
Information Security Policies in Industry

Assignment

On
Information Security Policy
Adopted for
MORPHOSIS Media
Advertisement Agency

Submitted by,

Gopi Krishnan S,
1st year M.Tech/CSE/IS
Information Security Policies for Advertisement Agency

MORPHOSIS Media

1 Organization’s Profile

MORPHOSIS Media is a leading advertisement agency in Chennai. It undertakes
most of the government advertisements for public awareness, such as family control,
fuel saving, power saving, etc. It also has large LED displays in railway stations and
bus stands that show its other commercial advertisements.

1.1 Organization

The agency is organized in such a way that management can easily control the
people under them. There are two levels of administration or management, and
multiple hierarchy levels of employees. All of them share a communication channel to
the Industrial Standardization team, and all the employees are able to communicate
through the IT infrastructure. A sample block diagram of the organization is shown in
figure 1.1.

[Block diagram. Blocks shown:
• Top level Administration: Managing Director, Partners, and Vice President
• Middle level Administration: Human Resource Managers, Accountant, and Supervisors
• Top level Employees: Project Managers and Business Development Team
• Cine Unit: Director, Assistant Directors, Story writers, Dialog writers, and Models
• Technology Unit: Banner designers, 3D Animation specialists, and Cartoonist Managers
• IT Infrastructure: Network Engineers, System and Database Administrators
• Industrial Standardization: Quality Management System Engineers, Industrial Safety
  Engineers]

Fig 1.1 – Organization of our advertisement agency.

1.2 Policies to be adopted or defined

As we intend to discuss the information security policy of the organization,
let’s concentrate on that and define the policies. We are most concerned about
information security, because the information we have is a highly valuable asset.
So let’s analyze the threats, prevention measures, detection, and recovery for our
information assets.

2 Threats Analysis

Before defining the policy, let’s analyse the threats the organization faces
from various directions. Our organization has an IT infrastructure that is connected
to the public network, which makes us more vulnerable to data theft. Also, we cannot
trust all the employees in our organization. We need to analyse the threats as a
preliminary step for deploying a policy.

2.1 Primary Threats


• Competitors
• X-Employee
• Script Kid Cracker
• Lack of awareness

2.1.1 Competitors

As we know, the world is highly competitive. A loss of focus for a minute
can cause losses that take several years to make up for. We have several competitors,
such as Square Squared Advertisement, Modern Girls Advertisement, Blue Metal
Advertisement, etc.

Possible forms of attack they may try on our company:

• Spy Employee - An employee who actually works for our competitors in order to
  steal our information from our office.
• Communication Steal - They may try to monitor our communications with our client.
• Information Destruction - They may also try to destroy our data on a public
  server, e.g. by corrupting our mails and online data.

2.1.2 X-Employee

An X-Employee may intend to attack the organization for various reasons, such as
politics, unappreciated work, termination without legal reason, etc. There may be
many other reasons as well.

2.1.3 Script Kid Cracker

Generally these are students who are practicing their hacking skills. They may
use their skill set on our organization’s sensitive data for the purpose of testing
their skills or just for fun.

2.1.4 Lack of awareness

Some people make the following mistakes without any intention of threatening
our organization:
• Destroying sensitive data
• Carrying sensitive data out of the organization without proper physical security
• Accessing unauthorized information
These mistakes may pose a threat without their knowledge. Such people may not have
proper skill in using computers, may not know how to behave in a corporate
environment, etc. They make mistakes unknowingly, which can create a problem for our
organization.

2.2 Other Threats

Apart from these, we cannot guess other threats. Possibly they will attack us
in the future. Discovering new threats requires some experience. After new threats
are discovered, we can improve our security policy.

3 Possible ways for preventing the threats

Now let’s see the prevention measures for the following known threats.

3.1 Preventing the Threats


• Competitors
   a. We have the support of a detective agency to monitor the malicious
      activity of our competitors.
   b. We also use them on people whom we suspect of being spy employees.
   c. We use our SSL/CISCO VPN for communication with our clients to
      prevent communication theft.
   d. We have blocked external mass storage device connectivity.
   e. Our mail server and data server are from the leading online storage
      provider “Network Solution”.
• X-Employee
   a. If an employee is terminated or resigns from our company, we will
      destroy the following properties of the employee:
      i. Business Cards
      ii. Identity/RFID Cards
      iii. Mail accounts
      iv. VPN accounts
      v. Data from the system
   b. If the employee is terminated, we will analyze the measures. We also
      have a team to monitor employee performance continuously.
   c. We have the help of the detective agency to monitor any X-Employee
      whom we suspect.
• Script Kid Cracker
   a. We have a very strongly protected network. We have the following
      components to protect our network:
      i. Firewall
      ii. Intrusion Detection System
      iii. Set of routers, switches
      iv. Untangle server
      v. User end software firewall
      vi. User monitoring database
• Lack of awareness
   a. Whenever a new employee or fresher joins our company, we will
      educate them about our policy.
   b. Our QMS Engineer and IS Engineer educate them and explain all our
      policies.

4 Information Security Policies

4.1 General Information Policies


| Policy | Reason | Action if violated |
|---|---|---|
| Employees below the top level management should not bring any external mass storage device, laptop, or palmtop. | The device may be used for information theft. | A memo is issued to that employee. If it is the 3rd memo, the employee will be terminated. |
| No one should use a mobile with camera, Bluetooth, infrared, or memory card. | The device may be used to record the set while shooting the advertisement. | A warning is given. On the 3rd warning, a memo is given. |
| All the employees should be reported to the management once a week about their character, performance, etc. | To analyse the employee appraisal, weekly incentives, etc. | A memo is given after two days if there is no communication from the unit leader. |
| If anybody needs to take casual leave, notice should be given properly through phone or mail. | To manage the day’s plan of work. | A warning is given. On the 3rd warning, a memo is given. |
| The job resignation notification period is one month. | To manage the tasks. | One month’s salary should be paid to buy out the notification period. |
| Should not open personal emails inside the office with the office computer system. Should not use the official email address for personal purposes. | There is a high chance that company secrets will be disclosed. Time will be wasted. Also, viruses may come through personal mails. | Depends on the severity of the threat. |
| A newly joined employee should produce one valid identity proof. | For contact in case of a problem. | Salary is on hold until the proper proofs are submitted. |
| Should not share the organization’s matters with friends or family. | To avoid the copying of creativity/ideas. | Depends on the severity of the threat. |
| Should read the policies after joining the company and before taking up the first task. | To avoid problems. | No training is given and no task is assigned. Job confirmation is postponed. Also, the employee may be terminated at any time. |

5 Industrial Standardization

5.1 Process of standardization


Thus an organization should define its own policies to be followed. This will
help to standardize the organization. Writing the set of policies and following them
is a process that makes our organization meet certain international standards.

The client will analyze the standards of an organization before assigning
a new job. These policies are also required to run our organization smoothly without
any problem.

Each new problem will help to create a new policy. This process of updating
policies will lead to standardization one day.

5.2 Responsibilities

The Industrial Standardization Team has a high responsibility. The QMS
(Quality Management System) and IS (Industrial Safety) Engineers are mainly
responsible for any problem that occurs in the organization. In all meetings these
Engineers are treated as high-priority persons.

They should analyse each new task and determine whether the existing
policy is enough or whether more policies are required. They should update the
policies for each process whenever required.
