Information Security Policies and Controls

Assessment of information security of an organization is considered as an ongoing process of discovering, modifying and preventing the security related issues. The study deals with the procedures of developing security policies and controls that are able to address possible threats. In addition, vulnerabilities and plan to develop business continuity can be achieved with the help of developing security policies.  The procedure followed by Telstra to address possible threats and vulnerabilities is discussed in the study. On the other hand, information security for compliance with ethical and legal frameworks is discussed in the current study that assists to provide recommendations on the use as well as application of information, which are explained in the report.

Information security of an organization is referred to the process of protecting information as well as systems from attacking of the unauthorized access, use, procedure of disruption, destruction as well as making necessary modification (Bennett, 2015). In addition, the objectives and security program consisting protection of the organization and assets are explained. The management of risks through identifying the assets is important for security program of an enterprise.

Development and management of security program is considered as an effort that the organization develops into overtime. In developing the foundation for a security program, the organizations will designate a staff that will start the procedure of creating a plan in order to manage the risk by implementation of security technologies, auditable work procedures as well as documented polices along with processes. An access control policy outlines the access that is available to the staffs related to data as well as information systems of the organization. Additional supplementary item consists of the methods to monitor the process of accessing as well as using the corporate systems and securing the workstations (Bennett, 2015). On the other hand, the change management policy is refereed as the formal procedure to make changes to information technology, software development as well as security operations.

The target of a change management program is increasing awareness as well as comprehension of the proposed changes across the enterprise It has purpose ensuring that the changes are properly conducted in order to minimize any types of adverse impact on the services as well as consumers. Remote access policy can be helpful for Telstra that outlines as well as defines the acceptable methods of remotely connecting to the internal networks of the organization (Bennett, 2015). The policy is referred as a requirement for the organizations, which have dispersed the networks with the ability extending into insecure network locations. Email and communication policy is used to outline the process of using the business selected for electronic communication medium. SANS is one of the effective email policies that can be helpful to develop effective security program for Telstra.

On the contrary, information security policies of an enterprise are considered as the high level policies that covers a large number of controls. The basic information security policy is generally issued by the organization in order to ensure that the staffs who use the assets of information technology. Apart from these, the incident response policy is one of the organized approach to the process followed by the organization in order to manage incidents as well as remediate the impact to the operations. In addition, effective business continuity plan will be useful to coordinate the efforts in the organization and will utilize the disaster recovery plan in order to restore hardware, applications as well as data deemed necessary for business continuity (Brookes, 2015). The CISCO as well as teams will manage the incident with the help of incident response policy. The above policies as well as documents are considered as the basic guidelines that are used to develop successful security programs. These resources recommend people selected for creating first security policies of the organization. Hence, it is required to focus on the development and implementation of effective security policy of the organization.

Organizational Security Policy

Moreover, directing proper to achieve the security activities with the help of information, security, policy, procedure as well as standards with the baseline and making classification of data are involved to develop security program objectives. Telstra involves with a research organization, Frost and Sullivan in order to take proper interview of the professionals, who are responsible for developing security regarding information technology processed by the organization in order to obtain the key findings on a particular security range. There are several types of threats required in order to understand the issues. In addition, the tools and processing are important components needed to put in appropriate place to mitigate the issues. The organization follows governance of information security that helps in developing as well as upholding the position and culture of security within Telstra (Brookes, 2015). It can ensure that the functions of security management are properly designed as well as operated effectively. In addition, it assures that objectives of the business and requirements of the stakeholders are properly managed for protecting the key information. The organization has deployed a range of policies that improves information security and controls of the organization.  

In order to develop effective organizational security policy, it is important to cover how the staffs can use and access the resources of information and communication technology, the policies require to be communicated properly to the employees (Butavicius et al., 2016). The policies need to cover a range of activities including the following activities.

Social networking: The particular policy by which a user can access social sites, place of access as well as time of access that is required to control.

Mobile networking: The device connecting to the specific network and circumstances, which are expected to conduct while the mobile devices are used properly. The policies for the specific process occur on the devices during leaving of the organization.

Desktop device policy: The policy can be helpful to connect the network as well as the level of patching needed. It is required to control the policy. In addition, the best possible tools of anti-virus are properly installed and conducted during the use of devices.

Physical security policy: The policy can allow the access to buildings to particular restricted areas and documents, which are restricted to storing as well as sharing the process that could assist (Butavicius et al., 2016). It is important for the procedure to share and store data.

Network security: In order to protect Telstra against the external attack, it is important to include robust network links. However, it is considered that a better security process needs to be used by using private IP network. It is generally sourced from telecommunication provider (Pallegedara & Warren, 2016). The separation of public internet traffic from Private IT network, the carriers can provide distributed denial service attack. Hence, the impact on core IP network will  not be determined that are used by the customers.  

Multiple organizations have limited knowledge regarding the procedure within IT systems and infrastructures of the network. Moreover, lack of monitoring tools can be helpful in defining the organizations are not able in identifying the signs of external security related threats as well as evidence regarding inappropriate insider activity. On the contrary, a survey carried out by Price water house Coopers that stated 23% of the respondents admitted that is not sure about the number of security happens within the enterprise (Butavicius et al., 2016). On the contrary, there are nearly 33% respondents are not able in answering the specific type of security. There are 34% respondents are not capable answering the process of nominating specific source of attacks (Pallegedara & Warren, 2014). In addition, the resulting number can indicate that approximately 96% of data breaches. These are available to the enterprises. In most of the cases, there are loss of evidences and unnoticed. Monitoring in real time and critical systems are important in this perspective. SIEM solutions are generally used for collecting and analyzing from which the specific security evidence regarding security threats is obtained. SIEM is helpful to spot the evidence about insider security threats (Cheng, Zhao & Jin, 2013). On the other hand, there are a large proportion of insider’s projects like the attacks performing technical precursors.

In order to make real time as well as determining events, where the SIEM tools are complimented with the help of extra forensic tools. However, there are complexities in the ICT system, which is needed for constant development. It keeps secured and increasingly complicated tasks (McShane, Gregory & Wilson, 2016). The policies as well as tools are generally worked together for overcoming the challenges raised through the trends like mobility, cloud computing and social networking. However, ensuring effective security infrastructure can assist to deploy, manage and develop the number of organizations turning. It is significant for ensuring that the act is vital as well as the patterns provide in-depth approach to security defense. The patterns require effective network as well as technology for the enterprise.

Information policies provide effective protection for Telstra from potential threats as well as vulnerabilities through development of security program. Top-down approach as well as bottom-up approach of the enterprise can ensure safety of the enterprise.

The specific approach of initiation, providing support and making direction generally comes from top management of an organization. The approach is usually considered as bet suitable approach that ensures that senior management is responsible in order to protect assts of the enterprise driven into the program.

The approach follows that lower end team of Telstra comes up with effective security control without proper support of the management with direction. The security controls are generally categorized as less effective as well as doomed to fail (Lindsay, 2015).  However, security controls are generally categorized into the major categories like administrative controls, technical, physical and logical controls.

It consists of development and publishing the policies, standards as well as procedures with the guidelines of the enterprise (Corones & Davis, 2017). Moreover, screening personnel, conduction of training programs for the purpose of security awareness among the staffs are important where deploying the change control procedures is included under administrative organization control.

Under the approach, deploying and maintaining the access control mechanism, password as well as resource management are important along with authentication, devices of security of the infrastructures.

It consists of controlling access into specific facility as well as various departments (Kurek, Lason &Niemiec, 2015). In addition, locking the specific perimeter of facility and monitoring intrusion as well as environmental controls can be covered under security controls.

In addition, it can be helpful to address threats as well as vulnerabilities of the organization and act as a safeguard of the organization. Strong passwords and access control mechanism within the operating system can be helpful for Telstra. Deploying primary input and output systems passwords as well as security mechanisms and security related awareness training assist to achieve the purpose.

The information system policies can be helpful to protect the organization from possible threats through development of security program. It assists in developing security policies within the business of Telstra. On the other hand, it is significant that the framework is not appropriate for the process. Security posture having proper security controls in business can be helpful in business. The embedded security in business can be helpful ensuring the procedure of integrated approach in business. On the other hand, the process results expanding branches in Australia as well as Asia (Corones & Davis, 2017). It tends focusing on the conduction of security audits as well as less on the process of conducting cyber drills program within the organization. The value of conducting cyber drills programs within the organization. The value of conducting drills for security occurrences are not underestimated as the process of highlighting deficiencies within the specific occurrence response in the system. Moreover, the demands of business are generally continuing in delivering the key products quickly as well as efficiently possible.

Email continues as the primary channel of a business organization. Thus, phishing email is a challenge for security agents. Malicious websites as well as URLs are utilized mostly and delivering method of the phishing emails (Jamasb & Nepal, 2015). It has aimed tricking the process into clicking on malicious links and attachments as well as downloaded. It can execute the ends of the particular network.  On the other hand, the specific malware can be helpful to develop backdoor to command and controlling the server. In addition, spear phishing emails have target on a specific person within the enterprise. The target of emails is senior personnel of the enterprise called as whaling. Information security policies as well as steps are taken with the help of management of Telstra, assists in minimizing the risks (Holm & Mackenzie, 2014). On the contrary, inbound email is challenging for the enterprise. Firstwave Cloud Technolgy has the ability to deliver internet protection. Email ad well as web content security for specific departments of government, enterprises and business security are consisted of the service in Australia. First wave technology scanned more than 500 billion outbound and inbound emails in the customers’ mail services in Australia.

The content security of email offers multi-layered approach for protecting the enterprise against fraud as well as malware. There are 47 million inbound threat across thee emails that can represent various threats consisting profanities as well as PCI security standards breaches, offensive materials, malware and spam. In addition, infected zip files and a common method used for evaluating the identification process are detected by Firstwave Cloud technology.

However, business email compromises the process that can be defined with the help of FBI and considered as sophisticated scam (Corones & Davis, 2017). It has target business working with the foreign suppliers as well as business that can perform the process of transferring the business process. The scam can be carried out with the help of compromising legitimate accounts of business emails by social engineering and techniques of intrusion in order to conduct unauthorized transfer of frauds. The procedures can assist in pursuing business continuity in the organization.  

Effective security compliance associated with ethical and legal frameworks in the organization deals with personal records as well as financial transactions that are able to place suitable security process and tools to maintain integrity of information. On the other hand, the organizations engaged in completing the business with larger organizations and departments of the government (Corones & Davis, 2017). On the other hand, it is helpful to adhere particular range of recognized compliance standard, which are necessary for the enterprises. In this perspective, the instances of the compliance standards can be described as followed.

ISO 27001: The international security standard is used to manage security that is useful for management of security in the organization. Moreover, compliance is required along with business partners.

PCI DSS: It is significant for Telstra accepting credit card payments. Hence, failure of complying the results as well as complete the exposure to make financial losses is resulting a security breach.

ASCI 33: The security standard is considered as prerequisite at the time of working on confidential projects of the government.

Basel II: It deals with the banking services in the counties that are signatories to specific arrangement, where compliance is necessary (Cheng, Zhao & Jin, 2013).

FISMA: Compliance is important for the agencies owned by US Federal Government. In this situation, the Federal Information Security Management Act of 2002 can be useful.  

Sarbanes-Oxley: Compliance is essential for Telstra if it is in the list as well as operating over the process.

Long-term performance for improving interest of stakeholders is significant for Telstra in order to demonstrate excellence and corporate governance. The policy framework and code of conduct is underpinned within the values of the enterprise. Hence, it is required to develop a committee and provide a structure compliance with legal obligations where maintenance is essential (Lindsay, 2015). The organization requires the staffs observing the high standards of business and personal ethics. The framework for ethical behavior involves with the values that outline the standard. Effective action regarding the matters would assist for producing successful compilation.

In order to overcome the security threats as well as vulnerabilities of using and applying the date, it is required to take effective security measures. In this perspective, the recommendations can be given as followed.

• The outbound threats may occur in disturbing communication of the emails, which are intentionally and unintentionally consist of confidential as well as threatening content of the organization.
• It is significant understanding as well as adhering financial tasks. On the contrary, offensive contents are generally received and distributed though staffs of Telstra that helps to take effective decisions about measures so that cyber bullying for the emails identified.
• Serious email threats generally take place in the organization. Thus, failure of encountering compliance obligations lead to finical losses and penalties.
• It is essential to take action that protects the organization from malware and ransomware attack.
• The exploit kits as well as tools of malware are sold in the markets of cyber criminals. Thus, it is required to organize and develop team including experienced security personnel.
• Malware distributions are increasing and utilizing the user-friendly exploit kits with the help of tools in order to distribute unknown malware. Hence, appropriate and effective security measures can be helpful identifying security threats and protection of the organization.

Conclusion

Information and security policies have a large impact on development of business of an organization. The rapid adoption of cloud services can deliver agility and and competitive benefits.  On the contrary, it leads to security threats, which can affect business of the organization. Hence, it is significant developing awareness among the staffs of the organization and provides effective training in order to mitigate the security threats. It helps the enterprise mitigating security threats as well as ensuring continuity of business of the enterprise.

References

Bennett, S. (2015). Why information governance needs top-down leadership. Governance Directions, 67(4), 207.

Brookes, C. (2015). Cyber security: Time for an integrated whole-of-nation approach in australia. Indo-Pacific Strategic Papers.12(15).p.154

Butavicius, M., Parsons, K., Pattinson, M., &McCormac, A. (2016).Breaching the human firewall: Social engineering in phishing and spear-phishing emails. arXiv preprint arXiv:1606.00887.

Cheng, J. H., Zhao, R., & Jin, C. (2013).Enlightenment from Australian Network Security Plan to Chinese Information Security.In Advanced Materials Research,Vol. 756, pp. 2542-2546).

Corones, S., & Davis, J. (2017). Protecting Consumer Privacy and Data Security: Regulatory Challenges and Potential Future Directions. Fed. L. Rev., 45(10), p.165.

Holm, E., & Mackenzie, G. (2014). The significance of mandatory data breach warnings to identity crime. International Journal of Cyber-Security and Digital Forensics (IJCSDF), 3(3), 141–152.

Jamasb, T., & Nepal, R. (2015). Issues and options in the economic regulation of European network security. Competition and Regulation in Network Industries, 16(1), 2–22.

Kurek, T., Lason, A., &Niemiec, M. (2015).First step towards preserving the privacy of cloud?based IDS security policies. Security and Communication Networks, 8(18), 3481–3491.

Lindsay, J. (2015). Legacy PSTN applications cause confusion: Disclaimers are no substitute for actual service. Australian Journal of Telecommunications and the Digital Economy, 3(4), 70–76.

McShane, I., Gregory, M. A., & Wilson, C. (2016).Practicing Safe Public Wi-Fi: Assessing and Managing Data-Security Risks.13 (8), 71–76.

Pallegedara, D., & Warren, M. (2016, January).Unauthorised Disclosure of Organisational Information through Social Media: A Policy Perspective. In IDIMC 2016: Exploring our digital shadow: from data to intelligence (pp. 86–93). LISU.

Pallegedara, D., & Warren, M. (2014).Evaluating Australian social media policies in relation to the issue of information disclosure.ACIS.31(14), 67–76.