
Case Study in IT Security Management - Part 5: Implementation, Maintenance, and Conclusion

Updated on December 28, 2011

Published: November 30, 2011

Maintenance Plan

Maintenance should be part of any ongoing IT initiative. The Pace Heating Security Management Program includes this Maintenance Plan to help ensure the relevance of security related solutions throughout the remaining life of the organization.

Policies and Procedures

Security management and controls for Pace Heating have, as stated earlier, been somewhat lax in the past. Therefore, the development of policies and procedures is called for. The necessary policies and procedures to protect the information assets of Pace Heating are as follows:

  • Acceptable Use Policy
  • Strong Password Policy
  • VPN Security Policy (relevant to contractors with VPN access)
  • Employee No-Compete Policy
  • Protection of Confidential Information Policy
  • Physical Security Procedures
  • Incident Response Procedures
  • Vendor Remote Access Procedures

User awareness training is especially needed for the entire organization. Employees are likely to resist any implemented changes, especially in regard to access controls, so training is necessary to increase awareness and aid user understanding and acceptance of the new policies. The areas to be covered by the awareness training include general security awareness, password policies, acceptable use, and physical controls.

Standards and Guidelines

"Standards help to ensure consistency across Web sites and applications" (U.S. Department of Health and Human Services, n.d.). Standards have been implemented in the realm of the Shaffer Software application but are largely non-existent across the rest of the organization. A Standard Operating Procedure should be developed and applied to security related issues. Standard forms should be developed and used in the areas of incident reporting, user account creation, and change management.

Guidelines provide suggestions for making decisions and would be relevant in the area of employees' Internet access. Employees are permitted to casually surf the web on occasion but should receive guidance on the types of content that are appropriate to retrieve from the office setting. These usage guidelines should specifically list content that should be avoided.

Change Management

Change management to the infrastructure or applications that support Pace Heating will be conducted in the following manner:

  • A change request log will be established by the Office Manager to track all changes.
  • All change requests submitted via change request form will be assessed to determine possible alternatives and costs.
  • Change requests will be reviewed and approved by the Company President.
  • The change request log will be updated to reflect current status of change requests.
  • Approved changes will be implemented and the changes documented.

Vendors who access the information assets of Pace Heating should also be held accountable for complying with change management and control procedures. Past incidents of software vendors changing production applications with no prior approval or authorization must not reoccur.

Life-cycles

The equipment and software that support the mission of Pace Heating and Air Conditioning are affected by varying life-cycles. Hardware life-cycles vary from five to ten years, while the life-cycle of the main application employed by Pugh is much shorter. Life-cycles affect the maintenance plan chiefly through upgrades and change control.

The most critical portion of life-cycle management for this organization will be to enforce the change control policies and procedures on Shaffer Software, an organization that has demonstrated a position of indifference where the security procedures of clients are concerned.

Implementation Plan

Developing policies, procedures, standards, and guidelines is a worthy endeavor but employees must be made aware of the changes and how those changes affect their jobs. Employees must also agree to the terms of the newly created requirements and this is where implementation comes in. According to Heathfield (2009) the simplest method to implement policies and procedures is to gather the organization together as a group, present the planned changes, distribute the documents, and obtain employee sign-off on each of the changes.

This implementation plan would be effective for each of the proposed sections of this maintenance plan. After the initial plans have been implemented, the new documents would be contained in the policies and procedures manual for the organization and this manual would then be referenced for recurring training and employee orientations.

Conclusion

Pace Heating and Air Conditioning, Inc. has been successfully providing HVAC services to customers in Eastern Ohio since 1939. The organization operates in an environment of mutual trust between the employees and the organization. This environment of trust, however, has led to a relatively lax security posture, and the organization should put in place more stringent controls in keeping with due diligence and due care best practices. Specifically, the lack of physical and access controls should be addressed.

Losses from major catastrophes have been somewhat mitigated by dispersing the fleet and implementing a BDR solution to protect the data. However, arrangements should be made to temporarily conduct business elsewhere in the event that the facility was destroyed.

Pace Heating should also review the organization's insurance policies and fill in the gaps between what is covered and what should be covered. Although insurance is not a disaster recovery method, maintaining the proper amount of insurance would help recover some of the losses.

While trust may be a good thing to some extent, Pace Heating has placed no restrictions on how employees may use technology and information assets while at work. Some of this trust must be redirected and some security controls put in place. The need is demonstrated for both physical and technical controls to protect the organization.

Implementing the incident handling and reporting sections of this plan would be a good first step in moving toward a more secure environment. User awareness training and the enforcement of physical and technical controls would cap a program to provide a layered security approach for Pace Heating and Air Conditioning.

Lax security controls and procedures have placed Pace Heating in serious breach of its due diligence and due care obligations under various legal and regulatory requirements. Recent legislation mandates that certain controls be in place to protect private information, and the organization is not complying with those laws and regulations.

An outside audit of the gap between Pace's existing controls and those controls necessary for compliance is called for. The organization should then enforce the controls recommended as a result of such an audit.

As a well-defined and developed program, the Pace Heating Security Management Program includes a maintenance plan to maintain the relevance of the program throughout the life-cycle of the organization. One undeniable constant for any organization is change, and the maintenance plan helps ensure that the security program remains relevant in the face of ongoing changes.

References

Harris, S. (2008). All in One CISSP Exam Guide (4th Ed.). New York, NY: McGraw-Hill.

Heathfield, S. M. (2009). How to develop a policy: Write, implement, and integrate the policy. About.com: Human Resources. Retrieved December 5, 2009 from http://humanresources.about.com/od/policiesandsamples1/a/how_to_policy_2.htm

International Information Systems Security Certification Consortium, Inc., (2009). (ISC)2 code of ethics. Available from http://www.isc2.org/ethics/default.aspx

Moteff, J. (2004). Computer security: A summary of selected federal laws, executive orders, and presidential directives. Congressional Research Service. Available from http://www.fas.org/irp/crs/RL32357.pdf

Shafer’s Service Systems (2009). Integrated solutions for managing your service/contracting business. Available from http://www.shafers.com

Slater, D. (2009). Business continuity. CSO. Retrieved November 12, 2009 from http://www.csoonline.com

U.S. Department of Health and Human Services (n.d.). HHS web strategies, guidelines & guidance. Retrieved December 6, 2009 from http://www.hhs.gov/web/policies/standards/index.html

Zenith Infotech, Ltd. (2009). Business continuity for the SMB. Available from http://www.zenithinfotech.com/bdr_sol.asp
