
Developing a Security Policy for DR Alarms


Table of Contents

Introduction (p. 2)
  Development of security policy (p. 2)
Types of security policies (p. 2)
  WWW policy (p. 2)
  Email security policy (p. 3)
  Confidentiality (p. 5)
  Integrity (p. 5)
  Availability (p. 6)
Security Policy to Protect the Data Center Resources (p. 7)
  Physical Security (p. 8)
  Virtual security (p. 8)
  Vulnerabilities and Common Attacks (p. 9)
Security Policy to Educate Staff to Protect Company Data (p. 9)
Scope and Purpose of Security Policy (p. 10)
  PURPOSE (p. 10)
  SCOPE (p. 10)
Mandatory Requirements for Rules or Actions (p. 11)
  Example (p. 11)
Conclusion (p. 13)

Introduction
A security policy describes how an organization applies the principles and techniques of information security. An information security strategy is the record of the decisions an organization has taken to secure its information. A security policy includes both general and detailed guidance on how a company should secure its records and protect them from cyber threats. Different organizations, businesses, institutions and colleges have different kinds, styles and types of security strategies. The following figure gives an overview of the security policy cycle:

Development of security policy

A security policy is a structured document within a company that details how the organization defends itself against a range of malicious threats and cybersecurity attacks, and how it deals with the circumstances in which such threats occur.

Types of security policies

WWW policy
The World Wide Web (www) is a web-based information network built on a specific kind of server software, called a web server, that makes information accessible on the internet. Other programs, called web browsers, are used to retrieve the data held on those servers.

The following security measures are enforced for the organization's web presence:

- No offensive or harassing content is to be available on the organization's site.
- No private commercial advertisements are to appear on the company's website.
- Personal content should be kept to a minimum on the web.
- No sensitive company information should be published on the site.
- Users of the company should not be able to install or run a web browser.

Email security policy

Email can be used to communicate and exchange data, but also to threaten others or take part in criminal acts, and it can serve as evidence of such activity. In reality, email is an electronic form of a postcard and calls for specific policies and guidance. A company may include email policies such as the following. Users will give email the same care as verbal communication. Users check spelling and grammar before sending a message. Users do not send any kind of spam. No chain letter will be forwarded to a recipient. Users will not send confidential data. Users will send no unauthorized documents. Users may not use broadcast messages except to make necessary announcements.

Security policy for Confidentiality, Integrity, and Availability of data

Organizations and users of computers can state their needs for data protection and system support in three key requirements:

- Confidentiality: controlling who gets to read data.
- Integrity: ensuring that data and programs are modified only in a specified and authorized way.
- Availability: ensuring that authorized users have continued access to data and resources.

In different applications these three requirements are emphasized differently. In a national defense system, the chief concern is the confidentiality of sensitive data, while a funds transfer system may require strict integrity controls. The requirements for applications connected to outside networks differ from those for applications that are not connected. The technical principles and controls used for data security may also differ. The context within which an organization seeks to meet its data security needs is formalized as a security policy. A security policy is a concise statement, made by those responsible for the system such as senior management, of data values, protection responsibilities and organizational commitment. The policy is carried out by taking concrete steps driven by organizational control rules and by using precise security standards, procedures and protocols. Conversely, the choice of standards, practices and procedures should be driven by the most appropriate policies.

To be effective, a security policy must not only state the security needs (for example, for confidentiality purposes, that information must be disclosed only to designated individuals) but must also address the range of situations in which those needs have to be met and the related operational procedures. Without this second part, a security policy is so general that it is useless (although the second part can be supplied through the procedures and standards set for implementing the policy). In any event, certain threats are more likely than others, and a prudent policymaker must assess the risks, assign a level of priority to each, and set out a strategy by which attacks are to be prevented. For example, until recently most security policies did not require security standards to be met in the face of a worm threat, since that form of attack was unusual and not widely understood. As viruses have progressed from a theoretical threat to a common risk, it has become important to reconsider certain policies on the way software is delivered and procured. Implicit in this process is the organization's choice of the level of residual risk it can live with, a level that differs across organizations.

Management controls are the managerial, operational and technical processes and procedures for implementing a security policy. Some management controls are specifically concerned with protecting data and information networks, but the idea of management control covers far more than the basic role of computers in enforcing protection. Users should note that administrators do not rely only on administrative controls. An effective management control program must cover all dimensions of data security, such as physical security, classification of data, ways of recovering from data breaches and, above all, training to increase people's awareness and acceptance. There are many trade-offs between the controls. For example, if some controls are not available, formal controls can be applied before a practical solution has been identified.

The weight given to each of the three main requirements, confidentiality, integrity and availability of information, depends heavily on the circumstances. For example, the harm caused by a system being unavailable must be weighed partly against recovery time requirements. A system that must be restored within an hour of failure represents, and needs, a more demanding set of mechanisms and policies than a comparable system that need not be restored for two or three days. Similarly, the likelihood of a breach of confidentiality concerning a major product release can change over time. Early disclosure may compromise the competitive edge, but disclosure just before the planned announcement may be negligible. If the data remain the same, control over their publication greatly affects the probability of loss.

Confidentiality
The objective of confidentiality is to prevent the disclosure of highly sensitive data to unauthorized recipients. Secrets may be relevant for purposes of public safety (nuclear weapon data), law enforcement (the identity of undercover drug agents), market advantage (such as product prices or bidding tactics), or personal privacy (such as credit history). The most thoroughly developed confidentiality policies reflect the interests of the U.S. national security community, because that community has been prepared to pay for the definition and implementation of rules and because the value of the data it seeks to guard is considered very high. Since the range of threats is very wide in that setting, the policy requires systems to be resilient against an extensive range of attacks. DOD policies for confidentiality do not themselves set out the spectrum of possible risks that the policy must face. Instead, they represent an organizational approach, explaining the policy by setting out the control mechanisms that must be used to meet the confidentiality requirement. They therefore avoid enumerating the threats that would pose a serious risk, and they prevent the poor security design that comes from taking a new perspective on each new concern.

In the business world, confidentiality is typically secured by protection measures that are less strict than those of the national defense system. For example, the data is assigned to an "owner" (or custodian) who controls access to it. Such protection measures can cope with certain circumstances but are not as resistant to some attacks as classification and mandatory labeling mechanisms are, partly because there is no way to tell where copies of the data may go. For example, with Trojan horse attacks, even legitimate and honest users of the owner's system can be tricked into revealing secret data. In return for greater organizational efficiency and system efficiency, which are generally compatible with comparatively weaker security, the commercial environment has accepted these flaws.

Integrity
Integrity is the requirement that data and programs be modified only in a specified and authorized way. It may be necessary to keep information unchanged, or to allow data to be updated only in an authorized way (as in withdrawals from a bank account). It may also be important to determine the extent to which the information is reliable.

Some integrity policies reflect concern for preventing fraud and are stated in terms of management controls. For example, any action with the potential for fraud must be divided into parts performed by different people, a technique called separation of duties. A classic example is the purchasing process, which has three components: purchasing, receiving and paying. Someone must sign off at each step, the same individual must not sign off at two steps, and records can only be modified by set procedures; for instance, funds are debited and a check issued only for approved and received orders. In this case the policy is stated operationally, that is, in terms of specific management controls, and the threat model is revealed implicitly through those controls.
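The three-step purchasing control above, as an added example that is not part of the original paper: each step must be signed off by a different person, in order, and a check is issued only through the procedure for orders that were approved and received. The order numbers, names and amounts are constructed.

```python
"""Separation of duties for the three-step purchasing process (purchasing,
receiving, paying). Added illustration, not code from the original paper:
a purchase order must be signed off at each step by a different person, and
a check is issued only for approved and received orders, only through this
procedure. Order ids, names and amounts are constructed."""
from dataclasses import dataclass, field

STEPS = ("purchasing", "receiving", "paying")


class PolicyViolation(Exception):
    """Raised when an action would violate the separation-of-duties rule."""


@dataclass
class PurchaseOrder:
    order_id: str
    amount: float
    signoffs: dict = field(default_factory=dict)   # step -> signer
    check_issued: bool = False

    def next_step(self):
        """First step not yet signed off, or None when all three are done."""
        for step in STEPS:
            if step not in self.signoffs:
                return step
        return None

    def sign_off(self, step, signer):
        """Record a sign-off, enforcing step order and one person per step."""
        expected = self.next_step()
        if expected is None:
            raise PolicyViolation(f"{self.order_id}: all steps already signed")
        if step != expected:
            raise PolicyViolation(f"{self.order_id}: expected {expected} "
                                  f"sign-off, got {step}")
        if signer in self.signoffs.values():
            # The same individual must not sign off at two points.
            raise PolicyViolation(f"{self.order_id}: {signer} already signed "
                                  "another step of this order")
        self.signoffs[step] = signer

    def pay(self, payer):
        """Issue the check. Allowed only after purchasing and receiving were
        signed off, and only by a third, distinct person."""
        self.sign_off("paying", payer)   # enforces ordering and distinct signer
        self.check_issued = True
        return self.check_issued


def run_scenarios():
    """Constructed scenario: one compliant order and two rejected attempts.
    Returns a dict of outcomes so the behaviour can be checked."""
    results = {}

    ok = PurchaseOrder("PO-1001", 4200.00)
    ok.sign_off("purchasing", "alice")
    ok.sign_off("receiving", "bob")
    ok.pay("carol")
    results["compliant"] = ok.check_issued

    # The same person tries to sign both purchasing and receiving.
    dup = PurchaseOrder("PO-1002", 980.00)
    dup.sign_off("purchasing", "alice")
    try:
        dup.sign_off("receiving", "alice")
        results["same_signer_twice"] = "allowed"
    except PolicyViolation:
        results["same_signer_twice"] = "rejected"

    # Payment attempted before the goods were received.
    early = PurchaseOrder("PO-1003", 150.00)
    early.sign_off("purchasing", "dave")
    try:
        early.pay("erin")
        results["pay_before_receipt"] = "allowed"
    except PolicyViolation:
        results["pay_before_receipt"] = "rejected"
    results["early_check_issued"] = early.check_issued
    return results


if __name__ == "__main__":
    for rule, outcome in run_scenarios().items():
        print(f"{rule}: {outcome}")
```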

Other integrity techniques address the prevention and control of errors and omissions and the effects of program changes. Integrity policies have not been studied as thoroughly as confidentiality policies. Software mechanisms put in place to preserve integrity tend to be ad hoc and do not flow from existing integrity models.

Availability
Availability is the requirement that systems work promptly and that service is not denied to authorized users. From an operational perspective, this requirement refers to an acceptable response time and/or guaranteed bandwidth. From a security point of view, it refers to the ability to defend against and recover from a damaging event. The existence of well-functioning computer networks (for example, for long-distance calls or airline reservations) is essential to the operation of many large companies and even to the preservation of life (for example, air traffic control or automated medical systems). Contingency planning is concerned with identifying risks and implementing measures to prevent or recover from adverse events that could make the system unavailable.

Conventional contingency planning to ensure availability usually considers only responses to acts of God (for example, earthquakes) or unexpected man-made events (for example, a toxic fume leak preventing entry to a facility). Even so, contingency planning must also include responses to deliberate actions, not merely acts of God or accidents, and as such must provide a clear assessment of the threat based on a model of a particular adversary, not on a probability distribution of natural events.

For instance, a clear availability rule is generally stated as follows: "On average, the terminals will be down for less than 10 minutes per month." A specific terminal (for example, an automated teller machine or a reservation agent's keyboard and screen) is up if it responds correctly to a routine service request within one second; otherwise it is down. This policy means that the up time at each terminal, averaged over all terminals, must be at least 99%.

A security policy to ensure availability usually takes a different form, as in the following example: "No input to the system by any user who is not an authorized administrator shall cause the system to cease serving other users." Notice that this rule says nothing about system failures, except to the extent that they may be triggered by user behavior. Instead, it identifies a specific threat, a malicious or incompetent act by a regular system user, and requires the system to survive that act. It says nothing about other ways in which an outside party may deny service, for example by cutting a telephone line; a separate statement is required for each other attack, expressing the degree to which resistance to that threat is considered essential.
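The quantitative availability rule quoted above (up if a routine request is answered within one second, under 10 minutes of down time per terminal per month, at least 99% up time averaged over all terminals), as an added example that is not part of the original paper. The probe records and the one-probe-per-minute sampling are constructed assumptions of this example.

```python
"""Checking the availability rules quoted above against a month of probe
samples. Added illustration, not code from the original paper. A terminal is
"up" for a probe if it answers a routine request within one second; each
terminal's down time must be under 10 minutes per month; and up time averaged
over all terminals must be at least 99%. Probe records are constructed, and
one probe per terminal per minute is an assumption of this example."""
from collections import defaultdict

RESPONSE_LIMIT_S = 1.0          # up if it responds within one second
MAX_DOWN_MIN_PER_MONTH = 10     # "down for less than 10 minutes per month"
MIN_AVERAGE_UPTIME_PCT = 99.0   # "at least 99%"
PROBE_INTERVAL_MIN = 1          # assumption: one probe per terminal per minute


def evaluate(probes, probe_interval_min=PROBE_INTERVAL_MIN):
    """probes: iterable of (terminal_id, response_seconds); None means no reply.
    Returns per-terminal figures and whether each policy rule is met."""
    counts = defaultdict(lambda: {"up": 0, "down": 0})
    for terminal, response in probes:
        up = response is not None and response <= RESPONSE_LIMIT_S
        counts[terminal]["up" if up else "down"] += 1
    if not counts:
        raise ValueError("no probe records to evaluate")

    per_terminal = {}
    for terminal, c in counts.items():
        total = c["up"] + c["down"]
        per_terminal[terminal] = {
            "uptime_pct": 100.0 * c["up"] / total,
            "down_minutes": c["down"] * probe_interval_min,
        }
    average_uptime = (sum(t["uptime_pct"] for t in per_terminal.values())
                      / len(per_terminal))
    worst_down = max(t["down_minutes"] for t in per_terminal.values())
    return {
        "per_terminal": per_terminal,
        "average_uptime_pct": average_uptime,
        # "less than 10 minutes" is a strict bound
        "rule_10_minutes": worst_down < MAX_DOWN_MIN_PER_MONTH,
        "rule_99_percent": average_uptime >= MIN_AVERAGE_UPTIME_PCT,
    }


def sample_probes():
    """Constructed month of probes for three terminals, one probe per minute."""
    month_minutes = 30 * 24 * 60   # 43200 probes per terminal
    probes = []
    for minute in range(month_minutes):
        # ATM-1: five slow replies (1.8 s) during the month, each counted as down.
        probes.append(("ATM-1", 1.8 if minute % 8640 == 0 else 0.2))
        # AGENT-2: twelve missing replies in a row, i.e. twelve minutes down.
        probes.append(("AGENT-2", None if minute < 12 else 0.4))
        # ATM-3: always answers promptly.
        probes.append(("ATM-3", 0.3))
    return probes


if __name__ == "__main__":
    report = evaluate(sample_probes())
    for terminal, stats in sorted(report["per_terminal"].items()):
        print(f"{terminal}: {stats['uptime_pct']:.3f}% up, "
              f"{stats['down_minutes']} min down")
    print(f"average up time {report['average_uptime_pct']:.3f}%")
    print(f"10-minute rule met: {report['rule_10_minutes']}, "
          f"99% rule met: {report['rule_99_percent']}")
```

In the constructed sample the 99% average is met while the 10-minute rule is not, which shows why a policy should state both the per-terminal bound and the averaged one.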

Security Policy to Protect the Data Center Resources

Data center security is the collection of procedures, precautions and practices implemented to prevent unauthorized access to and misuse of data center resources. The data center hosts business applications and data, which is why having a proper protection system is important. Denial of service (DoS), theft of sensitive data, data modification and data destruction are a few of the main security concerns affecting data center environments. The process of securing a data center involves both a systematic system review approach and an ongoing effort that improves security standards as the data center evolves. The data center is continuously changing as new technologies or services become available, and threats are becoming more complex and more frequent. These developments call for a continual assessment of security preparedness.

The rules governing the implementation of protection in the network, such as the data center, are a key component of a security preparedness assessment. The specification covers both the design of best practices and the specifics of implementation. Consequently, protection is also seen as a major element of the main technology requirement. Since the main duty of a data center is to ensure the availability of services, data center management structures also consider how their protection affects traffic flows, disruptions and scalability. Because security procedures differ according to the nature of the data center, its unique characteristics, compliance criteria or the corporation's business objectives, there is no set of standard measures that covers all potential scenarios.

Data center security usually takes two forms: physical security and virtual security.

Physical Security
Physical protection controls for a data center depend on the size of the center. Data centers also hold a significant amount of IT equipment, switches and routers, power and cooling infrastructure, and communication devices. Such devices can be stored in a cabinet, which can be secured simply with a working lock, or in a warehouse, where additional physical protection measures such as badge entry, video monitoring, alarms or security officers may be more suitable. Fire prevention is another physical safety issue. Since the data center contains sensitive electronic devices, chemical fire extinguishers are a safer option than fire sprinklers.

Virtual security
Most data centers now use virtualization technology, which allows data center servers, network and storage to be abstracted. This abstraction allows IT managers to manage data center resources remotely, use software to run data center operations, and distribute workloads across multiple servers as required. Some data centers use virtualization technologies to connect to and use cloud services as part of their data center infrastructure. Using virtualization or cloud solutions to organize and operate a data center provides flexibility, but also makes the data center more exposed to cyber threats. Some data center network software protects part of an offering or is built to work with other virtual security resources such as firewalls and intrusion prevention and detection systems. IT administrators can use this software to develop policies that classify users and decide which users may enter the data center. Two-factor authentication, where a user is verified by asking for something they know (such as a password) and something they have (such as a mobile phone), is a trusted mechanism that IT departments can use to ensure that only approved users have access to a network linked to a data center. Data center protection software not only prevents unauthorized users from accessing or stealing confidential data; it can also be used to back up data in the data center to protect it from destruction.

Vulnerabilities and Common Attacks
Cyber attackers use a range of methods to gain entry to data centers. Social engineering attacks target users, tricking them into choosing poor passwords or otherwise enabling illegitimate users to get in. Unsuspecting users can install malware such as ransomware, which prevents legitimate users from signing in and holds the system hostage until the perpetrators are paid. Weak credentials are another way for cybercriminals to exploit users who are not careful about security in order to gain entry to a data center. To keep data centers secure, IT administrators must inform their users about the various types of threats and enforce good user security practices. Users are not the only weaknesses on the network. Improperly designed networks or protection software can also allow cybercriminals to enter a data center. Cyber attackers may shut down a poorly designed application or database either by flooding it with requests or by sending it traffic it was not designed to handle. Data centers are often subject to "spoofing" attacks, where the true source of malicious traffic is hidden. In IP spoofing, a packet appears to come from a trusted entity and passes as legitimate to gain access to a private system. Firewalls are the only way to defend against IP spoofing threats.

Security Policy to Educate Staff to Protect Company Data

It is vital to ensure that workers are aware of the risks they face and the part they play in maintaining the company's security. Managers and staff must follow their duties, such as keeping strong passwords and passphrases, knowing how to recognize and prevent cyber-attacks, what to do when they experience cyber threats, and how to report cyber-attacks.

Here are some areas in which we can secure the data and resources of the organization:

- Back up your data
- Secure your devices and network
- Encrypt important data
- Make sure you use multi-factor authentication (MFA)
- Manage passphrases
- Monitor use of computer equipment and systems
- Put policies in place to guide your staff
- Train your staff to be safe online
- Protect your customers
- Consider cybersecurity insurance
- Get updates on the latest risks
- Get cybersecurity advice

Scope and Purpose of Security Policy

PURPOSE
This Data Security Plan aims to clearly define the role of the University in securing its data assets and to convey minimum standards for ensuring that the required. The achievement of these goals enables St. Lawrence University to introduce a robust system-wide Data Safety Policy (see the Guide to the New York Six Information Security Management System (ISMS) text).

SCOPE
The scope of this policy covers all data assets under the authority of the University. All staff and service providers who have access to or use the data assets of the University, whether data at rest, in transit or in processing, shall be subject to these requirements. This policy extends to all information assets managed by the University; to all data assets provided to the University under contract, according to the contract's terms and obligations; and to all user authentication for information assets of St. Lawrence University.

All third parties with access to non-public information shall operate in compliance with a service contract that includes security requirements compatible with, but not restricted to, the requirements of the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the New York State Information Security Breach and Notification Act and the Payment Act.

Mandatory Requirements for Rules or Actions
Who is responsible for protecting the organization's information? Perhaps the Department of Research and Evaluation? Not exactly. The staff of the Management Information System (MIS)? Wrong again. At the end of the day, not only individual workers or departments are responsible for the protection of sensitive information, but the organization itself. It is also the responsibility of the top managers, who are charged with protecting the best interests of the organization, to ensure that an acceptable and effective security policy is established and implemented within the organization.

Although policies themselves do not solve problems, and can in fact make matters worse unless they are clearly written and implemented, a policy does describe the ideal toward which all organizational efforts should be directed. A security policy consists of transparent, detailed and well-defined plans, rules and practices governing access to the organization's systems and the data on them. Good policy safeguards not only information and processes but also individual workers and the organization. It also serves as a key message to the outside world about the organization's dedication to security.

Example
Like many people, Fred Jones felt he had a tough job to do. As the Data Systems Administrator in a small school district, he was responsible for managing a district-wide computer system, with duties ranging from installation and repair to user education and assistance. Although it was not a one-man job, he was a one-man staff. Fred had tried to show his supervisor that the district network was vulnerable to a range of attacks because his limited budget and lack of resources kept him from adequately managing system security, but his concerns had still been dismissed.

One morning at a staff meeting, much to Fred's surprise, the administrator announced that he had read a newspaper story about a student hacking into the computer network of a nearby school district and modifying report card information. He went on to announce that Fred had been tasked with designing and implementing an information security policy for the school system.

As soon as the meeting was over, Fred approached the supervisor to seek an opportunity to agree on a common vision for implementing the security policy. "A successful security policy needs feedback and dedication from the entire company, so I think we must sit down and plan out a strategy to improve our security plan," Fred said.

However, the supervisor declined the offer to take part in the policy formation phase. "Fred, I'm just too exhausted to get interested in the project. I believe you will do a job that will make all of us proud." When Fred asked to expand his staff and budget to meet the growing demand, the administrator again dismissed the matter. "Fred, times are hard and the budget is lean. Maybe we will be able to figure something out next year. In the meantime, get cracking on protecting our system as if your job depends on it. I think your job depends on it."

Fred watched his unreasonable, if well-intentioned, boss walk away, realizing that his job was no longer hard but impossible. He now had to create, define, maintain and enforce an organization-wide security policy without help, approval or buy-in from a single high-level administrator, much less an authorized one. He knew that the organizational support he had failed to obtain meant there was no hope he could successfully protect the system, and that it was only a matter of time before a major security breach took place. Fred found himself in the horrible position of being accountable for preventing the inevitable, but unable to do so.

Conclusion
We can conclude from the above that a security policy is designed to protect the main systems of a company or organization. To protect its information, the organization first sets out in writing how it will protect itself from cybersecurity attacks and other threats, and how it will handle them when they occur. For this purpose we choose different types of policies, which ensure, for example, that no confidential company material is made available and that personal material on the website is kept to a minimum. The three main principles are confidentiality, which means keeping sensitive information secret; integrity, which means that information can be changed only in an authorized manner; and availability, which means that the system works promptly. Since a security policy is also designed to protect the data center, security there is provided by two methods, physical and virtual: physically, data is protected by physical locks, such as in warehouses, and virtually, by software that can be managed remotely on servers. The policy also protects against common attacks carried out by social engineering, such as attempts to find out passwords and change them. Therefore, in the end, we can say that these policies are made to protect against attacks, but our staff should also be able to respond if they find that someone is attacking the system. They should have a backup of the data in case someone succeeds in breaching the system and stealing the data.

