
Updated: Nov08

Page # 1 of 11

IT SECURITY POLICY & RISK MANAGEMENT


1. INTRODUCTION:
The correct functioning of information systems is important to most businesses. Threats to computerized information and processes are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate significant threats or reduce them to an acceptable level. What needs to be protected, against whom, and how? Security is the protection of information, systems and services against disaster, mistakes and manipulation so that the likelihood and impact of security incidents is minimized.

2. WHY IT SECURITY IS NECESSARY


CREATIVE SHIRTS LTD. uses electronic information extensively to support its daily business processes. Data is stored on customers, products, contracts, financial results, accounting, etc. If this electronic information were to become available to competitors, or were to become corrupted, falsified or lost, what would happen? What would the consequences be? Could the business still function?

A. Customer information or accounting information could be disclosed, affecting credibility.
B. This information could be used by competitors to launch more effective marketing campaigns.
C. Competitors could be launching an invisible but effective attack which could be difficult to prove. If such an attack disrupted customer service or destroyed some accounting data, it could reduce customer confidence and help competitors increase their market share.
D. IT systems have been under attack for decades now, but never before were so many computers networked, and never before have so many cheap automated attack tools been available to would-be enemies. It is often impossible or very difficult to know if we are under attack and from whom. Recently many automated attack tools have appeared on the Internet, making it much easier for attackers with little expertise to cause considerable damage.
E. Virus development has continued at an alarming rate in the last few years, leaving few companies untouched.
F. System interconnection increases security risks significantly.

3. FOLLOWING TO BE AVAILABLE TO IMPLEMENT FULL SECURITY:


a. Information security policy documents
b. Allocation of security responsibilities
c. Information security education & training
d. Reporting of security incidents
e. Virus controls
f. Business continuity planning process
g. Control of proprietary copying
h. Safeguarding of company records
i. Compliance with data protection legislation
j. Compliance with security policy


4. EXAMPLES OF MAJOR RISKS / WEAKNESSES:


a. Management does little to encourage and support security measures.
b. There is an inadequate information security policy, and information is not classified.
c. Users are not security aware and generally use bad passwords.
d. Unused terminals are rarely protected.
e. Few computers are installed with homogeneous, standard software. Most users install what they want on their machines.
f. The Internet connection is made through a weak firewall, with few access control mechanisms, no audit log, no official policy, and no monitoring, intrusion detection or incident response team.
g. Certain servers are not kept in locked computer rooms, and have no backup power circuit, air-conditioning or static/electromagnetic protection.
h. No off-site tape backups are made.
i. Employees are not identified adequately, and visitors may roam unchecked.

5. OUR COUNTER STRATEGY & COUNTERMEASURES SHOULD BE:


a. Eliminate the risk, or
b. Reduce the risk to an acceptable level, or
c. Limit the damage (reduce the impact of a threat), or
d. Compensate for the damage (insurance).

6. FOLLOWING TO BE FOLLOWED TO ENSURE SECURITY:

a. Employees working with computers and on the network should be reliable, and proper verification should be done before they are made permanent employees.
b. No unauthorized person should be allowed to sit at a computer.
c. C-TPAT should be followed in the company.
d. Terminated/resigned employees should not be allowed to sit at a computer.
e. Passwords should be changed monthly, or as and when required.
f. Passwords should be made mandatory for all users.
g. A reliable operating system should be used.
h. Virus protection should be used.
i. File/folder guard software should be used.
j. Sharing of files/folders should be closed after completion of work.
k. Important files should be kept hidden.
l. Maintenance of the hardware should be done at regular intervals.
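Three of the rules above (passwords mandatory for all users, passwords changed monthly, terminated or resigned employees not allowed on the computers) can be checked mechanically against an export of the user accounts. The script below is an added example and is not part of the original policy document: it audits a list of account records against those three rules. The account records, the field names and the 30-day limit derived from "monthly" are assumptions; in practice the records would be exported from the domain server.

```python
# Added example (not part of the original policy document): audit user account
# records against three rules from section 6 of the policy:
#   - every user must have a password,
#   - passwords must be changed at least monthly (taken here as 30 days),
#   - terminated/resigned employees must not keep a working account.
# The record layout and the sample accounts are constructed for this example;
# the field names are assumptions, not an export format of any real product.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE_DAYS = 30  # "Password should be changed monthly"


@dataclass
class Account:
    username: str
    enabled: bool
    has_password: bool
    password_last_set: Optional[date]   # None = never set
    employment_status: str              # "active", "terminated" or "resigned"


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return sorted (username, finding) pairs for every enabled account that
    violates one of the three rules. Disabled accounts are skipped because they
    cannot be used to sit at a computer."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.employment_status in ("terminated", "resigned"):
            findings.append((acct.username, "account still enabled after leaving"))
        if not acct.has_password or acct.password_last_set is None:
            findings.append((acct.username, "no password set"))
            continue  # no password means no password age to check
        age = (today - acct.password_last_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.username, f"password is {age} days old"))
    return sorted(findings)


# Constructed sample data; the usernames are placeholders.
TODAY = date(2008, 11, 15)
SAMPLE_ACCOUNTS = [
    Account("user01", True, True, TODAY - timedelta(days=10), "active"),
    Account("user02", True, True, TODAY - timedelta(days=45), "active"),
    Account("user03", True, False, None, "active"),
    Account("user04", True, True, TODAY - timedelta(days=5), "resigned"),
    Account("user05", False, True, TODAY - timedelta(days=200), "terminated"),
    Account("user06", True, True, TODAY - timedelta(days=30), "active"),  # boundary: exactly 30 days is still compliant
]

if __name__ == "__main__":
    for username, finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{username}: {finding}")
```

Run against the sample data it reports user02 (password 45 days old), user03 (no password) and user04 (resigned but still enabled); user05 is disabled and so is not reported, and user06 at exactly 30 days is still within the monthly limit.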

7. TYPES OF INFORMATION SECURITY CONTROLS


PHYSICAL CONTROLS

Physical security is the use of locks, security guards, badges, alarms, and similar measures to control access to computers, related equipment (including utilities), and the processing facility itself. In addition, measures are required for protecting computers, related equipment, and their contents from espionage, theft, and destruction or damage by accident, fire, or natural disaster (e.g., floods and earthquakes).


PREVENTIVE PHYSICAL CONTROLS

Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters. Examples of these controls include:

a. Backup files and documentation.
b. Fences.
c. Security guards.
d. Badge systems.
e. Double door systems.
f. Locks and keys.
g. Backup power.
h. Biometric access controls.
i. Site selection.
j. Fire extinguishers.

BACKUP FILES AND DOCUMENTATION


Should an accident or intruder destroy active data files or documentation, it is essential that backup copies be readily available. Backup files should be stored far enough away from the active data or documentation to avoid destruction by the same incident that destroyed the original.

FENCES
Although fences around the perimeter of the building do not provide much protection against a determined intruder, they do establish a formal no-trespassing line and can dissuade the simply curious person. Fences should have alarms or should be under continuous surveillance by guards, dogs, or TV monitors.

ACCESS CONTROL SOFTWARE


The purpose of access control software is to control sharing of data and programs between users. In many computer systems, access to data and programs is implemented by access control lists that designate which users are allowed access. Access control software provides the ability to control access to the system by establishing that only registered users with an authorized log-on ID and password can gain access to the computer system.

ANTIVIRUS SOFTWARE
Viruses have reached epidemic proportions throughout the microcomputing world and can cause processing disruptions and loss of data, as well as significant loss of productivity while cleanup is conducted. In addition, new viruses are emerging at an ever-increasing rate, currently about one every 48 hours. It is recommended that antivirus software be installed on all microcomputers to detect, identify, isolate, and eradicate viruses. This software must be updated frequently to help fight new viruses. In addition, to help ensure that viruses are intercepted as early as possible, antivirus software should be kept active on a system, not used intermittently at the discretion of users.


COMPUTER NETWORK OF CREATIVE SHIRTS LTD.

[Screenshots in the original; only the captions survive: OUR DOMAIN SERVER (Windows Server-2003); OUR E-MAIL SERVER; SECURITY PASSWORD AGE; USER LIST; USER NEW PASSWORD SET; USER POLICY; USER ACCESS / ACCOUNT POLICY; CRYSTAL REPORT; CC CAMERA (CLOSED CIRCUIT CAMERA); OUR BACKUP FOR C.C CAMERA; OUR PAYROLL SYSTEM]

DESCRIPTION:
1. 01 Server Computer.
2. 05 Networked Personal Computers.
3. 01 Pcs. Switch.
4. 02 PCs for Closed Circuit Camera (with fourteen cameras).
5. 04 Pcs. Printers.
6. 02 Pcs. Scanners.

OUR IT FACILITIES:
a. Our server operating system is Windows Server 2003.
b. 05 computers with network connectivity (LAN & switch), 24 hours online.
c. Every individual machine is using Windows XP.
d. Every user has an individual e-mail address.
e. Our web server is maintained by IT.
f. One photocopier machine.
g. Every computer has a UPS.
h. Scanner and digital camera.
i. Broadband LAN connectivity to all computers.
j. This software also records system information and details of what the users do in the office.
k. Our IP addresses are permanently blocked from other networks, so nobody can access our network.
l. Our system is checked every day by IT.
m. There are two backups in our system.
n. The MRTG graph is checked every day by IT.
o. The web services log, mail log and queue log are checked every day by IT for security purposes.
p. There are 14 (fourteen) cameras now running in different places. They are:
   Camera 1 (Finishing-A Gate-1)
   Camera 2 (Sewing-A Gate-1)
   Camera 3 (Sewing-B Gate-2)
   Camera 4 (Sewing-A Gate-1)
   Camera 5 (Finished Goods Area)
   Camera 6 (Packing Area)
   Camera 7 (Finishing-A Gate-2)
   Camera 8 (Sewing-B Gate-1)
   Camera 9 (Loading Gate)
   Camera 10 (Finishing-B Gate-2)
   Camera 11 (Bonded warehouse)
   Camera 12 (Finishing-B Gate-1)
   Camera 13 (Inside Road)
   Camera 14 (Loading / Unloading)
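The facilities list says the web services log, mail log and queue log are checked daily for security purposes but does not say what the check looks for. The script below is an added example, not part of the original document: it shows one concrete daily check, counting failed logon attempts per source address across the logs and flagging any address that exceeds a threshold. The line format, the sample lines and the threshold of three are constructed for this example; real web and mail servers write their own formats and would need their own parser.

```python
# Added example (not part of the original policy document). One concrete form
# of the daily "check the web, mail and queue logs" task: count failed logons
# per source address across all services and flag repeat offenders, while
# counting (not silently dropping) lines that do not parse.
# The line format and sample lines below are constructed for this example.
import re
from collections import Counter

# Constructed format: "<date> <time> <service> <source ip> <user> <result>"
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<service>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

FAIL_THRESHOLD = 3  # assumption: three or more failures from one address in a day is worth a look

# Constructed sample lines (RFC 5737 documentation addresses, placeholder users).
SAMPLE_LOG = """\
2008-11-15 08:01:02 mail 203.0.113.5 user01 LOGIN_OK
2008-11-15 08:01:10 mail 198.51.100.7 user02 LOGIN_FAIL
2008-11-15 08:01:12 mail 198.51.100.7 admin LOGIN_FAIL
2008-11-15 08:01:15 web 198.51.100.7 admin LOGIN_FAIL
2008-11-15 08:01:20 web 198.51.100.7 root LOGIN_FAIL
2008-11-15 08:02:00 web 203.0.113.5 user01 LOGIN_OK
2008-11-15 08:03:00 mail 192.0.2.9 user03 LOGIN_FAIL
this line is malformed and is counted as such, not trusted
"""


def parse_log(text):
    """Return (records, malformed_count); each record is the regex group dict."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            malformed += 1  # unparseable input is reported, never guessed at
            continue
        records.append(m.groupdict())
    return records, malformed


def failed_logins_by_ip(records):
    """Count LOGIN_FAIL records per source address across all services."""
    return Counter(r["ip"] for r in records if r["result"] == "LOGIN_FAIL")


def flag_sources(text, threshold=FAIL_THRESHOLD):
    """Return sorted (ip, failure_count, sorted usernames tried) for every
    source address with at least `threshold` failed logons."""
    records, _ = parse_log(text)
    flagged = []
    for ip, n in failed_logins_by_ip(records).items():
        if n >= threshold:
            users = sorted({r["user"] for r in records
                            if r["ip"] == ip and r["result"] == "LOGIN_FAIL"})
            flagged.append((ip, n, users))
    return sorted(flagged)


if __name__ == "__main__":
    records, bad = parse_log(SAMPLE_LOG)
    print(f"{len(records)} records parsed, {bad} malformed line(s) skipped")
    for ip, n, users in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed logons, users tried: {', '.join(users)}")
```

Counting across the web and mail logs together is the point of the example: an address that fails twice against the mail server and twice against the web server never crosses a per-service threshold, but it does cross the combined one. The malformed-line count is printed so that a log that suddenly stops parsing (rotated, truncated, or tampered with) is noticed rather than read as "no failures today".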


PROTECTION NEEDED
The type and relative importance of protection needed for the LAN/WAN must be considered when assessing risk. LAN and WAN systems and their applications need protection in the form of administrative, physical, and technical safeguards for reasons of confidentiality, integrity, and availability.

CONFIDENTIALITY
The system contains information that requires protection from unauthorized disclosure. Examples of confidentiality requirements include the need for timed dissemination (e.g. the annual budget process), personal data covered by privacy laws, and proprietary business information.

8. CONCLUSION:
IT security cannot be overlooked in any way. To safeguard the important documents of our company, we all must follow our security policy. All users and the management of the company should understand the requirements of the policy and should be committed to following it in the greater interest of the company.

Checked & Verified By :

Prepared By

....................................

......................................

Abdul Mottaleb
Compliance Manager Sonia & Sweaters Ltd.

Mahamud Hasan
MIS & HR Executive

[Screenshot in the original; caption: Roaming Profiles (Auto Desktop Backup)]