We are a 100-person strong business dedicated to the production of media, most specifically short animations, for advertising clients worldwide. Our personnel include marketing specialists, visual designers, video editors, and other creative staff.
This security plan encompasses the general and pragmatic characteristics of the security risks expected for our business and the specific actions that aim to, first and foremost, minimize such risks, and, if that's not possible, mitigate any damage should a breach in security happen.
The measures to be taken and the assigned responsibilities stated in this document apply to all the departments that make up the company. Exemptions can be given but will be only under the prerogative of the CEO under the consultation of the Chief Security Officer that will be formally assigned after the finalization of this document. Otherwise, there will be no exception to the security measures stated in this document.
Section 2. Preliminary Assessment
Each individual in the company is assigned a desktop computer with OS and systems specifications dependent on the nature of work of the personnel. The creative staff uses Apple G5 desktops with OS X installed, while the general staff are assigned Windows XP-enabled workstations. All desktops computers have email, Web, database access, and office productive software installed.
There are servers that are utilized specifically for Internet connection, file and print sharing, email, database and 3D rendering. Twenty (20) dual-core processor Xeon servers running Red hat Linux 9.0 are employed for rendering high-resolution video animations. The database and email servers are on Windows Server 2003 running Microsoft Exchange. The Internet and resource sharing servers (i.e. file and print sharing) run on Red Hat Linux 9.0.
3. Internet and Network connection
A 10 mbps connection on a SOHO firewall doubling as a DHCP server is the primary web access of the company. The firewall secures the network from outside intrusions but allows access via email, web, and secure FTP through the servers. The network is TCP/IP based and utilizes Cisco routers and switches. Guests who use laptop computers could obtain an IP from the DHCP server when needed.
4. Other Hardware Setup
Both Cisco and Hewlett-Packard Ethernet hardware are used in the setup. Server equipment is stored in one server room. Printers are installed in strategic places in the office area.
Besides the physical property and tangible products in the office, the main assets of the company are primarily:
The animation shorts which are the primary products of the company
Storyboards, drafts, and pre-production materials utilized in the creation of the final animation shorts.
Email and other database-related information that are utilized for company operations, including vendor and client communications, in-house notes, and other pertinent documents.
Records of client and supplier transactions and other financial information
Software and other virtual goods developed within the scope of the company
Access to the assets is determined on a need-to-know basis, with master access only given to the CEO and COO of the company. Departmental access are given to important data or materials that are pertinent to the direct responsibilities of the department.
Section 3. Risks and Priorities
The following risks are seen as key threats to the company ecosystem:
1. Direct Outside Intrusion (High Risk, High Priority)
Hacking, malware intrusion (e.g. viruses, worms, Trojan horses), and other malicious actions are high risk possibilities for the company given its dependence on the Internet connection. This is an expected threat given the nature of the World Wide Web and the software setup utilized for the business.
Examples: Viruses, Social Engineering, Trojan Horses via email
2. Espionage and Industrial Sabotage (High Risk, High Priority)
Given the nature of the primary products of the company, there is a possibility of theft of intellectual properties, either physical or virtual, with either network-related acts or brick-and-mortar footwork. Aside from this, sabotage could also be a possibility given the competitive nature of the field.
Example: A disgruntled employee obtaining confidential information for a rival company
3. Social and Internal Threats (Low Risk, Medium Priority)
The widespread use of online social networks has made it necessary to be vigilant of the movements of employees, especially for circumstances that increase the risk of disclosure of confidential data. There is also the possibility that employees might also unwittingly expose confidential information through physical means.
Examples: Leaving documents lying around, Posting status updates related to confidential company information
4. Accidents and Disasters (High Risk, Medium Priority)
There will always be the risk of accidents and natural disasters that could undermine the company's capacity to finish its projects.
Examples: Network crash, floods, Project Deletion
Given the risks, the following categories of priorities would be applicable to the company situation:
1. Network intrusion fortification
This includes strengthening the network against malware attacks and hacker-directed intrusions against the company servers.
2. Employee education
It is important that all employees are trained not only to be aware about the general security precautions pertinent to the company situation but also to understand non-specific roles that they could take should a breach occur. An example of a behavior important in this regard is the usage of strong passwords for logins and related precautions when downloading files from the Internet.
3. Internal security
The prevention of theft of all the assets of the company is a high priority objective for it is with these materials -- virtual or otherwise -- that the company's primary products revolve around. This also includes placing precautions against employees knowingly or unknowingly disclosing or obtaining the said materials.
4. Safeguards against disasters and accidents
Natural disasters are certainly hard to prevent given the scope of the company's resources but accidents can be guarded against and measures could be taken to lessen the extent of damages. For example, backups of critical documents or files could be done frequently and to an offsite location.
Section 4. Security Plan
Based on the assessment, the following security plan is recommended for the company:
Fortifying Against Network Intrusion
1. All Windows-based computers must have approved antivirus and antispyware programs installed.
2. All computers should be configured to obtain automatic updates. All Windows-based computers should be updated to Windows XP Professional with Service Pack 2.
3. All servers and desktops must run host-based intrusion detection software.
1. All employees should demonstrate thorough knowledge of the security precautions related to their computer usage and the general security needs of the company
2. User training will be provided for employees for matters that will cover:
a. The basics of online security
b. The basics of workstation security
c. Password basics including how to create strong keys
d. Computer security
e. Hacking and malware threats (e.g. phishing, Trojans)
f. Security routines (virus prevention, purging of files)
g. Secure Internet browsing
h. Secure email and file downloads
i. Social engineering or how hackers obtain data without even using software tools
j. Company policies related with all security protocols.
k. Company policies that specific to curbing noncompliance (i.e. consequences of not following security protocol)
l. Key roles in the security plan
1. All email must be made secure so it cannot be inadvertently sent to the wrong party or intercepted.
2. Clients may use the secure FTP server to send and receive multimedia files but shouldn't have access to files that are not related to them.
3. Password aging -- the forced replacement of passwords after a given time period -- should be implemented for all desktops and servers.
4. Configure desktops to force user logouts on the event that the workstation becomes idle for more than 5 minutes.
5. Personal printers should be assigned to people who mostly hold confidential or critical documents to prevent the opportunity for theft, disclosure, or espionage.