Information security is critical to the mission of Foothills College of the Upstate; thus the entire campus is essential to the successful implementation of the Information Security Plan. This comprehensive plan outlines the top-level policies that define Foothills College of the Upstate's objectives for managing and controlling a secure environment.
The purpose of the Information Security Plan is to:
• Assign development and management responsibilities for information security
• Provide for the confidentiality, integrity, and availability of information, regardless of the medium in which the information asset is held (paper, electronic, or oral)
• Develop risk management strategies to identify and mitigate threats and vulnerabilities to information assets
• Establish and maintain an incident response plan
• Maintain ongoing security awareness and training programs
This plan applies to the entire Foothills College of the Upstate, including students and faculty who have access to FCU technologies. Such assets include, but are not limited to, computers and software, whether or not stored on hardware.
Foothills College of the Upstate considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, FCU values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, FCU is committed to providing the resources needed to ensure the confidentiality, integrity, and availability of its information and to reduce the risk of an exposure that would damage the reputation of the college. The Information Security Plan shall be established so that it supports the following core security values:
ASSESSING SECURITY RISKS
Risk assessments should identify, quantify, and prioritize risk against the organization's criteria for risk acceptance and its relevant objectives. The results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect physical security, network security, and other high-risk areas.
The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems. Each FCU department will be responsible for implementing security risk guidelines or procedures.
LAW AND ETHICS
The purpose of information security is to reduce the damage that could occur to the continuity of operations at Foothills College of the Upstate. Compliance with applicable laws and regulations is crucial (Stallings, Brown, Bauer, & Bhattacharjee, 2012), because it underpins the protection of FCU's assets.
Information technology has changed the way institutional processes work. Documented security programs are therefore essential: the processes for collecting data, selecting appropriate storage methods, and applying the appropriate security controls form the basis on which data is classified.
Encryption of highly sensitive data is important and is covered by the applicable regulations. Compliance with executive orders in addressing FCU's information security policy, taking all departments into consideration, is mandatory. Compliance with security policies and the various regulations also forms part of FCU's contractual requirements.
The approach needs to be well coordinated on the basis of these contractual measures. The ISP standards, their specifications, and the associated laws must be adhered to; in the event of noncompliance, a security awareness strategy whose effectiveness is not ensured can have serious consequences for FCU. Operations at Foothills College of the Upstate must be conducted in an ethical manner.
The categories of unethical behavior are ignorance, accident, and intent. While ignorance of the law is not an acceptable excuse, ignorance of policies can still be considered one. The primary method of deterrence is a security education, training, and awareness (SETA) program. Policies need to be well disseminated, with reminders about the training program and the support associated with compliance (Stallings et al., 2012). Accidental unethical behavior is linked to the management of information within the organization: those who manage information have the greatest opportunity to cause harm through any such accident or incident. The placement of controls is therefore essential.
Accidents can take various forms. Transparency about the information entrusted to FCU must be ensured. The resources deployed by FCU must provide confidentiality, integrity, and availability of information. In the third category, intent, unethical intent is a state of mind attributable to a particular individual, and a legal defense is built on the activities of the accused.
Risk analysis is crucial to compliance at FCU. The various risks to which the institution is exposed need to be well managed. Negative outcomes are probable where the regulations pertaining to technology implementation are concerned. Continuous risk assessment is significant too (Stallings et al., 2012). The risk management strategies identified to mitigate threats and vulnerabilities are essential for FCU. One risk that can be clearly identified concerns the privacy of student data and transactions at the college.
Data exposure and attack in the event of a network outage put FCU at higher risk. The availability of intrusion prevention technology is crucial, given the vulnerability created by this exposure. The intrusion detection and prevention system itself can also be compromised at FCU. Firewalls, routers, and switches are part of the network environment at Foothills College of the Upstate (Stallings et al., 2012). The various assets, including computers, data (images and text), and software, whether or not stored on hardware, are exposed to the risk of exposure and attack.
The various risks are controlled by adhering to the Risk Management and Assessment plan. Risk management must follow ISO standards together with enforcement of the security policies. The risk management process involves sub-processes too, which need to be assessed and controlled, with effective monitoring of the controls. Risk control strategies need to be well deployed (Stallings et al., 2012). The five risk control strategies include applying safeguards, which constitutes avoidance; shifting the risk elsewhere, which is transference;
reducing the impact, which is mitigation; and informing FCU of the consequences and accepting the risk without deploying controls. Avoidance attempts to prevent the exploitation of a vulnerability. Transference uses controlled approaches that shift the risk to other assets and processes. Quality security management is crucial.
FCU should respond to security incidents in accordance with its plans and procedures. Understanding attacks and the consequences of non-adherence to policy measures is significant (Stallings et al., 2012). Incident response measures need to be well controlled and followed. Strong protection of data is mandatory.
Recovery from a security disaster is possible when the right approaches are followed and a well-established policy and plan are in place. Each incident must be reviewed, and the frequency of incidents that compromise security measures must be reduced and controlled. Incident detection and analysis are crucial.
Intrusion detection and prevention entails configuring an IDPS that reports changes taking place in system folders. Critical data in the folders aligned to security management is especially important to protect (Stallings et al., 2012). An email alerting system needs to be deployed that alerts on high-priority events and also records instances of lower-priority activity.
Unauthorized changes in sensitive areas need to be captured. Applications tend to modify their internal files frequently, including directories and templates, and users constantly update data files, so the IDPS configuration needs to be tuned so that accurate alarms are generated.
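As an added illustration of the IDPS file-change monitoring described above (example code written for this page, not part of the plan or of the cited textbook), the following Python baselines file digests, detects additions, modifications and deletions, and classifies each change by path prefix so that changes in sensitive system folders are alerted with high priority while routine application and user file changes are only recorded. The path prefixes, the `snapshot_dir` helper and the sample files are constructed assumptions.

```python
import hashlib
from pathlib import Path

# Constructed assumptions: which path prefixes count as sensitive system
# folders (alert) and which are rewritten routinely by applications or
# users (record only). A real deployment would take these from policy.
HIGH_PRIORITY_PREFIXES = ("/etc/", "/usr/bin/")
LOW_PRIORITY_PREFIXES = ("/var/app/templates/", "/home/")


def baseline(files):
    """Build a baseline of SHA-256 digests; `files` maps path -> bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_dir(root):
    """Read every regular file under `root` so it can be fed to baseline()."""
    return {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}


def classify(path):
    """Priority of a change, decided by where in the tree the file lives."""
    if path.startswith(HIGH_PRIORITY_PREFIXES):
        return "high"
    if path.startswith(LOW_PRIORITY_PREFIXES):
        return "low"
    return "medium"


def detect_changes(base, current):
    """Diff two digest maps; returns (path, kind, priority) tuples."""
    events = []
    for path in sorted(set(base) | set(current)):
        if path not in current:
            kind = "deleted"
        elif path not in base:
            kind = "added"
        elif base[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged file: nothing to report
        events.append((path, kind, classify(path)))
    return events


def route(events):
    """High-priority events go to the alert channel; the rest are only logged."""
    alerts = [e for e in events if e[2] == "high"]
    log_only = [e for e in events if e[2] != "high"]
    return alerts, log_only
```

In practice the digest baseline would be stored outside the monitored hosts so that an attacker who alters a system folder cannot also rewrite the record used to detect it.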
Stallings, W., Brown, L., Bauer, M. D., & Bhattacharjee, A. K. (2012). Computer security: Principles and practice (pp. 978-0). Pearson Education.