Handbook for Security Administrator

Security threats have been an occurring challenge in many organizations today. For this reason, security administrations have been pushed to update their policies and security measures in a bid to protect against future security threats. Developing their security policies helped to defend these organizations from possible threats. The security policies are essential as they guide the organizations and give necessary information on security in case of an attack. (Nieles, Dempsey, & Pillitteri, 2014). The Security measures created should be useful, flexible and should be in line with whatever security challenges the organizations may face.

Policy Statement

Security remains to be one of concerns of this organization. As the Security Administrator, one has the responsibility to ensure the smooth management, integration, coordination and execution of the organization’s security initiatives. Organizational safety requires input from all stakeholders including the employees, visitors, internal and external security personnel all working together to ensure the guarantee of security. The organization provides guidelines in planning and coordination of security activities with all partners in a bid to encourage readiness in an otherwise volatile environment. The policy creates a framework to enable the organization to understand and be ready to deal with possible security threats while ensuring safety at all levels.

Michael Jones

Security Administrator

Purpose of Security Policy

• Protect the Organization from external and internal security threats.
• Establish guidelines on the course of action in the event of a security threat.
• Outline best security practices while ensuring compliance with the policy.
• Identify the security controls to govern systems in the organization, behavior, and activities of both external and internal personnel.

Objectives

• To protect valuable assets, information from unauthorized access or disclosure.
• To define a set of conditions that help protect the organization’s assets.
• To protect both internal and external personnel from potential security threats.
• To limit security liability from either the employees or third parties.

Standards

The security policy document designed from the highest level in the organization must have standards. The developed standards will be in line with those outlined in the organization. The standards indicate the technologies and methods that will be used to secure the organization. NIST’s cybersecurity framework is helpful in ensuring that systems used are reliable and can be used to reduce risks (National Institute of Standards and Technology, 2017). The established standards in the organization will be based on;

• Information security standards
• Personnel protection standards
• Standards on Management of Risks
• Information technology standards
• Selection of safeguards standards
• Standards on delegation of duties on Security Functions
• Standards on Security Awareness training
• Standards on Management of Security Guards

Section One: Procedures and Guidelines in;

Network Architecture and Security Considerations

The network architecture will be designed in such a way that it incorporates the aspect of access control. Not every user can access the organization’s network. The system will equally be designed to recognize users and devices accessing the network (Cisco, 2017). Limited access will be given to noncompliant users to protect the system from possible breach (Vukalović, & Delija, 2015).

Wireless Security

Products will be put in place by the organization to protect unauthorized access. The system will be designed to have features that facilitate rogue detection as a way of preventing attempts to gain access to the network (Cisco, 2017).

Remote Access Security

An authentication method will be used to allow remote access to the system. Authorized users have a responsibility to uphold in ensuring that appropriate use of the system takes place.

Laptop and Removable Media Security

Employees are not allowed to use personal laptops and removable media on organizational devices. All organizational businesses will be conducted using the company’s devices and strictly for transactional purposes. The use of personal devices will only be allowed in exceptional situations such as when there are no alternatives, but this must be authorized by senior management personnel.

Vulnerability and Penetration Testing

Vulnerability and penetration testing will be done periodically. The activity will be done on a weekly basis. However, this can be done at any given time when new systems are introduced in the organization.

Physical Security

The security guards will be deployed in every section of the organization to ensure the physical security of the users and gadgets in the organization. Security issues that arise will be reported to the nearest security guards for an appropriate course of action.

Guidelines for Reviewing and Changing Policies

Policies will be reviewed on a monthly basis to check their suitability to the changing security conditions. The Security administrator will work in coordination with a team of security professionals to check in such cases.

Section Two: Policies

Acceptable Use Policy

The security administrator working with the network administrators will be in charge of setting up the acceptable use policy which will govern the use of the organization’s network, website, and system. The administrator will equally set the guidelines on the overall usage of the network. The administrator will set rules as to the individuals who will be having access to the network. Employees are expected to adhere to the rules that will have been implemented.

Password Policy

Accessibility to various systems will be governed by the rule of password policy. Users will have passwords provided to them that will help them access the system at their convenience. Each user is expected to keep the password confidential to bar unauthorized access to the system. Passwords will be provided at different security levels so each user can only access the system based on their clearance levels.

Incident Response Policy

Incidences that occur in the organization will be addressed in a vertical manner. The issue will be reported to the immediate departmental head who will then report the same to the senior management. Each of the incidences that occur must be documented for future references. The problem will be recorded and the course of action on the same documented.

User Awareness and Training Policy

Users will be trained on a monthly basis on the proper use of the system. The goal will be to create awareness on the use. This will be done through training in workshops and seminars. The training will be done sequentially to ensure every user is made aware of the security policies in the organization and what to do in the course of potential attack.

Responsibilities

The responsibility of maintaining security in the organization will be bestowed on every individual. The policy requires each member to take responsibility to ensure protection from both external and internal threats. Issues that arise should be reported through the established channels as outlined in the Security administration handbook.

Review and Change Management

The security administrator acknowledges the continued changing patterns as regards to the concept of security. In response, the policy will be reviewed on a monthly basis to ensure that it adheres to organizational standards and those established by certified agencies.

References

Cisco, P. (2017). What Is Network Security?. Cisco. Retrieved 11 March 2017, from http://www.cisco.com/c/en/us/products/security/what-is-network-security.html

National Institute of Standards and Technology. (2017). Framework for Improving. New York: National Institute of Standards and Technology. Retrieved from https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework

Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2014). An Introduction to Information Security. New York: Olympia Publishers. Retrieved from http://csrc.nist.gov/publications/drafts/800-12r1/sp800_12_r1_draft.pdf

Vukalović, J., & Delija, D. (2015, May). Advanced Persistent Threats-detection and defense. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on (pp. 1324-1330). IEEE.