Course Project

profilesmithlm3
CourseProject1_INFORMATIONASSURANCEPOLICY_-3ProfessorComments.docx

Running head: INFORMATION ASSURANCE POLICY 1

INFORMATION ASSURANCE POLICY 8

Information Assurance Policy

Latorrie Smith

Liberty University

Studies in Information Security, CSIS 340

February 7, 2021

TG CHARITY INFORMATION ASSURANCE POLICY

Overview

This organization (TG) is based in the United States of America. This is a charity organization whose primary focus is to help developing countries with basic needs of their citizentheir citizens' basic needs, such as food, shelter, and education. The organization ensures that it collects donations, which are then sent to the impoverished countries, helping them do various things such as the construction of infrastructure, housing, and sending teachers in the schools who are essential assets in improving children's education level countries languishing in poverty. Therefore, this organization works with various shareholders and donors. The vast transactions that are done in the organization require to be safely safeguarded. The Organization secures the donors and their business associates' PHI on any form, whether written or not. The organization, therefore, must ensure the safety of information through an Information Assurance Policy that includes transmission, storage, and processing of data. 

Purpose

This Information Assurance Policy aims to guide and restrict the use of some algorithmssome algorithms' use, thus helping the organization maintain the security of the enormous amount of data it holds. The guidelines are critical because the information that is protected is not only in the United States where the organization is based but also in the countries that the organization works with to help elevate the lies of the citizens in these countries. Therefore, the policy has strong structures and mechanisms for federal regulations that are required to be followed and give legal authority of disseminating information outside the United States. The policy also addresses all the areas that should be addressed to secure the IP-based session call that is made using public networks. According to Al-Shaboti, Chen, & Welch (2019), “IP-based multimedia communication systems, such as Session Initiation Protocol (SIP) have the concept of a call identifier that is globally unique. The identifier is intended to represent an end-to-end communication session from the originating device to the terminating device”. This policy aims to allow the information systems to have a very high level of security. This is only achievable by effectively controlling the potential threats to possible vulnerabilities that are not easier to mitigate through the company’s information systems capabilities. 

Scope

This policy helps in guiding on the right use of the organization’s data and information system of this charity organization. The policy covers all employees of this company, merchants, and agents.

Algorithm requirement 

Each individual will receive a user account that will be attached with appropriate privileges level of each employeeattached with each employee's appropriate privileges level. All the employees will use their user accounts to log into any company’s computer.

It is only authorized users who are allowed to access the information systems. the users are, however, restricted to specific defined applications as well as given different levels of access rights

Any user who is accessing the networks of the company must be authenticated. The authentication level must be appropriate to the data classification as well as the transport medium. The identity authentication includes automatic logoffs, unique user identifiers, a password, personal identification number, or a telephone call-back response

The IT manager will be responsible for assigning all employees a distinctive username.

Any employee who violates the policy will be subjected to disciplinary action that may include termination.

The policy applies to all company’s computers and communication systems

The policy applies to all employees of this facility and all business partners, contractors, consultants, and temporary employees.

“Since identity is part of the company’s hiring process, upon termination, the employee’s user account is supposed to be deactivated” (Sosin, 2018).

All kinds of file transfers must be encrypted before being transferred from one department to another, hindering unauthorized users from accessing the data. 

Cryptographic hash Function requirement 

These are critical security algorithms that have much practical application in digital signatures. For the hash function to be utilized effectively in practice, they must satisfy the security properties that prevent an attack on the applications or functionality. These play a critical role in various cryptographic applications like digital signatures, authentication, and key derivation. This is mostly because public and private network infrastructure is exposed to many cyber-threats. “The operating environment for critical infrastructure is increasingly complex, driven by several factors, including globalization, the evolution of technology, and the interconnected nature of critical infrastructure supply chains, networks, and systems” (THIS, et al., 2018). 

Key agreement and authentication 

It is very important to always use the MAC algorithm for the purpose of guaranteeing call authenticity. 

Before any endpoint user or any caller is given any information regarding the company; they must be authenticated. 

For authentication purposes, it requires that public keys are used. The process may either involve sending cryptographically signed message or through manually entering the public key 

All the company’s servers that use MAC are required to have the certificate signed by the telephone service provider. 

Key generation 

  The department assigned to generate the cryptographic keys and store them has a duty of ensuringmust ensure that the keys are secure. Any loss or compromise of the public keys would lead to disciplinary action that may include termination.   

The key generation is required to follow the standard number generator (RNG). This will help in picking truly random numbers between any two numbers. This version creates many random integers or decimals (Yang, et al., 2018). It is also capable of dealing with large numbers to generate unique codes. 

Policy Compliance

Compliance measures 

It is the responsibility of the IT managerIT manager's responsibility to verify and ensure that the policy is complied with. There are various methods thatVarious methods will be used for this purpose. Some of them include both internal and external audits. The external audits will take place annually, where an auditor who is independent will conductsoccur annually, where an independent auditor will conduct the audits. The company is responsible for hiring an auditor and arranges all required assembly before the audit taking place. The external audits are required to be different from all the other audits carried out internally by the company for the avoidance ofto avoid a conflict of interest. The audit will also be used in looking at the staff and mayto look at the staff and interview them to confirm whether their regular responsibilities match with their job description. It will also show whether they have the requisite training to allow them to access the information of the company safelysafely access the company's information.

Exceptions

In case of any exception, it must be accessed and approved by the IT team in advance. 

Noncompliance 

Violating these policies will be considered as a breach of a security breach. Therefore, this means that any person who will be found guilty will be dealt with depending on the violation they have committed. This will include a warning letter for a minor breach; multiple breaches or a major breach will call for the employee's suspension, and subsequently, there may be termination in case of a serious breach.

Related Standards and Processes

Information sources reliance and charitable giving decisions. An open exchange of information requires that every party involved in this transaction understands each party's goals. The stakeholders are thereforefore, the stakeholders are supposed to ensure that the set policies are working effectively (Zhuang, et al., 2018). This will ensure that there is enough security for both the personal ad of all the shareholders as well as the organizational data. The policies are critical in maintaining trust between all the parties that are involved.

Education

All the stakeholders should be educated about the significance of data security. Similarly, The IT in organizations is given extra responsibility, and a well-built IT infrastructure has become necessary for showing law compliance. The IT division is required to give various kinds of control documentation as well as documentation regarding these controls' effectiveness.

Definitions and Terms

MAC-this addresses wireless network security by adding a significant level of convenience for the users.

RNG-this is a random number generator, a key generation that helps pick truly random numbers between any two numbers.

IT Team: information technology team. 

Public Key: this can be defined as the form of cryptography where the transmitter of a message and its recipient use different keys. This is very important as it helps to eliminate the need for the sender to transmitting the code risking its interception.

References

Al-Shaboti, M., Chen, A., & Welch, I. (2019, August). Automatic Device Selection and Access Policy Generation based on User Preference for IoT Activity Workflow. In 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE) (pp. 769-774). IEEE. Retrieved from: https://ieeexplore.ieee.org/abstract/document/8887388

Sosin, A. (2018). how to increase the information assurance in the information age. Journal of Defense Resources Management, 9(1), 45-57.

THIS, A. R. O., IMMEDIATELY, A. U. P. I. E., POSTING, U. S., & GOVERN, W. (2018). Acceptable use policy. Retrieved from: http://www.roweinternet.com/wp-content/uploads/2018/09/Rowe-Internet-Acceptable-Use-Policy.pdf

Yang, Y., Bi, J., Chen, X., Yuan, Z., Zhou, Y., & Shi, W. (2018). Simple hash function using discrete-time quantum walks. Quantum Information Processing, 17(8), 1-19. doi:10.1007/s11128-018-1954-2

Zhuang, Z., Hsu, Y., Nurmi, K., Chen, C., Liu, H., & Tseng, T. (2018). A hybrid session key exchange algorithm for highly-sensitive IP-based institutional communications. Microsystem Technologies, 24(1), 273-283. doi:10.1007/s00542-016-3263-