Security Policy Defined
A financial institution's security policy is the foundation upon which all information
security-related activities are based. For a security policy to be effective, it
must receive senior management approval and support. The security policy must keep
up with the information systems technology that provides access to the company's resources.
eScope Solutions' Security Engineers will create or update your credit
union's security policy to help balance operational requirements with the state of the art
in security solutions.
Service Description
eScope Solutions' steps to create or update a security policy:
- Before resources can be protected, it must first be understood what is being protected and why. The "what" is derived from data classification of company proprietary data (e.g., very confidential, confidential, internal, and public). The "why" is based on how important the information is to Management and the Board of Directors and what the cost and/or the effect of loss would be.
- Once the corporate information has been defined and valued, the method of access needs to be addressed. An employee or job function needs to be defined in order to grant access to, and distinguish responsibility for, the institution's resources. Since access to information is accountable, there must be layers of management in the approval chain.
- A risk is defined as a vulnerability inside or outside the network environment that has the potential to be exploited and thus cause harm to information or a system. Assessing risk for all aspects of the network is paramount in maintaining a secure environment. A strategy must be formulated to perform periodic testing of the network's vulnerabilities. Test results should then be used to remediate the vulnerabilities found. This is an ongoing process and a routine security measure.
- A security policy is considered a moving target. It should be updated at regular intervals, and periodic audits should be conducted to test compliance with it.
eScope Solutions' Security Engineers will customize and develop a comprehensive security
policy tailored to your specific network environment. All aspects
of network security will be detailed in a complete policy. Areas of interest covered by
the policy will include:
- Information Resource Technology Management
- General Definitions
- Classification of Data
- General IS Security Policy and Goals
- IS Security Principles of Behavior
- IS Security Rules for Specialized Users
- Information Systems Security Audit Reviews
- Perimeter Security / Firewall Management
- Vulnerability Assessments, Internal and External
- Intrusion Detection and Prevention Systems
- Data Center Access Security Policy
- Network Equipment Security Policy
- Data Protection Security Policy
- Data Backup Security Policy
- User Accounts Management Policy
- Operating Procedures for Specialized Systems
- Password Policy
- Electronic Mail Policy
- Malicious Code Policy
- Web-Based Services Policy
- Internet / Intranet Usage Policy
- Computer Security Incident Response Capability
- IS Security Awareness, Training and Education
- Remote Access Policy
- Wireless Access Policy