Draft policy for the non-profit organization, SNPO-MC
Name:
Number:
Course:
Lecturer:
Purpose
The aim of this policy is to offer guidance to SNPO-MC managers, executives, and cloud computing service providers on matters of information and IT infrastructure security. This new policy will replace the existing Enterprise IT Security Policy, which focuses entirely on the enterprise security needs of organization-owned equipment: database servers, web and email servers, file servers, remote access servers, desktop computers, workstations, laptop computers, licensed software applications, and so on. The IT security policy also addresses incident response and disaster recovery.
Policy review requirements
The Office of the Chief Information Officer (CIO) and the Office of Finance will be responsible for facilitating this policy review with the support of the executives. A thorough assessment of the existing system infrastructure will be required so that the evaluation is informed before any correction is made.
Review procedure and amendment
The policy review process will be based on the results of assessing the existing policy guidelines. Any weaknesses found in the guidelines become the starting point for policy amendment, carried out by the IT team led by the chief information officer with the help of the cloud service providers.
I. Scope
As part of the policy development task, the following list of issues, developed during brainstorming sessions by executives and managers in the non-profit organization's three operating locations, will be taken into consideration. The issues include content ownership, privacy and confidentiality, enforcement, penalties for violation of the policy, use by sales and marketing, customer service/outreach, teleworkers, advertising and e-commerce, and use by public relations and corporate communications. Other issues brainstormed include review requirements, use of content and service monitoring tools, and content generation and management, among others, as described below.
II. Statement of policy
The ICT system resources are basic assets of SNPO-MC. All organization staff shall be responsible for ensuring that the ICT infrastructure facilities are used effectively and efficiently, in a lawful and ethical way. This policy document identifies several responsibilities and staff roles for securing ICT resources. Nevertheless, the policy cannot possibly cover every circumstance or future development. Consequently, these policies are to be taken as a flexible document that can be modified according to the requirements of the organization. The document shall be revised after at least three years to correct it and to guarantee compliance with existing rules and regulations.
III. Definitions
Employees: the employees of the SNPO-MC organization.
Loaned staff members: executives and other staff who are “on loan” from Fortune 500 companies. Loaned staff members telework for SNPO-MC for one to two days per week for a year.
Volunteer staff members: volunteers who carry out duties or work for SNPO-MC. Volunteer staff members also telework from their homes for one to two days per week.
Individual users: an authorized connection with the SNPO-MC organization is needed to gain access to the network system. This authorization is demonstrated by the existence of user credentials within the organization’s network system. Users shall agree to abide by all relevant policies and to cooperate with the procedure for registering every ICT device used to access the network, laptops and desktop computers included. Users shall also be familiar with the operating procedures and special requirements of the devices and the software applications used.
IV. Policy
Application of policy
The policies in this document shall apply to every staff member of the SNPO-MC organization, including volunteers, service provider consultants and any other individual who has access to SNPO-MC ICT resources. The policies also apply to all of the organization's electronic information system resources, plus every item of ICT hardware and all licensed, leased or owned software used for processing, storing, retrieving and transmitting data. Personally owned hardware and software, such as laptops, are also covered by the policy whenever they are used to access SNPO-MC resources. However, the organization will not alter the software or the information contained on personal equipment unless given permission by the owner.
Responsibilities and security roles
All staff shall have the responsibility of securing ICT resources. Therefore, any individual who uses SNPO-MC resources shall strictly observe these ICT security policies and processes during and after their time at the organization. It will be the responsibility of the information security specialist to develop these policies. The new chief information officer to be recruited by the organization will be responsible for implementing the policies, assisted by the other personnel responsible for system security in the organization. The chief information officer will also be responsible for speaking with authority on behalf of the organization. Both the chief information officer and the chief security specialist will be responsible for managing compliance with laws and regulations.
Content ownership and users
The website content will be owned by the SNPO-MC organization but managed by the cloud service providers. The cloud service providers offer information as a service, platform as a service and software as a service (NSA, 2009; SANS, 2010). These three services will be provided to the SNPO-MC organization by the providers. The users will include public relations and communication parties such as shareholders, customers/clients (mainly charities and non-governmental organizations) and the general public. The teleworking employees, SNPO-MC executives and volunteers will also use the content, mainly for advertising and e-commerce. The content will also be used by sales and marketing staff as well as by customer service staff to reach clients. Content generation shall include documents, email and cloud storage, to be managed by the cloud service providers.
Requirements for privacy and confidentiality
Privacy and confidentiality shall be enforced through usernames and passwords, verification of usernames and passwords, hardware device registration (whether personal or organization-owned), assignment of network identities, disposal of equipment, registration of servers, and security of third-party services (services offered by cloud computing service providers). Other means of enforcing privacy and confidentiality shall include software configuration, which in turn comprises antivirus installation, firewall installation and configuration, use of licensed software, software patch updates, use of safe data transmission across the channel, and a secure approach to data storage. All these requirements are meant to ensure that access to the organization's sensitive data is restricted or minimized. As a result, the cloud service provider will configure various user levels within the organization.
Enforcement
Any violation of any part of this policy shall be reported to the chief information officer. The chief information officer shall be responsible for investigating the incident and then taking the appropriate action to resolve it. The actions taken shall include, but are not limited to, temporary or permanent loss of access privileges and remedial education; probable violations of local, state or federal civil or criminal law may be referred to the appropriate authorities. SNPO-MC shall take the necessary action(s) to assess and tackle violations of these policies, which may include temporary or permanent termination of computer or network access privileges pending the outcome of the investigation process.
To make sure that compliance is achieved, the information security specialist, together with the organization's IT team, shall constantly monitor network traffic in order to detect any illegal activity or network intrusion attempt by internal or external attackers. They will also examine any software or file stored on the organization’s systems or transmitted across the SNPO-MC network. They will conduct network security scans of the systems and devices on the organization’s network and examine the results in order to detect known vulnerabilities. They will report the findings to the appropriate manager or executive in the organization. Where a security vulnerability is significant in nature, steps will be taken to disable the affected systems' access to the SNPO-MC network. Enforcing the privacy policy will also require suitable controls to be put in place, especially where data is stored in the cloud service providers' infrastructure, as is expected in this case (Security, 2012).
Access to SNPO-MC records
SNPO-MC shall provide its employees, volunteers and executives with limited access to only those sections of data or information that they need in order to carry out their job duties. A number of access levels are available, which depend on the type of position that an individual holds. Since cloud computing consists of both a server side and a client side, this will also ensure that the client computing environment meets the organization's security and privacy requirements for cloud computing (Jansen & Grance, 2011). It will also make sure that restrictions on data access are consistent and depend on legal, ethical and practical concerns. Rights to access data shall be assigned automatically depending on the role of the staff member or individual within the organization.
Security breach reporting
Any security breach of the organization’s information or other resources shall be reported to the information security specialist, who will in turn report to the chief information officer.
Backing up and Recovering of data
The servers and other computers used in the organization to offer shared network resources shall be used to back up information regularly. Much of the information shall be backed up by the cloud service providers at their data center. Backing up this information at the provider’s data center will be very helpful in ensuring business continuity and disaster recovery during and after downtime. In fact, the policies and procedures for backing up and recovering data using cloud providers can be superior to those that the organization could adopt itself, and hence can be more robust. As a result, data stored within the cloud can be more available when needed, faster to recover and, in many situations, more dependable than data in conventional data centers. Therefore, disaster recovery capabilities are built into the cloud computing environment (Wayne & Timothy, 2011). The information as a service (IaaS) offerings of the cloud providers provide backup and recovery of file systems, including raw data stores on servers and desktop systems (Liu et al., 2011).
Awareness and training
All the basic aspects of ICT security, privacy and confidentiality, and the procedures connected with access to the system, shall be incorporated into the formal orientation and training of staff employees and volunteers, which shall be mandatory for all.
References
Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing. NIST Special Publication 800-144.
Liu, F., Tong, J., Mao, J., Bohn, R., Messina, J., Badger, L., & Leaf, D. (2011). NIST cloud computing reference architecture. NIST Special Publication 500-292.
Opportunities. Retrieved on 19/04/2015 from http://www.nsa.gov/ia/_files/support/Cloud_Computing_Guidance.pdf
SANS Institute InfoSec Reading Room. (2010). Cloud Security and Compliance: A Primer. Retrieved on 19/04/2015 from http://www.sans.org/reading-room/whitepapers/analyst/cloud-security-compliance-primer-34910
Security for Cloud Computing: 10 Steps to Ensure Success. (2012). Retrieved on 19/04/2015 from http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf
Wayne Jansen & Timothy Grance. (2011). Guidelines on Security and Privacy in Public Cloud Computing. Retrieved on 19/04/2015 from http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf