A security administrator’s key role involves developing the policies and guidelines that secure an organization’s information systems, and those details are documented in his or her handbook. An organization like the Highfliers Institute of Technology faces security threats constantly, which requires the administrator to include in the handbook the fundamental procedures and guidelines that protect the information assets and network from harm. Most security alerts on information systems arise from malicious, unauthorized users penetrating the devices. In cases of hacking, the equipment may be infected with malware and viruses, which pose the risk of extensive data loss (Peltier, 2016). The organization’s security administrator’s handbook will contain security policies such as password, acceptable use, incident response, and user awareness and training policies to secure the systems. The procedures for strengthening information security will include remote access security, vulnerability and penetration testing, and wireless and physical security. Therefore, a usable and accurate administrator’s handbook must contain both the procedures and the policies for protecting information systems from security threats.
SECTION ONE
Network Architecture and Security Considerations
The security administrator secures the corporate networks and information assets by ensuring that the networks developed promote best practices that are specific to the organization’s security capability. Focusing on the network architecture helps the administrator, as well as other security practitioners, keep track of vital security concerns. The security administrator’s concerns in the company will therefore revolve around authentication, authorization, asset protection, audit, risk management, administration, availability, and assurance of the system. Another vital guideline requires the administrator to compile the architectural artifacts, such as the risk analysis, the data classification and the published security policy documentation, to avoid any confusion. It is also the security administrator’s duty to work with the executive in establishing security policies, which then act as the requirements for the entire network architecture (Shields, 2015). If the security administrator discovers new security requirements or necessary changes in the networks, he or she develops new architecture initiatives to improve the performance of the existing infrastructure.
Checking the condition of the network security is a daily procedure that the administrator, together with the architect, follows to safeguard the company’s information assets. Frequent observation of the network architecture is essential since no single technology or tool can guarantee safety all the time. Additionally, security threats are frequent and unpredictable, which necessitates security assurance tests. Most of the tests performed certify that the security systems and policies as designed work as expected (Baskerville, Spagnoletti & Kim, 2014). The other procedure for ensuring maximum protection of the network architecture requires the administrator to conduct and oversee security policy audits. Carrying out such exercises regularly helps the company understand which policies require enforcement and which should be applied before a crisis strikes.
Wireless Security
The company’s administrator is responsible for developing additional measures that make the wireless network more secure. Therefore, an administrator must take a few precautions to ensure that any unauthorized user or attacker on the network is detected, so as to avoid unforeseen security threats. For instance, the administrator deploys strong encryption that is difficult to crack, configures a firewall, and may create a separate network for guests (Baskerville et al., 2014). Several basic guidelines can be followed to ensure wireless security. It is crucial for security administrators to understand in detail how wireless networks function before going into other details. If a crime is committed or spam is sent over the network by malicious users within range of the access point, the administrator can employ emergency measures such as a temporary shutdown.
The next guideline is to enable encryption on the company’s wireless network. Encryption prevents unauthorized users from accessing private information, since the traffic is scrambled into a code. Some wireless networks, routers, and computers may support Wi-Fi Protected Access (WPA) while others use the older and far weaker Wired Equivalent Privacy (WEP). The security administrator will advise the company to purchase routers with WPA2 capability, which will always be turned on for better security (Shields, 2015). Despite applying strong encryption to the wireless networks, the administrator must still manage the risk of security breaches by limiting access to the networks. For example, only specific devices may be allowed to gain access to the wireless network. Securing the routers will be the next precaution to keep attackers out. Furthermore, the administrator should change the default name of the router and its pre-set password to something unique. Securing routers and related devices also involves keeping them up to date, turning off all remote management features, and logging out of the administrative interface when finished.
Remote Access Security
Having remote access security in the company is as important as managing the related risks throughout, to avoid leaving the information systems vulnerable. One of the guidelines for protecting remote access is to deploy Internet Protocol Security (IPsec), which provides proper authentication and encryption for virtual private networks. Another guideline requires the security administrator to check for and regularly correct the root causes of remote access issues, such as regulating third-party file storage services, virtual private network (VPN) risks and screen sharing. Hence, the administrator should ensure that remote access works under a strong authentication and identity validation system (Shields, 2015). Moreover, the administrator will take the initiative of restricting admin rights as well as monitoring non-HTTP traffic for flawless operation. The fact that a company’s information assets and networks can be accessed remotely at any time should lead the administrator to treat all external users as hostile, a basic guideline for strengthening security.
Several steps can be taken by the security administrator to protect remote access in the company. The first step involves him or her assuming that hostile threats such as theft of equipment, malware infections and data interception will happen. An additional consideration would be for the company to use anti-malware software and direct workers to use separate networks at the workplace. The next step requires the security administrator to establish a telework security policy that defines remote access for the company. The policy identifies the devices granted access, the sensitivity of the data, and the administration and updating of the servers. Next, the security administrator should configure all the remote access servers to resist attacks on the information systems (Peltier, 2016). Thus, the administrator will ensure that the remote access servers are placed within the company’s network perimeter to avoid creating numerous entry points into the network. The next step involves securing the telework client devices against common threats such as viruses and compromised firewalls. The security administrator develops security controls that can support multiple policies for governing the devices in the workplace. Most importantly, the security administrator formulates strong encryption and user authentication to keep external threats away.
Laptop and Removable Media Security
The security risks that laptops and removable media such as floppy disks, digital cameras and external hard drives pose stem from their characteristics, hence some precautions are necessary. The security administrator’s duty entails establishing guidelines for the proper management of devices to eliminate possible information threats. For instance, the administrator will ensure that anti-virus software is installed on all computers so that all removable media can be scanned for malware. Encryption of all removable media will also be vital in protecting the stored information from unauthorized users (Shields, 2015). The employees of the company should also be warned against disclosing passwords and told that passwords should be changed regularly. For instance, all laptops should have a login, screen lock and password set up to at least keep intruders from accessing information easily. When it comes to personal computers, the security administrator will advise workers not to connect any removable devices they do not recognise, and to keep personal and business data separate.
Making regular backups of the removable devices and computers will secure the information they carry. Such a measure makes it easy to retrieve information even after the loss or theft of the laptop or removable media. The other guideline for protecting computers and removable media is to disable the autoplay and autorun features on all devices (Nazareth & Choi, 2015). Such features give the computer no opportunity to scan removable media before executing their contents, which is risky. Another important aspect of protecting laptops and removable media is keeping a close watch on them so that they do not get lost or damaged through carelessness or negligence. Whenever a laptop or removable media device is lost, the security administrator advises reporting the incident immediately to increase the chances of recovering the device.
Vulnerability and Penetration Testing
The security administrator usually runs automated vulnerability scans and assessments to identify areas of weakness, then assigns penetration testing experts to verify and correct the vulnerable areas. The administrator chooses from blind, external, internal, double-blind and targeted testing methods the one most appropriate for the ethical hacking plan. Besides penetration testing, the administrator also ensures that the web application firewall (WAF) configurations are updated upon completion of the tests to protect the identified weak spots from further exploitation (Peltier, 2016). The penetration tests can be done in stages to achieve the desired results. The first stage involves planning and reconnaissance, whereby the security administrator defines the goals and scope of the tests and gathers intelligence on the vulnerable points in the system.
Scanning, in which applications are inspected for ways an intruder could get in, is the next stage of the pen test. The following step involves gaining access to the information systems using backdoors, SQL injection or cross-site scripting tools that can exercise the targeted vulnerabilities. After gaining access, it is crucial to maintain access and watch for the re-emergence of persistent security threats. The fifth step requires the security administrator to analyse the test findings, such as how long the pen testers remained undetected, which crucial information was accessed and which vulnerabilities were exploited (Baskerville et al., 2014). The administrator then works with security personnel to configure the WAF settings and implement the recommendations for addressing the vulnerabilities.
Physical Security
Physical threats such as intentional and unintentional destructive actions have a high chance of occurring, and one of the security administrator’s duties is drafting the countermeasures. One such measure is the creation of a secure environment at the workplace by minimizing external access points and maximizing the structural protection of information assets. Another guideline is to prepare for emergencies, such as by warning people against eating, drinking or leaving doors and windows open in the offices. Security administrators also ensure that equipment is always guarded through proper housing, record keeping, foot traffic control, and repair (Shields, 2015). Another physical security measure is deterring theft through limited authorization, to keep information attackers away. The administrator can always remind employees never to leave computers and equipment unattended, to prevent losses. The other measures entail protecting the output devices and regulating power supplies appropriately to keep risks from materialising.
Guidelines for Reviewing and Changing Policies
Security administrators formulate guidelines for reviewing and changing policies to protect the information systems, the employees and the entire organization’s information from intruders. Before conducting the review, the administrator ensures that each policy states its reason, enforcer, implementation, approval, the assets protected, and its expiration date, for easier identification of the specific security needs. When the security administrator drafts the guidelines for reviewing the policies, he or she must ensure that the language used conveys a proper tone. The other stakeholders will appreciate the document more if it is straightforward and concise, presents ideas creatively and includes a glossary (Shields, 2015). After the policy review, the administrator moves to the implementation stage so that the changes can be enforced. However, the administrator must make the implementation realistic by at least communicating the security policy needs and expectations, introducing staff training and assigning duties to experts. The changes are then broken down into manageable pieces, taking personnel issues and outsiders’ interests into account.
SECTION TWO: POLICIES
Acceptable Use Policy
The Highfliers Institute of Technology’s acceptable use policy sets out the principles that govern the use of information within the company’s infrastructure. Both old and new employees of the organization sign the policy document before the security administrator grants them access to the information systems (Baskerville et al., 2014). The policy also defines who the authorized and unauthorized users of the organization’s systems are. Additionally, the policy explains the sanctions that may apply if an authorized user breaks any part of the policy. All the company’s stakeholders are expected to comply with the policy, which is always updated after regular audits.
The purpose of the acceptable use policy is to state the appropriate use of the organization’s information systems, technology, and networks. Additionally, the policy serves as a set of rules or principles that require everyone, especially the employees, to respect the order established for smoother operation (Nazareth & Choi, 2015). The acceptable use policy also functions as a polite reminder to users to observe the privacy and confidentiality of information. Above all, the policy protects members from possible consequences or harassment.
The acceptable use policy carries many responsibilities, as detailed in the security administrator’s handbook. The foremost responsibility of the document is protecting the organization’s information systems against unauthorized users and security threats. Hence, the security administrator has the authority to conduct regular inspections of the computing infrastructure to detect and resolve vulnerabilities (Peltier, 2016). In cases of unacceptable use, the document also gives the administrator the right to block access and to disclose information. The same policy also watches out for plagiarism and outlines the consequences of violating the policy.
The review and change management guidelines for the acceptable use policy cover confidentiality and compliance with certain laws. Anyone who wants to disseminate information from the company’s systems must act within lawful use and comply with copyright law as well as export control regulations (Nazareth & Choi, 2015). Unless revised, the policy remains in force and is applied objectively. The other procedure upholds the right to electronic privacy and the confidentiality of the content on the organization’s equipment.
Password Policy
The password policy states that all employees, or rather all authorized users of the organization’s information systems, are responsible for protecting access to and login on the equipment. Hence, the passwords set on the computers must meet complexity requirements and remain strictly secret (Shields, 2015). The key purpose of the policy is protecting the company’s information systems against attackers by setting up user logins protected by complex passwords. The objective is to keep unauthorized users from accessing the organization’s sensitive information, which is why the passwords are made complex and tedious for intruders to crack.
The policy also entails several responsibilities for individuals and administrators. Every employee of the Highfliers Institute of Technology is expected to take personal responsibility for maintaining the confidentiality of his or her passwords at all times. The security administrator has the role of ensuring that the systems have the capacity to accept and safeguard passwords (Baskerville et al., 2014). Additionally, the administrator has the duty of training authorized users on the password requirements so that they can set up complex passwords that will take a long time to breach. The security administrator will also be on the lookout for expired and compromised passwords and advise regular changes.
Several standards exist in the password policy for both privileged and standard users. For standard users, passwords expire after six months, the same password may not be reused, passwords may be changed at most once per day, and the complexity requirements apply. Administrators who enjoy privileged use have a password expiry period of ninety days. The review and change management guidelines concerning the password policy advocate account lockout after a few unsuccessful attempts (Peltier, 2016). Standard users’ accounts lock automatically after eighteen invalid attempts within fifteen minutes, which is also the time an account remains locked without intervention. Privileged users’ accounts lock after twelve unsuccessful password attempts.
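The standards above can be expressed as a small, testable model. The following is an added example and not part of the handbook: the expiry, change-interval, reuse and lockout figures are those stated above, while the complexity rules, the plain SHA-256 digest and the sample passwords are assumptions made for illustration.

```python
"""Password standards from the handbook, modelled as checkable rules (added
example; the complexity rules and sample values are assumptions)."""
import hashlib
import re
from dataclasses import dataclass, field

DAY = 86400                               # seconds
STANDARD_EXPIRY_DAYS = 180                # six months for standard users
PRIVILEGED_EXPIRY_DAYS = 90               # ninety days for privileged users
MIN_CHANGE_INTERVAL_DAYS = 1              # at most one change per day
LOCKOUT_WINDOW_SEC = 15 * 60              # failures counted within 15 minutes
LOCKOUT_DURATION_SEC = 15 * 60            # account stays locked for 15 minutes
LOCKOUT_THRESHOLD = {"standard": 18, "privileged": 12}


def complexity_errors(password):
    """Assumed complexity rules (the handbook does not spell them out)."""
    errs = []
    if len(password) < 12:
        errs.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        errs.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errs.append("no uppercase letter")
    if not re.search(r"\d", password):
        errs.append("no digit")
    if not re.search(r"[^\w\s]", password):
        errs.append("no symbol")
    return errs


def _digest(password):
    # Plain SHA-256 keeps the example short; a real deployment would use a
    # salted, deliberately slow password hash instead.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    role: str                      # "standard" or "privileged"
    pw_hash: str
    changed_at: float              # time of the last password change (seconds)
    history: list = field(default_factory=list)   # digests of old passwords
    failures: list = field(default_factory=list)  # times of failed attempts
    locked_until: float = 0.0

    def change_password(self, new_pw, now):
        """Return the reasons a change is refused; an empty list means accepted."""
        errs = complexity_errors(new_pw)
        if now - self.changed_at < MIN_CHANGE_INTERVAL_DAYS * DAY:
            errs.append("changed within the last day")
        if _digest(new_pw) == self.pw_hash or _digest(new_pw) in self.history:
            errs.append("password reused")
        if not errs:
            self.history.append(self.pw_hash)
            self.pw_hash = _digest(new_pw)
            self.changed_at = now
        return errs

    def attempt_login(self, password, now):
        """Return 'locked', 'ok', 'expired' or 'bad' and apply the lockout rules."""
        if now < self.locked_until:
            return "locked"
        if _digest(password) == self.pw_hash:
            self.failures.clear()
            limit = PRIVILEGED_EXPIRY_DAYS if self.role == "privileged" else STANDARD_EXPIRY_DAYS
            return "expired" if now - self.changed_at >= limit * DAY else "ok"
        # Only failures inside the 15-minute window count towards the threshold.
        self.failures = [t for t in self.failures if now - t < LOCKOUT_WINDOW_SEC]
        self.failures.append(now)
        if len(self.failures) >= LOCKOUT_THRESHOLD[self.role]:
            self.locked_until = now + LOCKOUT_DURATION_SEC
            self.failures.clear()
            return "locked"
        return "bad"


def new_account(role, password, now):
    """Create an account; the initial password must already meet the rules."""
    assert not complexity_errors(password), "weak initial password"
    return Account(role=role, pw_hash=_digest(password), changed_at=now)
```

Timestamps are passed in explicitly so the expiry and lockout windows can be exercised without waiting; a real system would read the clock and persist the account state.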
The security administrator can further train users on creating other types of compliant passwords, such as acronyms, secret codes and passphrases, which produce complex passwords that give attackers a difficult time. In case of password problems, the security administrator will inform authorized users of the reset options, such as video conference, fax, an in-person visit to the support office, and the password self-service (Nazareth & Choi, 2015). The administrator also reminds users to report compromised passwords immediately through the right channels, such as ITS support and the privacy office.
Incident Response Policy
The incident response policy requires the management and administrators to establish quick yet effective response measures whenever security issues arise. Moreover, the management, led by the security administrator, is responsible for designing the objectives of the policy based on the institute’s security threat priorities. For instance, one objective of the policy is ensuring that the organization has a reliable method of handling security incidents effectively. The management’s duty in this case involves identifying and reporting security weaknesses and events so that the appropriate action plan is known (Shields, 2015). When the reported security weaknesses are filed, procedures for reducing the likelihood of future occurrence are also taken. For instance, the security administrator’s handbook defines the function and expectations of the policy, the contact person during incidents and the communication channels to be used for incident response.
The primary concern of the incident response policy is covering all identified incidents while delegating roles and defining procedures for handling security issues efficiently. The policy covers the detection, analysis, containment, eradication and recovery of security incidents. Several members of the organization, including the security team, the director of information security and the person who reports the incident, take responsibility for finding solutions to the problems. The procedures and guidelines for changing the incident reporting process follow a sequence that meets the requirements of the organization (Nazareth & Choi, 2015). The first step of the process is the detection phase, followed by the analysis phase, which together establish the causes, effects and solutions of the security incidents.
The next guideline for strengthening the incident response policy entails creating notifications about abnormal activities observed on the information systems and about data breaches, which fall under the containment, eradication and recovery phases. Where communication and notifications fail to yield reliable information for combating the security incidents, the administrator’s handbook advises seeking assistance from external investigators and using both internal and external incident communications (Baskerville et al., 2014). However, the employees of the institute must be advised against sharing information with outsiders and the media without a direct instruction through the communication channel. The last procedure is the follow-up that ensures the security incidents get resolved.
User Awareness and Training Policy
The policy contains all the information the stakeholders of the institute need to understand the operation of the information and security systems. For example, the members learn about the interoperability of the organization’s information assets, the functions of the information systems, the security concerns, and the information technology standards. The purpose of the policy, which is also in line with state requirements, is to teach and train the system users about information threats, proper action plans and individual responsibilities concerning security. Additionally, the awareness training champions the organization’s best practices for safeguarding information systems (Peltier, 2016). The policy also adheres to a few standards, which include security training records, program delivery, and role-based learning. All authorized users of the organization’s information systems are first trained on the basics, such as electronic updates, self-service and the employee handbook, and then move on to the general awareness training.
The series of training sessions requires the members to gain a deeper understanding of everyone’s responsibilities. Some of the distinct roles explained in the policy include those of third parties, covered personnel, the management, and the information security officer. Thanks to the established employee handbook, newsletters and pamphlets, the authorized users of the information systems can make extra efforts to master the training material. Additionally, the topics taught in the awareness training include cybersecurity threats, the roles of technical staff, and basic security expertise (Shields, 2015). After the security awareness training, the management keeps attendance records and follows up on them to confirm the participants’ commitment to mastering the concepts. Another crucial guideline for the better performance of the policy is enforcement. Members who violate the policy should be subject to disciplinary action so that the training carries more weight in securing the information systems. The training should also be held regularly, because security threats keep changing, so that the reviews and change management remain effective.
A security administrator’s handbook contains the policies and guidelines that ensure the organization’s information systems remain uncompromised at all times. Breaches of information systems mostly come from hacking. Therefore, the security administrator outlines the essential countermeasures for keeping hackers and other malicious intruders from accessing private information. Some of the critical measures for protecting the information assets of an organization include encrypting all equipment, limiting access, and creating robust firewalls and passwords that are difficult to crack. The security administrator’s handbook contains policies such as incident response, acceptable use and awareness training to address the issues of the system. The basic procedures for protecting information assets that are also documented in the security administrator’s handbook include physical security, remote access security, and laptop and media security.
References
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138-151.
Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security management. Information & Management, 52(1), 123-134.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach Publications.
Shields, K. (2015). Cybersecurity: Recognizing the risk and protecting against attacks. NC Banking Inst., 19, 345.