General Security Policy for C & C Title Services, LLC
A paper submitted to Webber International University
In partial fulfillment of the requirements for the
Masters in Business Administration degree
Aimee M. Lopez
Instructor: Dr. Wunker
Table of Contents
Table of Contents …………………………………………………………………………...2
I. Purpose of a Security Policy……………………………………………
Company Background .……………………………………………………
for C & C Title Services, LLC
Purpose of a Security Policy
As an organization grows, the need fo
r computers and networks to perform specified
duties will also grow. This prospering organizations’ computer system, the data stored in the
system, and any information derived from the network should remain the sole possession of the
s and affiliates. (Forcht, 2000/2001)
With the use of computers
growing in today’s market,
security policies and procedures are detrimental for an organization
to function properly and safely in this hostile environment. Various threats such as:
hackers, disgruntled employees and natural disasters make a security policy valuable to protect
the organization’s personal information.
One of the most common threats to a company’s
information system are viruses’, a code fragment that copies
itself into a larger program then
altering that program and doing various sorts of damage to the computer. The reason this threat
is called a virus is due to the fact that the virus can replicate itself, which then infects other
programs as it reproduces.
In general, hackers are individuals who write programs designed to
break into an organization’s personal computer system. Thes
e individuals can be classified
their motive and the type of damage they can cause to harm the computer systems. Disgruntle
employees can potentially cause the most damage to an organization’s personal system, due to
their knowledge and skills of that company’s particular system. Natural disasters ranging from
fires, lighting storms to water damage can cause enough destructi
on to a computer system to
temporarily or permanently halt the organization’s day to day business operations.
The goal of an information systems security policy is to ensure that proper steps are taken
so that everyone is held responsible a
nd accountable for maintaining security fo
The policy should define the information that needs protection and delineate which
technological and procedural
are in place to do that. It should, for example,
incidents should be reported, what records should be kept and what the
response will be. The policy should also describe what is expected of each group of
employees with regard to achieving these goals.
The policy should define acceptable
behavior as we
ll as disciplin
ary guidelines for infractions.
In addition, the company should set forth measures for staff to follow
limit the potential for
future liability arising from the handling of electronic data. (Blake, 2000)
What are the best
ways to minimize threats from occurring?
Development of a security
policy that inco
rporates a privacy procedure,
lities for personnel to
a secure website, proper backup and disaster recovery into the organization’s newly
formed security guidelines.
entails the ability to log onto th
computer network. As a user, the individual will enter his or her identification name followed by
this in turn will set several
actions in motion
first occurs when
the user is verified by the system for proper entry, normally
by matching the password with the
user ID. Authorization
after the user has been allowed
o access into the system
(Loshin, 2001) Thi
takes place when the user is able to
view files but not delete or modify.
The most frequent way to gain illegal entry into the network
system is by simply using a computer already in a logged
in state or by coming across an
In terms of breaching the company’s security
employees with unlimited daily
access to that company’s private information
require extra attention. (Hulme, 2000)
the security policy is going to
of each employee
with the company’s
system and information.
Security should not be viewed as a burden by employees, but as a way
for them to perform their assigned responsibilities and protect the interest of their or
is a document that needs to be frequently
updated to handle new
To ensure proper fulfillment personnel must be adequately trained for usage,
in addition, unannounced audits should be conducted for security purpos
In most cases, an organization already has a web site or is in the process of constructing
The key to an effective approach to online confidentiality liability is public restrictions of
that websites’ collection of information and
distribution practices. (Jacobs, 2001)
is administered so
that the Web server does not threaten the security of
the local area network. (Stein, 1997)
Even though you can never fully protect a company’s web
ense and supervision can make that server extremely diff
icult for vandals to
Such problems are maintained by isolating the Web server
or installing encryption
programs to secure confidential information
. This can be performed by insulating the s
the rest of the organization.
In this situation, the Web server is placed on its own screened sub
When private information
methods are used to
That way, only the two parties involve
d are capable of reading maintaining this
The organization should be prepared for any disaster that may arise if the
In order to rebuild the network efficiently, a full copy of the
ting system, support files, and Web software should be accessible.
(Stein, 1997) In most
cases, a good backup system is mandatory for the organization’s future business. Be it natural or
made, disasters can strike an organization at any given time or
must have practices and procedures in place to protect their personal information
he operations of the business.
is primarily about technical restoration, business
continuity addresses the
human business processes.
The level of disaster recovery
planning an organization needs to undertake is dependent on the level of risk that
company is willing to
Since some disasters are unavoidable, a plan of
recovery is developed that encompasse
s two main elements: a recovery point
and a recovery t
ime objective.” (Elliot, Udelson, 2005)
A particular group can only operate without assets for a short period, at which, a solid disaster
recovery plan can save a company’s
C & C Title Services, LLC is a year and one half old real estate title company and serves
as the Sebring Branch for the main office located in Wauchula, Florida. C & C is in direct
partnership with Century 21 Advanced All Service Realty
, serving, but not limited to all of their
real estate agents conveniently located in the same building. What type of service does a title
company provide? C & C Title Services sells title insurance for real estate transactions and
nce is a contract to protect an owner against losses arising through defects
in the title to real estate owned. If the title is insurable, the company guarantees the owner
against loss due to any defect in title or expenses in legal defense of the title pu
rsuant to the
terms of the policy.
Our company specializes in cash, loans and for
transactions in Highlands, Hardee, DeSoto and Polk counties.
(Leslie Conerly, personal
interview, September 29, 2005, C & C Title Services)
Although C & C Ti
tle Services uses some of the basic skills of a security policy in the
day operations, the company does not have a formal network security policy. Some of
the current practices used include: daily back
up tape routine, network password usage, firew
virus protection and other personnel responsibilities. However, there is not a specific
policy to highlight any of these practices to the employees. Therefore, any lapses in the security
measures would be the responsibility of the manageme
nt and not necessarily the individual
employee. With the implantation of a policy with a strong foundation, C & C Title will be better
equipped to protect its network information.
(Leslie Conerly, personal interview, September 29,
, C & C Title Service
C & C Title Services, LLC does not currently conduct a formal
, the company requires the initials of all clients on a privacy statement concerning their
real estate transaction, however, there is nothing
required of employees.
To protect it
s future, C
& C Title should implement privacy procedures such
monitoring computer usage. This in turn
can minimize theft of the organization’s personal client information.
The biggest concern at C &
C Title is tha
t the server runs continuously day and night.
Only one computer in the office
requires the use of passwords for log
ins, whereas, the remaining computers do not require
Requiring passwords for each individual employee, will not only prote
organization from external/internal intrusion, but also can moni
tor computer usage of employees.
(Elliot, 2005, Loshin, 2001)
At C & C Title, the only
conducted on a day
day basis is the
For example, at t
he end of the working day, the last person leaving is responsible
for locking up office doors, front entrance door and the money drawer.
In addition, there are at
3 employees responsible for switching out the daily information
up tape. By
ning a single employee to
the daily changing of the back
up tape eliminates any
confusion amongst employees.
is also of major concern, because of the use of
Yahoo Messenger from employee to employee as well as office to office
s type of
communication potentially opens external threats into the company’s network system. The use
of an alternative type of messenger that is more secure can help to minimize potential web based
(Hulme, 2000, Stein, 1997)
At C & C
is replaced and stored at the end of the day in a locked
fire proof cabinet in the main office.
The company’s sister offices replace their back
tapes into a safety deposit box at their
local bank each day. However
, the main
office does not
have access to any outside storage for the company’s personal information.
At this time,
external storage at the local bank is under discussion to continue to protect the organization’s
In case of a disaster, be it natural or man
made, there is no set protocol for
The purchase of a
cabinet as well as safety deposit box at the local bank will
eliminate permanent closure of C & C Title’s doors.
(L. Conerly, personal communication,
Blake, S. (2000, April) Protecting the Network Neighborhood,
Retrieved September 25, 2005, from http://search.epnet.com.
Elliott, M. (2005, May) Secure it or Lose it,
ved September 25, 2005
Forcht, K. (2000/2001, Winter) Developing a computer security policy for organizational
use and implementation,
Journal of Computer Information Systems
August 22, 2005 from http://sea
Hulme, G. (2000, October)
Beware of the threat from within,
Retrieved August 26, 2005 from http://search.epnet.com.
Jacobs, J., Pearl, M. and Irvine, S. (2001, March) Protecting online privacy to
, Retrieved August 26, 2005 from
Loshin, P. (2001, February 5) Single Sign
, Retrieved September 25,
2005, from http://search.epnet.com.
Stein, L. (1997, September) WEAVING A SECURE
Retrieved September 25, 2005, from http://search.epnet.com.
Udelson, T. (2005, September) A Guide to Disaster Preparedness Planning,
, Retrieved October 2, 2005, from http://search.epnet.com.