As we are proceeding ahead, and we have two more topics to be covered to complete this Sample I.T Security Policy, hope fully it will be good and useful to you all. I would like to have some comments which may boost my morale to take up more interesting things in future. Here we are with Data Security.
“IS” CONSIDERED THE FOLLOWING:
1. Create a strong backup & Disaster recovery strategy and test backups regularly.
2. Create separate partitions for the Windows System files and the volume the server will share. Then don’t share the system boot partition, share only the empty volume created for file storage.
3. Implement strong permission-based security for all files stored on the server.
4. Never use the FAT file system on the hard disk of a Windows computer when security is a concern.
5. Remove default assignments to the everyone group.
6. Repair damaged drives in mirror or stripe sets as soon as possible.
7. Store backup tapes in a waterproof, flameproof safe in the server room. If tapes must be moved off site, be certain security measures are in place to prevent their being compromised while off site.
8. Use disk mirroring or duplexing for critical data. Use duplexing when possible.
9. Consider using hardware RAID, which is faster and is independent of the operating system.
10. Consider using SAN for huge amount of data.
11. If the server’s physical security could be compromised in any way, and the data on the disk warrants protection, use file system encryption.
12. Use file system encryption to protect sensitive data when operating system features are not effective (when the hard drive has been removed or the operating system has been replaced).
13. For extreme fault tolerance, consider using a third -party server replication system.
14. Access to information and documents is to be carefully controlled; ensuring that only authorized personnel may have access to sensitive information.
15. With poor or inadequate access control over your documents and files, information may be copied or modified by unauthorized persons, or become corrupted unintentionally or maliciously.
16. High risk systems require more stringent access control safeguards due to the confidentiality of the information that process and / or the purpose of the system e.g. the funds transfer used by banks. Ideally, the operating systems for such systems should be hardened for further enhance security.
17. Properly mark proprietary and confidential documents. The confidential markings can be minimized if they are seen on routine documents. Mark only proprietary documents, not everything.
18. Track printouts from any computer. Have confidential and proprietary markings automatically put on every printed proprietary document.
19. Limit access to source code; limit physical access to documents.
20. Access to data and information is at the heart of every set of Information Security Policies. Inappropriate access to data may contravene Organization policy and infringe legal regulations.
21. The right to access systems and data is based upon identified and approved business needs and should be withdrawn when the need ceases.
22. Denying unauthorized person’s access, both physical and logical, to the Organist ion systems is part of an effective Information Security process. Physical access to the data centre or computer room’ should always be restricted to authorized persons only.
23. However, data access goes beyond access to PCs and servers; it also includes access to written and printed information on the desks of personnel, notes pinned to notice boards etc. Access to such information must also be controlled. Traditionally, door locks and keys ensured security; nowadays, even greater security can be provided by electronic keys, biometrics with the additional benefit that they may also monitor and record access attempts.
24. Where user’s access rights and privileges are not documented, information security may be compromised.