Policy Monitoring and Enforcement Strategy Paper
The possibility of abuse of a company's resources is a real risk "that can lead to regulatory noncompliance" (Johnson, 2011). Ensuring the company's profitability and survivability requires strict enforcement of security policies. The two monitoring and enforcement areas I would be most concerned about are access control and virus protection.
The monitoring regulations and standards I would rely on for this activity are audit trails provided by logs, ISO 27001/27002 (formerly ISO 17799:2005), ITIL, and NIST SP 800-53, "Recommended Security Controls for Federal Information Systems". Logs are a valuable monitoring tool because they provide a record of events. As such, I need every occurrence to be logged, tracked and reported on. For each entry, I want to know "what" occurred, "when" it occurred, and "who" or what caused it.
Monitoring compliance would allow me to: (1) detect and correct violations; (2) provide evidence to support enforcement actions; (3) evaluate program progress by establishing compliance status; and (4) provide case studies for staff training (The SANS Institute, 2012). At each location I would nominate SIS enforcement officers who would be held responsible for the monitoring and enforcement strategies, ensuring that employees act in accordance with the acceptable use policies (AUPs) set forth by management to protect the organization's assets.
Sguil (pronounced "sgweel") is one of the best GUI monitoring tools around, and I would use it because it provides "real time events, session data, and raw packet captures." It facilitates seamless analysis: once an alert that needs more investigation has been identified, it helps the analyst decide how to handle the situation. Sguil uses a backend database for most of its data, which allows users to perform SQL queries against several different types of security events (The SANS Institute, 2012).
For access control, I would use the least privilege principle, whereby employees are granted only enough privilege to accomplish their assigned tasks and no more. I would also use the separation of duties principle, whereby employees' responsibilities and privileges are divided to prevent "a person or small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss" (Johnson, 2011). DoD business transactions rely on PCI DSS to prevent card data from being stolen.
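As an added illustration of how the least privilege and separation of duties principles above can be enforced and audited in practice (example code written for this page, not taken from Johnson or any product), the following Python module models a small role-based access control policy. The roles, permissions, users and conflicting-duty pairs are constructed sample data and are assumptions; the point it demonstrates is that access is denied by default, a user only gets the permissions of the roles assigned to them, and any user whose combined roles place two conflicting duties in one pair of hands is flagged and denied until the assignment is corrected. Each decision is also written as an audit entry recording what, when and who, as the logging requirement above asks for.

```python
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample policy (assumption, not from the essay): each role carries
# only the permissions needed for that job, which is what least privilege asks for.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"invoice:create", "invoice:view"}),
    "ap_approver": frozenset({"invoice:view", "invoice:approve"}),
    "treasury": frozenset({"payment:release"}),
    "auditor": frozenset({"invoice:view", "audit_log:view"}),
}

# Separation of duties: pairs of permissions that must never be held by one person.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"invoice:create", "invoice:approve"}),
    frozenset({"invoice:approve", "payment:release"}),
}

# Constructed sample role assignments; "carol" deliberately holds two conflicting roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},
    "dave": {"auditor"},
}


def effective_permissions(user: str,
                          user_roles: Dict[str, Set[str]] = USER_ROLES,
                          role_permissions: Dict[str, FrozenSet[str]] = ROLE_PERMISSIONS) -> FrozenSet[str]:
    """Union of the permissions of every role assigned to the user (empty if unknown)."""
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, frozenset())
    return frozenset(perms)


def sod_violations(user: str,
                   sod_conflicts: Set[FrozenSet[str]] = SOD_CONFLICTS) -> List[Tuple[str, ...]]:
    """Conflicting permission pairs that the user's combined roles grant together."""
    perms = effective_permissions(user)
    return sorted(tuple(sorted(pair)) for pair in sod_conflicts if pair <= perms)


def authorize(user: str, permission: str) -> Tuple[bool, str]:
    """Deny by default: allow only a granted permission, and never for a user in SoD conflict."""
    if permission not in effective_permissions(user):
        return False, "denied: permission not granted"
    if sod_violations(user):
        return False, "denied: separation-of-duties conflict"
    return True, "allowed"


def audit_entry(user: str, permission: str, decision: Tuple[bool, str],
                when: datetime | None = None) -> str:
    """One audit-trail line answering what occurred, when, and who caused it."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    outcome = "ALLOW" if decision[0] else "DENY"
    return f"{ts} who={user} what={permission} outcome={outcome} reason={decision[1]!r}"


def review_all_users() -> Dict[str, List[Tuple[str, ...]]]:
    """Periodic compliance check: users whose role assignments violate separation of duties."""
    return {u: v for u in USER_ROLES for v in [sod_violations(u)] if v}


if __name__ == "__main__":
    fixed = datetime(2012, 1, 1, tzinfo=timezone.utc)
    for user, perm in [("alice", "invoice:create"), ("alice", "invoice:approve"),
                       ("carol", "invoice:view"), ("dave", "audit_log:view")]:
        print(audit_entry(user, perm, authorize(user, perm), fixed))
    print("SoD review:", review_all_users())
```

Running the module prints one audit line per decision and a review listing `carol` as the only user whose assignments conflict; in a real deployment the review function would be run on a schedule and its output would feed the enforcement officers' reports.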
As such, we need virus protection that detects malware early and prevents a breach of the system from occurring. Regular patch management updates will be a mandatory requirement in all locations. Policy enforcement can be accomplished through automated or manual controls (Johnson, 2011). Some of the controls I would utilize are: (a) authentication methods; (b) authorization methods; (c) data encryption; (d) data segmentation; and (e) network segmentation.
According to Johnson (2011), "automated policy management tools take security policies and implement them as configuration updates. Once the device is configured, the automated control enforces the policy." One example of such enforcement is a preventive control that requires employees to change their passwords every 30 days. To ensure that the monitoring and enforcement policies are adhered to, a security awareness policy would be implemented to raise awareness of these regulations.