General Security Information for C & C Title Services, LLC


Nov 3, 2013 (3 years and 1 month ago)


Policy
1



General Security Policy for C & C Title Services, LLC




A paper submitted to Webber International University

In partial fulfillment of the requirements for the

Masters in Business Administration degree

By:

Aimee M. Lopez

Jeff Talbert

Shannon Terrell

Date: October 25, 2005

Course: MBA610

Semester: Fall 2005

Instructor: Dr. Wunker








Table of Contents

Body

I. Purpose of a Security Policy

II. Company Background

III. Recommendations

References






























General Security Policy for C & C Title Services, LLC


Purpose of a Security Policy



As an organization grows, the need for computers and networks to perform specified duties will also grow. This prospering organization’s computer system, the data stored in the system, and any information derived from the network should remain the sole possession of the company, its employees and affiliates. (Forcht, 2000/2001) With the use of computers rapidly growing in today’s market, security policies and procedures are essential for an organization to function properly and safely in this hostile environment. Various threats, such as viruses, hackers, disgruntled employees and natural disasters, make a security policy valuable for protecting the organization’s personal information. One of the most common threats to a company’s information system is the virus, a code fragment that copies itself into a larger program, altering that program and doing various sorts of damage to the computer. This threat is called a virus because it can replicate itself, infecting other programs as it reproduces.

In general, hackers are individuals who write programs designed to break into an organization’s personal computer system. These individuals can be classified by their motive and the type of damage they can cause to computer systems. Disgruntled employees can potentially cause the most damage to an organization’s personal system, due to their knowledge of and skills with that company’s particular system. Natural disasters ranging from fires and lightning storms to water damage can cause enough destruction to a computer system to temporarily or permanently halt the organization’s day-to-day business operations. (Heller, 2001)


The goal of an information systems security policy is to ensure that proper steps are taken so that everyone is held responsible and accountable for maintaining security for the organization’s network.

The policy should define the information that needs protection and delineate which measures, technological and procedural, are in place to do that. It should, for example, explain how incidents should be reported, what records should be kept and what the response will be. The policy should also describe what is expected of each group of employees with regard to achieving these goals. The policy should define acceptable behavior as well as disciplinary guidelines for infractions. (Blake, 2000)

In addition, the company should set forth measures for staff to follow to limit the potential for future liability arising from the handling of electronic data. (Blake, 2000)


What are the best ways to keep threats from occurring? Develop a security policy that incorporates a privacy procedure, password usage, responsibilities for personnel to follow, a secure website, and proper backup and disaster recovery into the organization’s newly formed security guidelines. A privacy procedure entails the ability to log onto the company’s computer network. As a user, the individual will enter his or her identification name followed by the password; this in turn will set several actions in motion. Authentication first occurs when the user is verified by the system for proper entry, normally by matching the password with the user ID. Authorization then comes after the user has been allowed access to the system resources. (Loshin, 2001) This authentication/authorization takes place when, for example, the user is able to view files but not delete or modify them. The most frequent way to gain illegal entry into the network system is by simply using a computer already in a logged-in state or by coming across an unprotected password. (Elliott, 2005)


In terms of breaching the company’s security system, employees with unlimited daily access to that company’s private information require extra attention. (Hulme, 2000) In general, the security policy is going to define the responsibilities of each employee with respect to the company’s system and information. Security should not be viewed as a burden by employees, but as a way for them to perform their assigned responsibilities and protect the interest of their organization. The policy is a document that needs to be frequently updated to handle new and threatening security challenges. To ensure proper fulfillment, personnel must be adequately trained for usage; in addition, unannounced audits should be conducted for security purposes. (Elliott, 2005)


In most cases, an organization already has a web site or is in the process of constructing one. The key to an effective approach to online confidentiality liability is public restrictions on that website’s information collection and distribution practices. (Jacobs, 2001) In this situation, web security is administered so that the Web server does not threaten the security of the local area network. (Stein, 1997) Even though you can never fully protect a company’s web server, common sense and supervision can make that server extremely difficult for vandals to penetrate. Such problems are addressed by isolating the Web server or installing encryption programs to secure confidential information. Isolation is performed by insulating the server from the rest of the organization: the Web server is placed on its own screened subnetwork. When private information is transferred, encryption methods are used to safeguard this information. That way, only the two parties involved are capable of reading and maintaining this personal information. (Stein, 1997)

The organization should be prepared for any disaster that may arise if the system is compromised. In order to rebuild the network efficiently, a full copy of the backup and operating system, support files, and Web software should be accessible. (Stein, 1997) In most cases, a good backup system is mandatory for the organization’s future business. Be it natural or man-made, disasters can strike an organization at any given time or moment. Currently, companies must have practices and procedures in place to protect their personal information and continue the operations of the business.

“While disaster recovery is primarily about technical restoration, business continuity addresses the human business processes. The level of disaster recovery planning an organization needs to undertake is dependent on the level of risk that company is willing to accept. Since some disasters are unavoidable, a plan of recovery is developed that encompasses two main elements: a recovery point objective and a recovery time objective.” (Elliott, Udelson, 2005)

A particular group can only operate without its assets for a short period, at which point a solid disaster recovery plan can save a company’s future.












Company Background


C & C Title Services, LLC is a year-and-a-half-old real estate title company and serves as the Sebring Branch for the main office located in Wauchula, Florida. C & C is in direct partnership with Century 21 Advanced All Service Realty, serving, but not limited to, all of their real estate agents, conveniently located in the same building. What type of service does a title company provide? C & C Title Services sells title insurance for real estate transactions and property. Title insurance is a contract to protect an owner against losses arising through defects in the title to real estate owned. If the title is insurable, the company guarantees the owner against loss due to any defect in title or expenses in legal defense of the title pursuant to the terms of the policy. Our company specializes in cash, loan and for-sale-by-owner transactions in Highlands, Hardee, DeSoto and Polk counties. (Leslie Conerly, personal interview, September 29, 2005, C & C Title Services)

Although C & C Title Services uses some of the basic elements of a security policy in its day-to-day operations, the company does not have a formal network security policy. Some of the current practices used include: a daily back-up tape routine, network password usage, firewalls, basic anti-virus protection and other personnel responsibilities. However, there is not a specific policy to highlight any of these practices to the employees. Therefore, any lapses in the security measures would be the responsibility of the management and not necessarily the individual employee. With the implementation of a policy with a strong foundation, C & C Title will be better equipped to protect its network information. (Leslie Conerly, personal interview, September 29, 2005, C & C Title Services)





Recommendations

C & C Title Services, LLC does not currently conduct a formal privacy procedure. Presently, the company requires the initials of all clients on a privacy statement concerning their real estate transaction; however, there is nothing required of employees. To protect its future, C & C Title should implement privacy procedures such as monitoring computer usage. This in turn can minimize theft of the organization’s personal client information. The biggest concern at C & C Title is that the server runs continuously day and night. Only one computer in the office requires the use of passwords for log-ins, whereas the remaining computers do not require password usage. Requiring passwords for each individual employee will not only protect the organization from external/internal intrusion, but also allow the company to monitor employees’ computer usage. (Elliott, 2005; Loshin, 2001)


At C & C Title, the only employee responsibility conducted on a day-to-day basis is the office lock-up. For example, at the end of the working day, the last person leaving is responsible for locking up office doors, front entrance door and the money drawer. In addition, there are at least 2-3 employees responsible for switching out the daily information back-up tape. Assigning a single employee to handle the daily changing of the back-up tape eliminates any confusion amongst employees. Web security is also of major concern, because of the use of Yahoo Messenger from employee to employee as well as office to office. This type of communication potentially opens the company’s network system to external threats. The use of an alternative type of messenger that is more secure can help to minimize potential web-based threats. (Hulme, 2000; Stein, 1997)



At C & C Title, the back-up tape is replaced and stored at the end of the day in a locked non-fireproof cabinet in the main office. The company’s sister offices place their back-up tapes into a safety deposit box at their local bank each day. However, the main office does not have access to any outside storage for the company’s personal information. At this time, external storage at the local bank is under discussion to continue to protect the organization’s future. In case of a disaster, be it natural or man-made, there is no set protocol for disaster recovery. The purchase of a fireproof cabinet as well as a safety deposit box at the local bank will prevent the permanent closure of C & C Title’s doors. (L. Conerly, personal communication, 9/15/05) (Elliott, 2005)





























References



Blake, S. (2000, April). Protecting the Network Neighborhood. Security Management. Retrieved September 25, 2005, from http://search.epnet.com.

Elliott, M. (2005, May). Secure it or Lose it. Data Security. Retrieved September 25, 2005, from http://search.epnet.com.

Forcht, K. (2000/2001, Winter). Developing a computer security policy for organizational use and implementation. Journal of Computer Information Systems. Retrieved August 22, 2005, from http://search.epnet.com.

Hulme, G. (2000, October). Beware of the threat from within. Information Week. Retrieved August 26, 2005, from http://search.epnet.com.

Jacobs, J., Pearl, M. and Irvine, S. (2001, March). Protecting online privacy to avoid liability. Association Management. Retrieved August 26, 2005, from http://search.epnet.com.

Loshin, P. (2001, February 5). Single Sign-On. Computerworld. Retrieved September 25, 2005, from http://search.epnet.com.

Stein, L. (1997, September). Weaving a Secure Web. Security Management. Retrieved September 25, 2005, from http://search.epnet.com.

Udelson, T. (2005, September). A Guide to Disaster Preparedness Planning. Association Management. Retrieved October 2, 2005, from http://search.epnet.com.