
Emergency Action Plans
Emergency Action Plans (EAP) are vital to the security of classified information and equipment. The absence of viable emergency planning could seriously degrade the security of classified material in the event of natural disaster, civil disorder, terrorist attack, or hostile enemy action. Listed below are different types of emergencies that could occur and the actions that will be enacted to ensure the security of the command’s classified material. In the event of a natural disaster, security of the classified material will be maintained until the natural disaster stabilizes.
Plans to mitigate the effect of hostile action must take into account the possible scenarios that could occur and, correspondingly, the risk associated with each scenario, in order to prevent threats of hacking, fraud or breach.
Protection in contingency situations refers to the employment of additional security measures. This includes posting an armed perimeter guard force during a mob disturbance, in addition to the normal physical security already in place at the facility that stores the classified material.
Annual Security Refresher Briefing
The IT Manager will provide a security refresher brief annually to all personnel who have access to classified information. The briefing will cover new security policies and procedures, counterintelligence reminders, continuous evaluation, security concerns or problem areas, and security safeguards and measures to protect classified and sensitive unclassified information. Other security-related topics may be included as necessary.
Full Security Awareness Education
The purpose of security education is to ensure that all employees, whether transferred or newly hired, understand the need for and the procedures for protecting the IT environment and its classified and sensitive unclassified information. The goal is to develop fundamental security habits as a natural element of each task.
No individual will be given access to classified information or be assigned to sensitive duties unless a favorable personnel security determination has been made regarding their loyalty, reliability, and trustworthiness. A Personnel Security Investigation (PSI) is conducted to gather information pertinent to these determinations. Only the minimum investigation necessary to satisfy the requirements for the level of access required or sensitivity of position occupied will be requested. Access will not be granted automatically and does not have to be granted at the level of eligibility.
Bowheadsupport.com. (2016). [online] Available at: http://www.bowheadsupport.com/images/pdf/2016_Annual_Security_Briefing_Final_Bowhead.pdf [Accessed 29 May 2018].
Cuny.edu. (2015). [online] Available at: https://www.cuny.edu/about/administration/offices/CIS/security/training/new_employee.pdf [Accessed 5 May 2018].
Happiestminds.com. (2014). Developing a Security Strategy. [online] Available at: https://www.happiestminds.com/whitepapers/Developing-a-Security-Strategy.pdf [Accessed 3 May 2018].
NASA. (2017). IT Policies and Standards. [online] Available at: https://www.nasa.gov/content/it-policies-and-standards [Accessed 29 May 2018].
The Guardian. (2015). Businesses must become better at communicating about security risks. [online] Available at: https://www.theguardian.com/media-network/media-network-blog/2014/jan/15/businesses-better-communicating-security-risks [Accessed 5 May 2018].
National Security Agency