Pulling it all together – Social Engineering Security Policy


Social Engineering Awareness Policy

Policy statement for securing sensitive information

The organization is responsible for maintaining high security standards for any electronic information under its control. Any data stored on or accessed through company assets needs to be protected against any unintentional or intentional loss of privacy, availability or integrity, irrespective of location.

Purpose

The policy statement safeguards information and ensures the ability of the business to carry on its operations.

Scope

The policy applies to all company staff, contractors, users and anyone else who uses the organization's information assets.

General

All computers, electronic systems and applications ought to have a known local data owner who is in charge of the data and has the authority to act as the point of contact.

All devices will be administered and assessed on a continuing basis by information technology support specialists, within their given capacity, for any necessary security actions.

Safeguarding assets

The following procedures and policies need to be applied to secure sensitive assets:

All computing devices need to have specialized technical support staff who are properly supervised to uphold information security. Staffing levels need to be sufficient to ensure that the private information the organization is responsible for is well managed.

Devices will be set up in line with the applicable information security guidelines and standards stated by the organization.

Installation of newer versions, regular patching and other forms of maintenance shall be conducted to safeguard the data. Automated configuration or centralized distribution of security patches is highly recommended for the majority of server and desktop hardware.

Access to private data shall be subject to password authentication, with file access privileges differentiated according to the data user.

Root-level or administrator passwords need to be strong. The company shall use user accounts with lower privilege levels instead of root accounts wherever possible. Employee access privileges need to be reviewed regularly.

The use of portable flash drives is strictly prohibited without prior authorization from the administrator. Should the decision to use flash media be taken, all data on the media needs to be appropriately encrypted.

All the organization's computers shall have malware filters and antivirus software installed and regularly updated, except for devices granted a prior exclusion by the authorizing party.

Physical access to computing devices needs to be restricted, especially when they are not in use. Devices ought to be switched off when not in use. Personal computers need to be physically secured using standard locking attachments, and servers need to be housed in a secure and appropriate physical facility.

Host security log files shall be configured and regularly reviewed for any irregularities.

Logs need to be of adequate size and offer helpful information in the event of a security incident.

Servers that store sensitive information need to be regularly scanned with vulnerability testing software to reveal any vulnerabilities and allow corrective action to be taken.

Periodic backup copies of data and software need to be made, tested and securely stored. The physical security of removable media needs to be maintained, and plans need to be made to permit recovery from any unforeseen problems.

Secure deletion programs or mechanisms need to be used to erase all data from media and hard disks before hardware is declared surplus, transferred or disposed of.

1. PROTECTION OF SENSITIVE DATA

The following actions need to be taken for the additional protection of sensitive information, depending on the sensitivity, requirements and classification of the data:

1. All private data storage needs to be limited to a hardened file server.

2. Strictly restrict the duration and volume of the stored information.

3. Data must be moved to a dedicated computer that holds no other application or data.

4. Network access shall be limited to a list of specific devices or machines.

5. Use either local non-routed IP networks or addresses that prevent access to or from the internet.

How to handle requests for sensitive information

1. When a request is received, it ought to be passed to the responsible supervisor or whoever is in charge of securing data.

2. The request needs to be made from an encrypted source for security purposes.

3. After review, the customer or individual who requested the stated data will receive an email containing a link, which is bound to expire after some time.

4. The link will lead to a secure webpage where the requested documents or information can be viewed, but first the recipient will need to verify their identity.
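Steps 3 and 4 above, the expiring link and the identity check before anything is shown, can be implemented with a signed, time-limited token plus a one-time code delivered by a separate channel. The following is an added example written for this page, not code from the policy or any product; the key, the lifetime, the example.invalid URL and the in-memory record of issued links are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key and lifetime; a real deployment loads the key from a
# secrets store and takes the lifetime from the policy.
SERVER_KEY = b"constructed-demo-key-do-not-use"
LINK_LIFETIME_SECONDS = 24 * 3600

# Issued links: request_id -> SHA-256 of the one-time verification code
# (an in-memory dict stands in for the database table here).
_issued = {}

def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_link(request_id, recipient_email, now=None):
    """Build the expiring link e-mailed to the recipient and the one-time
    code delivered by a separate channel. Returns (url, code)."""
    issued_at = int(time.time() if now is None else now)
    expires = issued_at + LINK_LIFETIME_SECONDS
    payload = f"{request_id}|{recipient_email.lower()}|{expires}".encode()
    token = base64.urlsafe_b64encode(payload + b"|" + _sign(payload).encode()).decode()
    code = secrets.token_hex(4)
    _issued[request_id] = hashlib.sha256(code.encode()).hexdigest()
    return f"https://example.invalid/secure/view?token={token}", code

def check_link(token, presented_email, presented_code, now=None):
    """Validate a presented link before any document is shown.
    Returns 'ok' or the reason the request is refused."""
    try:
        payload, sig = base64.urlsafe_b64decode(token.encode()).rsplit(b"|", 1)
        request_id, email, expires = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    # Check the signature first so that identity and expiry cannot be altered.
    if not hmac.compare_digest(_sign(payload).encode(), sig):
        return "bad_signature"
    if (time.time() if now is None else now) > int(expires):
        return "expired"
    # The recipient proves who they are before anything is displayed.
    if presented_email.lower() != email:
        return "identity_mismatch"
    expected = _issued.get(request_id)
    given = hashlib.sha256(presented_code.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, given):
        return "bad_code"
    del _issued[request_id]  # single use: a replayed link is refused
    return "ok"
```

Because the refusal reason is returned rather than shown to the requester, the secure page can log it for review while presenting the same generic message to the user in every failure case.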