Create User Policy

Learning Objectives and Outcomes

Create a report detailing user access policies based on research.

Explain the details of user policy creation in organizations.

Scenario

You work for a large, private health care organization that has server, mainframe, and RSA user access.

Your organization requires identification of the types of user access policies provided to its employees.

Sean, your manager, just came into your office at 6:00 p.m. on Friday and asks you to write a report detailing these user access policies. He needs you to research a generic template and use that as a starting point from which to move forward. He wants you to complete this task over the weekend as he has just been given a boatload of tasks in the management meeting which ended a few minutes ago. He is counting on you to take some of the load off his shoulders. The report is due to senior management next week.

Assignment Requirements

Look for existing policy templates and examples from organizations of similar type.

Write a report detailing these user access policies based on your research, and place them into a table with an introduction explaining the following: who, what, when, why. Be sure to add a conclusion with a rationale for your selection.

Reference your research so Sean may add or refine this report before submission to senior management.


Answer Preview

Answer:

User Access Policy (Ruskwig, 1996-2015)

Purpose: The purpose of this User Access Policy is to maintain an acceptable level of security by protecting RSA Health Care data and information systems from unauthorized access. This policy defines the rules necessary to achieve that protection and to ensure the secure and reliable operation of RSA Health Care information systems.

Policy:

  1. A user account (a username and a password) for each (Rivest, Shamir and Adleman) user, with appropriate privilege level, is created on the domain controller/authentication server; only these user accounts can be used to log into any of the computers that are members of the domain.
  2. Each individual employee of the company is also assigned an email account.
  3. The IT manager assigns a unique user name to each individual using one of the following conventions: Firstnameandlastname or Firstnameandlastnamefirstcharacter or SameAsEmailAccount@RSAHealthCare.com
  4. The IT manager shall create all computer user accounts.
  5. Identity is verified as part of our employment and hiring process. For each employee, the affected user account(s) will be deactivated (or, at a minimum, passwords changed) once employment with the company has been terminated.
  6. Only authorized users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights.
  7. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
  8. Affected Individuals: This policy affects all employees of RSA HealthCare and all contractors, consultants, temporary employees and business partners.
  9. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.
  10. Affected Systems: This policy applies to all computer and communication systems owned or operated by RSA HealthCare.
  11. This policy applies to all platforms (operating systems) and all application systems.
  12. Entity Authentication: Any user (remote or internal) accessing RSA HealthCare networks and systems must be authenticated. The level of authentication must be appropriate to the data classification and transport medium. Entity authentication includes, but is not limited to, automatic logoff, a unique user identifier and at least one of the following:
  • Password
  • Personal identification number
  • Telephone call back response

IT Infrastructure Policy (Info-Tech Research Group, 1997-2015)

Purpose: The purpose of this policy is to give information systems a higher level of security through configuration control and enhanced security capabilities. Achieving this goal means effectively controlling threats to vulnerabilities that cannot be mitigated by the capabilities built into RSA Healthcare's information systems, and which could otherwise compromise the security of the company's information systems.

Scope: This IT Infrastructure Policy applies to all deployed security systems that protect RSA Healthcare's physical and information property, which includes:

  1. All perimeter protection platforms, such as firewalls
  2. All malware protection platforms, such as anti-virus and anti-spyware software
  3. All intrusion detection/prevention platforms
  4. All data protection platforms, such as encryption or content filters
  5. All dedicated security systems

Policy:

  1. Boundary protection systems (firewalls) will protect boundary network access points.
  2. Boundary network access points will also be protected by monitoring and/or intrusion prevention. This system will monitor events, detect attacks, and identify unauthorized use of information systems. It will be configured to monitor inbound as well as outbound communications.
  3. Malware protection will be used for all information systems. The malware protection will operate at these levels: the network boundary, e-mail, all other communication systems, and all workstations, servers and other endpoints in the infrastructure.
  4. All information systems, as well as the boundary network access points, will be protected by data protection platforms that monitor, control and restrict the flow of data into and out of the systems and into and out of the network.

Procedures: Configure the information security infrastructure appropriately and maintain it.

  1. Firewalls are to be configured to block by default, with explicit exceptions for both inbound and outbound traffic.

Inbound rule: Block all access from outside except responses to requests from the LAN side.

Outbound rule: Allow all access from the LAN side to the outside.

NOTE: The IT manager will configure any other inbound and outbound firewall rules as needed.

  2. Update anti-malware automatically, on a regular basis or whenever the manufacturer releases updates.
  3. Configure intrusion detection/prevention systems to monitor all inbound and outbound traffic and scan for irregular traffic signatures and patterns.
  4. Configure data protection mechanisms to monitor and restrict the flow of sensitive or confidential data using these mechanisms:
  • Configure content filtering systems to restrict the inbound flow of data.
  • Configure data leakage prevention systems to restrict the outbound flow of data.
  • Configure data encryption on all portable devices, back-up devices and any other data storage devices that hold sensitive or confidential information.
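The firewall rules in procedure step 1 (default deny, inbound limited to responses to LAN-originated requests, outbound allowed from the LAN) can be written as a stateful ruleset. The following nftables ruleset is an added illustration and is not part of the original answer or of any cited template. It assumes a Linux firewall running nftables with eth0 facing the Internet, eth1 facing the LAN, and 192.168.10.0/24 as the LAN prefix; those names, the LAN-only management exception on TCP port 22, and the log prefixes are assumptions, not part of the policy text.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original answer): nftables ruleset implementing
# "block by default; inbound only responses to LAN requests; outbound allowed".
# Interface names, the LAN prefix and the SSH management exception are assumed.

flush ruleset

define WAN_IF = "eth0"
define LAN_IF = "eth1"
define LAN_NET = 192.168.10.0/24

table inet perimeter {
    # Traffic addressed to the firewall host itself
    chain input {
        type filter hook input priority filter; policy drop;

        # Responses to connections the firewall itself initiated
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Management from the LAN side only; any further exceptions are added
        # by the IT manager, as the policy's NOTE provides
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 22 accept

        # Everything else arriving from outside is blocked and logged so the
        # intrusion detection system (step 3) can see the attempts
        iifname $WAN_IF log prefix "perimeter-input-drop: " drop
    }

    # Traffic passing through the firewall between the LAN and the Internet
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Inbound rule: only replies to connections that the LAN side opened
        ct state established,related accept
        ct state invalid drop

        # Outbound rule: allow all access from the LAN side to the outside
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept

        # Unsolicited inbound connection attempts are dropped and logged
        iifname $WAN_IF oifname $LAN_IF log prefix "perimeter-forward-drop: " drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    # Hide LAN addresses behind the firewall's public address on the way out
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

The ordering matters: the `ct state established,related accept` line is what turns "block all access from outside" into "block all access from outside except responses", because reply packets belong to a connection the LAN side already opened and are accepted before the default drop applies. Loading the file with `nft -f` replaces the running ruleset, so it should be reviewed with `nft list ruleset` on a test host before being deployed to the boundary.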

Non-Compliance: Any violation of these policies or procedures will be considered a security breach and will be dealt with accordingly, depending on the nature of the violation.

  1. A written reprimand will be given for a minor breach.
  2. Suspension will be given to those who have incurred multiple breaches or a major breach.
  3. Termination will result from any major breach.