Security Standards, Policies, and Procedures Manual

Posted: August 26th, 2021

WK 3 – Security Standards, Policies, and Procedures Manual

Importance of Implementing Security Policies in Amazon

Information security in an organization is the aggregate of the processes, people, and technology implemented to protect information assets. Security policies prevent unauthorized access, disclosure, use, disruption, or modification of a company’s information assets. Amazon should therefore implement security policies and procedures, as these plans are fundamental to protecting information assets by defining what is required of employees from a security perspective. The policies will also reflect management’s risk appetite and its views on information security (Peltier, 2016). Security standards further provide direction on which control frameworks can be developed against internal and external threats to the company. Once the company’s policies are implemented, employees can be held accountable for complying with the expected information security behaviors. Amazon will also benefit because information security policies provide a mechanism that supports the company’s legal and ethical responsibilities in information security; thus, in the case of a security breach, the company can take legal action against internal or external perpetrators.

How Security Policies Will Improve the Overall Security of Amazon

Security policies will improve Amazon’s overall security system by codifying several security controls, such as the use of multi-factor authentication and passwords, access controls, and data classification. The system will include data encryption, patching, backups, server security, and employee onboarding and off-boarding, improving the company’s general security (Peltier, 2016). Finally, policies on remote access, acceptable use, and change management will improve the company’s physical security and protect against malicious code.

Data Privacy Policies and Procedures

Data protection policies and procedures give a company’s customers, employees, partners, and other stakeholders sufficient assurance that their information is secure (Safa et al., 2016). The GAPP comprises ten privacy principles: management; notice; choice and consent; collection; use, retention, and disposal; access; disclosure to third parties; security for privacy; quality; and monitoring and enforcement.

Data Isolation Policies and Procedures

Data isolation policies determine when and how data changes made by one operation become visible to other concurrent users and systems (Safa et al., 2016). The policies include air gapping and the use of cloud providers.

NDA Policies and Procedures

These policies are also referred to as confidentiality agreements. They outline the confidential materials, knowledge, or information that the parties want to share with each other for specific purposes, as well as the information to which they wish to limit access (Peltier, 2016). The agreements can be unilateral, bilateral, or multilateral.

IP Policies and Procedures

These procedures provide a framework for identifying, managing, and supporting the intellectual property (IP) assets and rights belonging to the company or to third parties (Safa et al., 2016). The policies cover copyrights, innovations and inventions, creative works, and moral rights.

Passwords Policies and Procedures

A company should have a sound password policy that complies with ISO and NIST guidance. This involves ensuring that secure practices are adopted and maintained by every employee for the information infrastructure protected by passwords (Peltier, 2016). Amazon’s password policies include a lockout policy that disables passwords after 90 days of use, a rule that employees never share passwords, a requirement that passwords are not visible on screen, and the disabling of an administrator’s password when the administrator leaves the company. Employees are also required to create strong passwords that are changed regularly and are not rooted in automated applications.

Policies and Procedures for Acceptable Use of Organizational Assets and Data 

These policies are crucial for Amazon because they ensure uniform and appropriate use of the company’s network, information assets, computers, and electronic resources by end-users (Safa et al., 2016). Amazon’s AUP states that electronic resources must not be used to violate the law and that end-users must not mail bomb, send junk e-mail, or break into any computer.

Employee Policies and Procedures on Training and Duty Segregation

New employees at Amazon are formally trained in the company’s security policies and procedures through security awareness, training, and education (Safa et al., 2016). For segregation of duties, the company uses split knowledge and dual control measures in information security.

Risk Response Policies and Procedures

Risk response is the control of identified risks in business operations, adopted through planning and decision making. The company can respond to a threat by avoiding, mitigating, transferring, or accepting the risk. Risk avoidance eliminates the hazards and activities that would expose the company’s assets, by entirely evading compromising events. Risk mitigation strategies lower the impact of threats in a data center by reducing the adverse effects of disasters on the company’s business continuity (Evans, 2016). Risk transfer is a control strategy that shifts a real business risk from one entity to another; it is mostly done by purchasing an insurance policy, whereby the risk passes from the insured to the insurer. Risk acceptance, or retention, is a strategy of accepting the entire risk and its impact without taking any action; it is mostly applied to known hazards whose influence on the business has already been identified.

Compliance Policies

These policies ensure the company conforms to the set security-related requirements in order to protect its information assets and technology (Safa et al., 2016). There are different compliance regulations and frameworks, such as FERPA, HIPAA, ISO, SEC, NIST, and Sarbanes-Oxley. The most suitable framework for Amazon would be SOX, as it protects public companies’ financial information and statements. PCI DSS also applies to Amazon, as it takes credit card payments in its retail stores and transmits sensitive cardholder authentication data.

Incident Response Policies

An incident response policy is a plan outlining the company’s reaction to information security incidents. The policy comprises information on the incident response team, the roles of team members, the person responsible for testing and putting the plan into action, and the technological resources for data recovery (Safa et al., 2016). The procedure consists of the following phases:

Preparation Phase

In this phase, IT specialists are trained and prepared to respond to security incidents by identifying the tools and resources to be used in an event (Evans, 2016). It also includes preventive measures, such as conducting periodic risk assessments and improving end-user awareness.

Identification Phase

This phase entails recognizing and detecting security incidents and determining the priority and severity of the perceived incident (Safa et al., 2016). It includes recognizing events associated with common attack vectors, signs of incidents, and detectable precursors. It also involves performing initial analysis, running packet sniffers, filtering data, and preserving evidence.

Containment Phase

This phase offers guidance on isolating affected systems from an attack to prevent damage to other systems (Evans, 2016).

Eradication Phase

This phase involves searching for the causes of the incident and putting in place measures to eliminate them from the affected systems.

Recovery Phase

This phase consists of returning the affected areas to a healthy operating environment.

Lessons Learned Phase

This post-incident phase involves documenting the entire incident, conducting the investigation, identifying the cause of the incident, calculating the associated costs, and developing prevention mechanisms to preclude similar events.

Auditing Policies

These policies govern a company’s internal audit, which adds value by applying a systematic approach to evaluating and improving the effectiveness of corporate governance, control processes, and risk management (Evans, 2016). The audit process involves defining audit objectives, announcing the audit, holding an entrance meeting, performing fieldwork, reviewing results, holding an exit meeting, and issuing the audit report.

Environmental/Physical Policies

These policies protect the company’s systems, infrastructure, and buildings against threats from the physical environment in order to protect information (Peltier, 2016). The security measures include deterrence, denial, and detection.

Administrative Policies

These policies govern the company’s employees by setting out expected behavior, roles, and responsibilities (Evans, 2016). The procedures at Amazon include leave policies, customer service policies, and data protection policies.

Configuration Policies

Configuration policies stipulate the company’s responsibilities and compliance requirements in supporting information technology (Evans, 2016). The strategies include documenting and maintaining the configuration baseline, actively tracking all systems and the changes made to them, and planning the deployment of software, hardware, and firmware.

References

Evans, L. (2016). Protecting information assets using ISO/IEC security standards. Information Management, 50(6), 28.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70–82.
