Upload: adam-richards

Post on 13-Apr-2017


Page 1: Safeguardsintheworkplace

Running head: INFORMATION SECURITY: BEST SAFEGUARDS IN THE WORKPLACE 1

Information Security: Best Safeguards in the Workplace

Adam Richards


Abstract

Information security refers to the means by which one detects and prevents unauthorized users from accessing a network, a computer, and personal information. The field is vast, and many casual users never think about it, which is one of the worst things an individual can do today, given how central technology is to daily life (Eric & Goetz, 2009). An individual must attend to every level of information security, because a breach could lead to financial ruin, stolen trade secrets, and even personal embarrassment.

Intruders come from many places, and may even be someone who works in the same workplace. The complexity of today's software leads to vulnerabilities and exposure, so every user must stay on top of security: apply the latest operating system and software patches, and maintain firewalls and up-to-date virus scanning software. This paper discusses the various types of attacks on computers and the numerous security threats to the network. It also covers the preventive measures used to minimize exposure to attack, focusing on the best safeguards in the workplace and, more specifically, on the technology best able to block security threats (Stanton & Stam, 2013).


Introduction

There are numerous threats to the security of information in the workplace, yet no single, definite means of preventing every incident that may befall it. Attacks on confidential information in the workplace can be minimized by developing proactive security practices that cover most of the known threats. Workplaces hold customer information at different levels of sensitivity and various financial records on their computers (Ortmeier, 2012). The best way for an organization to prevent the loss or corruption of its information is to develop a well-rounded security practice: proactive solutions that include security hardware and software as well as policies for physical safety.

Hardware security solutions begin with protecting the computers' firewall. Other physical protections include restricting access to the network closet and requiring smart card access to sensitive information held on the computer. All unused cabling and ports on the computer are to be closed and secured accordingly (Stallings & Brown, 2011). Access to computers holding sensitive information will be limited, and only individuals with the proper clearance will be allowed to reach sensitive information such as customers' financial data.


Common Threats to Information Security

Organizations experience different threats to their information security. They face threats across the board: external attacks on their websites, internal attacks, and corruption or misuse of data. Computer viruses are an issue for companies worldwide, because they either use information systems within the organization or transact business with firms that do (Jain et al., 2010). Virus threats arrive through email, removable storage devices, websites, or any other entry point on the computers that workers use in the workplace.

Another threat is the distributed denial of service attack on computers that hold confidential information. These are Internet-based attacks that flood the system with packets to bog it down, so that services no longer operate normally and the system's functionality is brought down. Another attack is backdoor entry into the system (Vacca, 2012). This type of attack obtains information from the system through an unintended means of access; it may be a program installed on the system to create a loophole for reaching credential information.

All these threats carry different risks depending on the effect they could have on the information. For example, a computer virus may affect the whole network, since it can spread from one computer to another. A denial of service attack would affect individuals accessing the websites from external sources but not internal users. A backdoor attack could alter very sensitive information, depending on where it is granted access (Kaufman et al., 2012). Credential information therefore has to be safeguarded from these attacks, and there are various ways in which an organization can protect itself from the threats that may arise.

Against computer viruses, the firm needs anti-virus software and constant updates for it. Although there are tools an organization can use to prevent denial of service attacks, it is best protected by combining preventive measures with monitoring measures (Teer et al., 2014), which let it take immediate action when a possible attack occurs. The best way to prevent backdoor attacks is continuous penetration testing and other tests on a recurring basis.
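The monitoring measure the paragraph calls for can be as simple as counting requests per source over a sliding time window. The following is an added example, not code from the paper or from any of its sources; it builds its own constructed request log (the addresses, timestamps and paths are made up) and flags any source whose request rate in a 10-second window exceeds a threshold, which is the kind of signal that lets an administrator react to a flood while it is happening.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed request log: one well-behaved client at 1 request/s for 20 s,
    and one source sending 8 requests/s for 6 s. Not real traffic."""
    start = datetime(2017, 4, 13, 10, 0, 0)
    lines = []
    for s in range(20):
        stamp = (start + timedelta(seconds=s)).isoformat()
        lines.append(f"{stamp} 198.51.100.7 GET /index.html")
    for s in range(6):
        stamp = (start + timedelta(seconds=s)).isoformat()
        for _ in range(8):
            lines.append(f"{stamp} 203.0.113.9 GET /index.html")
    lines.sort()  # the detector below assumes chronological order
    return lines


def parse_line(line):
    """Split '<iso timestamp> <source ip> <method> <path>' into its fields."""
    ts, src, method, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, method, path


def detect_floods(lines, window_seconds=10, threshold=30):
    """Return {source: peak requests in one window} for every source whose
    request count inside a sliding window of window_seconds exceeds threshold."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    offenders = {}
    for line in lines:
        ts, src, _, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) > threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


if __name__ == "__main__":
    for src, peak in detect_floods(build_sample_log()).items():
        print(f"possible flood from {src}: {peak} requests within 10 s")
```

The window length and threshold are tuning knobs; a real deployment would set them from the server's normal traffic profile, and the alert would feed whatever response the organization has prepared (rate limiting at the router, blocking at the firewall) rather than act on its own.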

Reasons for Safeguarding the Credential Information

Organizations have different reasons to protect their confidential information, which may include legal, ethical, and regulatory requirements, depending on the nature of the firm. An organization that does not store its information according to regulatory requirements faces consequences such as fines against its licenses, and such fines cut off a large portion of the firm's profit. The company also has ethical reasons to protect its information (Eric & Goetz, 2009): security practices protect all information, not just the information that falls under regulation. The best security practice a company can adopt is to compile the regulatory, ethical, and legal controls, take the most restrictive control for each area, and apply it to the entire system.


Security Goals

The first security practice is setting security goals, which means listing the issues the security controls are meant to address. The first goal is confidentiality, which involves determining which employees need access to which information. It limits access to information through different layers of security (Stallings & Brown, 2011). The initial layer is simply protecting the hardware through which information is accessed; further layers add password protection and restrictions on users. Another goal of the security practice is integrity, which involves granting each user a password for access to the information he or she requires.

The computer will not allow external users to access the information. Another objective is availability, which involves giving every employee both formal and written guidelines (Stanton & Stam, 2013). The computers will be connected so that information is accessible from all locations without remote access. The information will also be linked to cloud-based storage that backs it up for easy recovery. All sensitive and significant information is to be located offsite yet fully accessible.

Physical Security

Another practice is to establish policies for physical security. Physical entry controls will be set up in most offices to provide high security for the least capital outlay. Management needs to lock the building's external access points so that only permitted employees can enter, which can be achieved by issuing key fobs and smart cards to each employee. Another measure is checking the security of offices, facilities, and even individual rooms. All internal facilities and rooms must be controlled individually according to the information gathered in the initial consultation with the organization (Ortmeier, 2012). Access to individual offices will depend on the associated security risk; the control may be as simple as mechanical locks on doors, or as strict as smart cards and fobs for access to sensitive areas.

In addition, one may need to employ security guards in areas that require an additional level of protection. Another measure is protecting loading areas and isolated delivery points, which involves monitoring all the external grounds of the company with surveillance equipment. This may range from simple security patrols to CCTV systems with thermal and audio monitoring. How extensively the surveillance system is used depends on the sensitivity of the information at the location. Isolated areas will receive a high level of monitoring using night vision cameras, and the number of security personnel taking patrols can be increased (Stanton & Stam, 2013). Brightly lit zones around the perimeter of the facilities can also deter physical breaches of the company's security.

Information Systems Security

One begins protecting the workplace by ensuring that all information systems are secure. The company has to review all its locations to determine potential threats. Management then sets policies that reflect adequate protection of assets and workers according to the levels of threat found. The kinds of protection offered to employees include the usual fire and medical protection (Stallings & Brown, 2011). The policy may be escalated to provide protection in the form of guard dogs and armed guards, depending on the perceived level of threat.


Another way of protecting information systems is closing all unused cabling and network ports. Any cable that is disconnected from a workstation should be closed off at the hub to prevent individuals from gaining access to information on the computers (Stallings & Brown, 2011). To strengthen computer security, security administrators need to disable protocols such as SNMP and FTP using the Web Image Monitor and SmartDeviceMonitor. This helps prevent the theft of user names and passwords, and it reduces the risk of outside threats entering the computer network through an unused printer or MFP port.

Another security measure concerns the server equipment. To address the primary concern of information systems, one must understand and identify the types of information assets to be protected. These may include personal information and business information such as customer databases or any other sensitive data; others may involve national security information and the company's ability to operate and use its network. There is also a need to protect the physical infrastructure that supports the information systems (Stanton & Stam, 2013). Controlling access to computers and workstations is vital: the administrator will restrict access to the main servers and the network hub to the absolute minimum number of authorized workers. If computers and their components are secured electronically yet remain vulnerable to physical destruction, they may need more protection.

The equipment also needs to be maintained, since it is an integral part of the security and operations of every company. Administrators will reduce overall operating costs by designing a standardized maintenance program that performs routine maintenance on the system (Stanton & Stam, 2013). Laptops and other roaming equipment will also need to be secured; only individuals with the highest clearance and access rights should connect a laptop to the company's server.

Access Control Practice

Another practice is controlling access to the information stored on the organization's computers. Here, credentials are authenticated to establish which users are authorized within the system (Kaufman et al., 2012). Authentication credentials help determine access control for sensitive information on the company's computers. Security administrators should set up credentials transparently for users, and can configure user policy so that only specified users can create, import, or manage credentials.

Credentials also help monitor and protect information and computers. Incidents of identity theft or other issues can be detected before much damage is done by observing who is accessing the information and why he or she needs it (Jain et al., 2010). Passwords are a defensive way of protecting the computers that store information. However, most people are not fond of using sufficiently stable and secure passwords, which leads to attacks on the information system by intruders.

Three rules should be used to safeguard the company's passwords. A password should be at least fourteen characters long, and it should use a variety of characters. Passwords should also draw on the entire keyboard, not just the letters and characters seen in most cases (Stanton & Stam, 2013). Following these simple rules strengthens a password exponentially compared with one based on a birthdate or anything else that is easy to remember.
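The three rules above can be enforced mechanically when a password is set. The following checker is an added example, not code from the paper or its sources: it tests the paper's three rules (length of at least fourteen, a variety of character classes, use of the whole keyboard rather than letters alone) and adds a rough search-space estimate that shows why length and breadth of character set together make guessing exponentially harder. The threshold of three character classes and the sample passwords are this example's own assumptions.

```python
import math
import string

MIN_LENGTH = 14  # the paper's "at least fourteen characters"

# The regions of the keyboard a password can draw on.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    if len(used) < 3:  # assumed reading of "a variety of characters"
        failures.append("uses fewer than three character classes")
    if not used & {"digits", "symbols"}:
        failures.append("uses letters only, not the whole keyboard")
    return failures


def estimated_bits(password):
    """Rough search-space size in bits: length * log2(size of the classes used).
    Doubling nothing but the class count adds a few bits per character; adding
    characters multiplies the search space, which is the exponential effect."""
    pool = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample passwords, chosen to trip or satisfy each rule.
    for candidate in ["Summer2016", "birthday19870412", "Tr0ub4dor&3-Workplace!"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {estimated_bits(candidate):.0f} bits, {', '.join(verdict)}")
```

The estimate is deliberately crude (it assumes every character is drawn uniformly from the classes used, which no human-chosen password satisfies), so it is useful for comparing two policies, not for certifying one password.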

Another method of authentication is multifactor authentication. It takes the password as a single factor and adds a secondary physical token before access to the computer and the information on it is granted (Kaufman et al., 2012). This method is crucial because someone who acquires the password still needs the physical item to access the information. It raises security by creating several layers between an intruder and the information on the computers.

Biometrics can also be used as a method of authenticating access to information on the computers; however, biometrics is reserved for advanced levels of security and very sensitive information. The method allows single sign-on, an access control property for multiple independent but related information systems (Jain et al., 2010). Where an individual does not need to authenticate separately to each system, he or she uses the SSO permission to access all the computers and systems; it allows information to be obtained without re-entering passwords. Single sign-on reduces human error, which is an important component of system failures. It is therefore highly desirable yet very difficult to implement.

Access control does not come on its own; strategies must be set for achieving it. The first strategy is discretionary access control, under which every user controls access to his or her own information. It is the typical default access control mechanism in most desktop operating systems, and each object has an access control list associated with it (Vacca, 2012). The list names the users, or groups of users, and the authorizations each one has. It is used on front-office computers meant for a few individuals who enter data into the system. It provides a more flexible environment, but it increases the risk of information becoming available to unauthorized users.

Another strategy is mandatory access control. It takes a hierarchical approach to controlling access to resources, with the system administrator controlling access to the information. Mandatory access control issues security labels that are assigned to all information on the computers, and the users of that information are likewise classified into different categories. Users are evaluated as they try to access information by cross-referencing their clearance levels (Stallings & Brown, 2011). It is the most secure access control environment; however, it requires considerable planning before it can be implemented effectively, and once implemented it imposes high overhead on computer management, since it needs constant updates to account labels.

Role-based access control is another method of controlling access to confidential information in the workplace. It structures access control the way the real world does: access to information is based on the users' job functions within the organization that owns the computer system. It assigns permissions to each of the established roles (Teer et al., 2014). For instance, an accountant in the company is simply assigned to the controller role, through which he or she gains access to the information relevant to all accountants. This mechanism lends itself to implementing a separation of duties policy, which is achieved through static and dynamic regulation of users' actions by establishing and defining roles, role hierarchies, relationships, and constraints.
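The three strategies just described (discretionary, mandatory and role-based control) differ in who decides and what the decision is based on. The following is an added example, not code from the paper or its sources, that implements a minimal decision function for each: an owner-edited ACL for discretionary control, a label-versus-clearance comparison for mandatory control, and role-to-permission mapping with a static separation-of-duties constraint for role-based control. The label hierarchy, roles, permissions and user names are constructed for the example.

```python
# Constructed label hierarchy for the mandatory model (lowest to highest).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class DacResource:
    """Discretionary access control: the resource's owner edits its ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}

    def grant(self, by, user, perm):
        if by != self.owner:
            raise PermissionError(f"{by} does not own this resource")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())


def mac_allows_read(user_clearance, data_label):
    """Mandatory access control: the label is fixed on the data by the
    administrator; a reader needs clearance at or above it (no 'read up')."""
    return LEVELS[user_clearance] >= LEVELS[data_label]


class Rbac:
    """Role-based access control with a static separation-of-duties constraint."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}
        self.exclusive = []  # role pairs that no single user may hold together

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_exclusion(self, role_a, role_b):
        self.exclusive.append({role_a, role_b})

    def assign(self, user, role):
        held = self.user_roles.setdefault(user, set())
        for pair in self.exclusive:
            if role in pair and (pair - {role}) & held:
                raise ValueError(f"{user} may not hold both of {sorted(pair)}")
        held.add(role)

    def allows(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


def demo():
    """Exercise the three models on constructed users and return the outcomes."""
    out = {}
    ledger = DacResource("alice")
    ledger.grant("alice", "bob", "read")
    out["dac_bob_read"] = ledger.allows("bob", "read")
    out["dac_bob_write"] = ledger.allows("bob", "write")
    try:
        ledger.grant("bob", "carol", "read")  # bob is not the owner
        out["dac_bob_can_share"] = True
    except PermissionError:
        out["dac_bob_can_share"] = False

    out["mac_conf_reads_internal"] = mac_allows_read("confidential", "internal")
    out["mac_internal_reads_secret"] = mac_allows_read("internal", "secret")

    rbac = Rbac()
    rbac.add_role("accountant", {"read_ledger", "post_entry"})
    rbac.add_role("controller", {"read_ledger", "approve_entry"})
    rbac.add_exclusion("accountant", "controller")  # nobody both posts and approves
    rbac.assign("dave", "accountant")
    out["rbac_dave_post"] = rbac.allows("dave", "post_entry")
    out["rbac_dave_approve"] = rbac.allows("dave", "approve_entry")
    try:
        rbac.assign("dave", "controller")
        out["rbac_sod_enforced"] = False
    except ValueError:
        out["rbac_sod_enforced"] = True
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast the paper draws shows up directly in the code: in the discretionary model the owner can widen access at will (the flexibility and the risk), in the mandatory model nobody but the label hierarchy decides, and in the role-based model the exclusion list is where the separation-of-duties policy lives.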

Remote Access

Another security practice for safeguarding credential information in the workplace is controlling remote access. To provide secure remote access to information, one should carefully evaluate employees' need to connect remotely (Kaufman et al., 2012). After confirming that an employee requires access, it is granted on a per-user basis. When restrictions are not put in place, users connected to the Internet through remote access are in a position to do anything an onsite computer can. The most significant security consideration is the way in which remote clients authenticate.

Computer-level authentication is available when Internet Protocol Security is used for the VPN connection; it takes place through an exchange of computer certificates or pre-shared keys while the IPsec association is established. Dial-in users will be authenticated using the Remote Authentication Dial-In User Service, also known as RADIUS. When a user logs in through RADIUS, the router sends an authentication request to the RADIUS server (Jain et al., 2010). The communication between the RADIUS server and the client is authenticated and encrypted using a shared secret that is never transmitted over the network, and the server then grants the user access.
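The sentence about the shared secret is worth seeing in operation. The following is an added example, not code from the paper or its sources, that follows the RADIUS wire format of RFC 2865 for the two messages the paragraph describes: the router's Access-Request, in which the User-Password attribute is hidden with MD5 of the shared secret and the Request Authenticator, and the server's Access-Accept or Access-Reject, whose Response Authenticator is an MD5 over the reply and the secret. The client checks that authenticator, so a reply from anyone who does not hold the secret is rejected. The secret, user database and identifiers are constructed for the example; only these two attributes are implemented.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a holder of the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def client_access_request(username, password, secret, ident=7, request_auth=None):
    """What the router (the RADIUS client) sends after the user dials in."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, user_db):
    """Recover the password with the server's copy of the secret, decide, and sign the reply."""
    _code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(user_db.get(attrs[ATTR_USER_NAME], b""), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, auth, b"")


def client_verify(request, response, secret):
    """Accept the reply only if its authenticator was computed with the same secret."""
    code, ident, length = HEADER.unpack(response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return ident == request[1] and hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # configured on both ends, never sent
    USERS = {b"adam": b"Tr0ub4dor&3-Workplace!"}   # constructed user database
    req = client_access_request(b"adam", b"Tr0ub4dor&3-Workplace!", SECRET)
    resp = server_handle(req, SECRET, USERS)
    print("accepted" if resp[0] == ACCESS_ACCEPT else "rejected",
          "and reply verified" if client_verify(req, resp, SECRET) else "but reply NOT verified")
```

Two points a practitioner should take from this: the password is obfuscated with MD5, not encrypted with a modern cipher, so the shared secret and the channel still need protecting (which is why the paper places this inside an IPsec VPN), and the Response Authenticator is what stops a forged Access-Accept from a host that does not know the secret.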

Network Security Practices

Administrators need to implement policies relating to network security. The organization's system is a combination of LANs serving various purposes, such as inventory in every store and location, and it enables wireless scanning of information for the purpose of controlling information and shrinkage of credential information (Vacca, 2012). The network is imperative for the organization because it allows information to be shared, which calls for network security services. The first service is authentication for access to the system, in the form of password-based encryption that takes into account each user's level of access.

Credential information will be made available only to users cleared to access it, as determined by the network administrator. Authentication will be applied whenever information is obtained, to ensure that the user has a reason to access it (Kaufman et al., 2012). Network access control will be another service. It is a fundamental principle of high-standard network security, since it ensures that access to the computer system is authorized on the basis of the need to use it.

IT Department

Management should create an IT department and split it into two units to handle the organization's information technology functions. The first unit needs to control how hardware and software are installed. It will also handle software updates and grant users access to the information they require. It should also deliver the day-to-day training the company needs (Stallings & Brown, 2011), including creating awareness among employees of how to handle security incidents. The second unit should handle the security side of things, such as cyber-attacks and natural disasters. It is also expected to plan for power outages and carry out any risk assessment or other work that concerns the security of the company's information. This division leads to an efficient way of handling security issues in the workplace.

Information Security Governance

Governance refers to the way in which an organization's board and executive management assign responsibilities and practices to employees in order to provide strategic direction. It ensures that workers achieve the set objectives. Management also ascertains that risks are managed appropriately and verifies that the enterprise's resources are used responsibly (Teer et al., 2014). The leadership of the security management group has to monitor and manage the organization's structure and the processes that safeguard credential information. Information security governance applies the principles of corporate governance: the executive management's responsibility is to provide strategic direction and ensure that the company's security objectives are accomplished.

Executive managers also oversee that the risks associated with attacks on credential information are managed appropriately, and they validate that resources are used responsibly for information security functions. For effectiveness and sustainability, information security objectives should be addressed at the highest levels of the organization's management team.

The Test Plan for Disaster Recovery

Setting a test plan for disaster recovery is another significant security practice in the workplace. Security administrators should draw up a definite plan for handling the recovery from a disaster caused by an attack on the information. The first test program is the walk-through, designed to give the whole firm the opportunity to meet and discuss the disaster recovery plan (Teer et al., 2014). It also sets out the individual steps to be taken if there is an intrusion. Its purpose is to collect feedback from every department regarding issues with the disaster recovery plan and to determine the most effective approach for the overall project in the company.

Another method is simulation, in which a mock disaster is staged and each department's response is tested. It is an effective means of gauging the effectiveness of the disaster recovery plan and how well it works across the organization, and it helps employees understand the functions and fundamentals of the plan (Vacca, 2012). The test program should also include checklists that outline the disaster recovery plan and ensure that supplies are sufficient; the checklist reveals any small issues that might cause bottlenecks or shortfalls in the plan. Another method is parallel testing, performed in conjunction with the checklist test and the simulation test, which involves comparing information from different sources.

Firewall System

Another security practice is incorporating a firewall system into the workplace computers. There are various types of firewall system that can be incorporated into a computer system. The first is the packet-filtering router firewall, which sorts packets by their contents and their TCP/IP addresses; these are useful as a first line of defense (Ortmeier, 2012). Another is the screened host firewall system, which controls access to and from information on a single host through a router that operates at the network layer.

The single host is a bastion host, which is highly defended and is the high point that can resist attack. This type of firewall system is usually adequate and could be a viable choice for most companies with minimal chance of a breach. Another type is the screened subnet firewall system (Teer et al., 2014). It is a variation of the dual-homed gateway and the screened host firewall, and it isolates the separate components of the firewall onto different computers, which allows for greater throughput and flexibility. It is therefore the most complex type of firewall, although it does not increase the complexity of the system's security.
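The packet-filtering router described as the first line of defense makes its decision from the addresses, protocol and port of each packet against an ordered rule list. The following is an added example, not code from the paper or its sources, of such a first-match filter with an implicit default deny; the ruleset (a public web server at 192.0.2.10, an ingress rule that drops packets claiming an internal source address, and a catch-all deny) and the sample packets are constructed for the example, and the SNMP packet is there because the paper earlier recommends disabling that protocol where it is not needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR prefix the source address must fall in
    dst: str               # CIDR prefix the destination address must fall in
    dport: Optional[int]   # None matches any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt):
    """First matching rule wins; a packet that matches nothing is dropped (default deny).
    Returns the action and the index of the rule that decided it (None for the default)."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed ruleset for a border router in front of a web server at 192.0.2.10,
# where 192.0.2.0/24 is the organization's internal network.
WEB_SERVER_RULES = [
    Rule("deny", "any", "192.0.2.0/24", "0.0.0.0/0", None),    # internal addresses never arrive from outside
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),   # HTTPS to the web server
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),    # HTTP to the web server
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),       # explicit catch-all
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "192.0.2.10", 443),   # normal visitor
    Packet("tcp", "198.51.100.7", "192.0.2.10", 22),    # management port from outside
    Packet("udp", "198.51.100.7", "192.0.2.10", 161),   # SNMP from outside
    Packet("tcp", "192.0.2.55", "192.0.2.10", 443),     # internal address on the outside interface
]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, index = evaluate(WEB_SERVER_RULES, pkt)
        by = f"rule {index}" if index is not None else "default"
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {action} ({by})")
```

Rule order is the whole policy in a first-match filter: moving the catch-all deny above the allow rules would silently block the web server, which is why the function reports which rule decided each packet.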

Conclusion

Security practice is a very significant function in the workplace. There are always customer records, worker information, and much more confidential information to protect. This paper has discussed best practices for security measures and security monitoring in the workplace to safeguard confidential information. An organization that follows these practices will have an organizational structure better designed for managing security threats (Eric & Goetz, 2009). The business will not incur much loss from data corruption, and the IT department will spend less on looking after the information, since the information system will be constantly monitored and there will be laid-down procedures for curbing threats. Additionally, the firm's secrets will be secure, since the information will be under surveillance and monitoring, keeping it safe.


References

Eric, M., & Goetz, E. (2009). Embedding information security into the organization.

Jain, A. K., Ross, A., & Pankanti, S. (2010). Biometrics: A tool for information security. IEEE Transactions on Information Forensics and Security, 1(2), 125-143.

Kaufman, C., Perlman, R., & Speciner, M. (2012). Network security: Private communication in a public world. Prentice Hall Press.

Ortmeier, P. J. (2012). Introduction to security: Operations and management. Pearson Higher Ed.

Stallings, W., & Brown, L. (2011). Computer security: Principles and practice.

Stanton, J. M., & Stam, K. R. (2013). The visible employee: Using workplace monitoring and surveillance to protect information assets--without compromising employee privacy or trust. Information Today, Inc.

Teer, F. P., Kruck, S. E., & Kruck, G. P. (2014). Empirical study of students' computer security practices/perceptions. Journal of Computer Information Systems, 47(3).

Vacca, J. R. (2012). Computer and information security handbook. Newnes.