Managers have
responsibilities for security just as employees do in Software Development Companies. Detailing expectations for
managers is crucial to ensure compliance with senior management’s expectations.
Employee Non-disclosure Agreements: All employees must sign a non-disclosure agreement that specifies the types of information they are
prohibited from revealing outside the organization. The agreement must be
signed before the employee is allowed to handle any private information
belonging to the organization. Employees must be made aware of the consequences
of violating the agreement, and signing the agreement must be a condition of
employment, such that the organization may not employ anyone who fails to sign
the agreement.
Non-disclosure Agreements: All business partners wishing to do business with the
organization must sign a non-disclosure agreement that specifies the types of
information they are prohibited from revealing outside the organization. The
agreement must be signed before the business partner is allowed to view, copy,
or handle any private information belonging to the organization.
System Activity Monitoring: All internal information system servers must be constantly
monitored, 24×7×365, by trained security analysts. At least the following
activities must be monitored:
• Unauthorized access attempts
• Root or Administrator account usage
• Non-standard behaviour of services
• Addition of modems and peripherals to systems
• Any other relevant security events
Software Installation Monitoring: All software installed on all servers and end-user systems
must be inventoried periodically. The inventory must contain the following
information:
• The name of each software package installed on each system
• The software version
• The licensing status
Security Document Lifecycle: All security documents, including the corporate security
policy, must be regularly updated and changed as necessary to keep up with
changes in the infrastructure and in the industry.
System Vulnerability Scanning: All servers and end-user systems must be periodically
scanned for known vulnerabilities. The vulnerability scan must identify the
following:
• Services and applications running on the system that could be exploited to compromise security
• File permissions that could grant unauthorized access to files
• Weak passwords that could be easily guessed by people or software
Security Audits: Periodic security audits must be performed to compare existing practices
against the security policy.
Penetration Testing: Penetration testing must be performed on a regular basis to test the
effectiveness of information system security in Software Development Companies.
Security Drills: Regular “fire drills” (simulated security breaches, without advance warning)
must take place to test the effectiveness of security measures.
Extranet Connection Approval: All extranet connections require management approval before
implementation.
Non-Employee Access to Corporate Information: Non-employees (such as spouses) are
not allowed to access the organization’s information resources.
New Employee Access Approval: Manager approval is required for new employee access
requests.
Employee Access Change Approval: Manager approval is required for employee access change
requests.
Contractor Access Approval: Manager approval is required for contractor access
requests.
Employee Responsibilities: The following categories of responsibilities are defined
for corporate employees. These categories consist of groupings of
responsibilities that require differing levels of access to computer systems
and networks. They are used to limit access to computers and networks based on
job requirements, to implement the principles of least privilege and separation
of duties.
• General User
• Operator
• System Administrator
• Customer Support Staff
• Customer Engineer
• Management
Security Personnel Responsibilities: The following categories of responsibilities are defined
for security personnel. These categories consist of groupings of
responsibilities within the security organization that require differing levels
of access to security information and systems based on job function, in order
to implement the principles of least privilege and separation of duties.
• Security Architect
• Facility Security Officer
• Security Manager
• Technical Security Administrator
Employee Responsibility for Security: All corporate employees are
responsible for the security of the computer systems they use and the physical
environment around them.
Sensitive HR Information: Sensitive HR information (such as salaries and employee
records) must be separated and protected from the rest of the corporate
network.
Security Policy Enforcement: Enforcement of this corporate security policy is the
responsibility of the corporate Human Resources department.
HR New Hire Reporting: HR must report required information about new hires to
system administrators one week in advance of the new employee’s start date.
HR Termination Reporting: HR must report required information about terminations to
system administrators one week before the termination date, if possible, and no
later than the day of termination.
Contractor Information Reporting: HR is responsible for managing contractor information and
providing this information to system administrators.
Background Checks: HR must perform background checks on new employee applicants in Software Development Companies.
Reference Checks: HR must perform reference checks on new employee applicants.