Analyzing Security Vulnerabilities And Threats In An Organization: Internet Usage Policy Guidelines

Literature Review

Analyse the Security Vulnerabilities and Threats in an Organization.

Security policies can be defined as set of rules and regulations that is obeyed by organizations in order to protect the organization from any type of harm. Every organization follows a set of policies that can be used to protect the organization from security issues.

An Internet Usage Policy can be defined as a type of control. This policy controls what the employees of an organization can access by using the internet. It also protects the users from any content that would affect the users in a wrong way.

This report outlines the Internet Usage Policy in depth. This report clearly defines the guidelines for the Internet Usage policy of organizations. It talks about the authorized and prohibited users.   This report also gives an effective guideline for usage of Internet in an organization.

Security Policy

Security policies are set of norms and regulations that are used for protecting information of an individual, community or a company (Banuri et al. 2012). This policy lays down rules that are to be obeyed by the employees of an organization. Every organization follows different security policies as per their requirements. Violation of these rules and regulations leads to penalty. The security policies are responsible for addressing the constraints on the conduct of the employees of an organization (Alam and Zhang 2012). Security is a crucial factor in the present generation of Internet. Every organization must obey it in order to protect itself from any kind of harm.

Internet Usage Policy

In this era of information and communication technology, every organization needs the access to Internet for running the business. Internet Usage Policy is a set of guidelines that restricts the access of internet for all the employees working in the organization (Bayuk et al. 2012). It makes sure that the internet is used only for the purpose of business purpose. The following services are allowed over the Internet in an organization:

• Sending files and documents for the use of business via File Transfer Protocol.
• Send or receive emails.
• Management has the control of allowing the employees to access certain services and restrict the usage of other services.

Need of Internet Usage Policy

It has been seen that the unmonitored usage of internet in an organization affects the organization in several ways:

• Productivity: Surfing different websites that are of no use to the business causes loss of productivity (Berger 2014). Employees will get involved in unprofessional activities and harm the business.
• Virus: Downloading unwanted files and documents affects the system with viruses. This will harm the system resulting in loss of important data.
• Inappropriate content: Surfing inappropriate content over the internet causes serious issues in the work environment. It hampers the ethics of the employees of a company.
• Transferring unencrypted business data causes serious insecurity to the business. If the sensitive data of a business is lost then it will harm the business in several manners (Cheng et al. 2013). The competitors can gain access to such information and outperform the company.

The above mentioned issues require an organization to use the Internet Usage Policy.

Policy

• Resource Usage: Based on the job description and role of an employee, they will be permitted to use the internet only for the purpose of business (Choyi and Vinokurov 2012). Change of unit of an employee to a non internet usage job will disallow the employee form accessing the internet.
• Allowed Usage: acceptable use of internet will include certain activities like communicating between employees for the purpose of work, downloading essential software, reviewing vendor websites, finding technical information and to carry out research.
• Personal Usage: Using the company’s internet for private use will lead to serious troubles that can even cause termination of the employee (Gouflidis, Mayridis and Hu 2014). Users should store their personal data at their own risk. All companies create an audit log that reflects the out-bound and in-bound addresses for the purpose of periodical review.
• Prohibited Usage: Dissemination, storage and acquisition of data that is illegal and inappropriate is prohibited (Ifinedo 2012). The company also prohibits the access to any kind of political related information and fraudulent activities. Employees must be access sensitive information related to the company and misuse it.
• Software License: Company adheres strictly to the license agreement that is provided by the vendor.
• Public Information Review: Directories those are publicly writeable are reviewed and also cleared every evening (Neisse, Steri and Baldini 2014). This also prevents the anonymous information exchange.
• Periodical Review: To be sure about the compliance with all policies, there is a review conducted on a monthly basis (Orr et al. 2012). Reviews are also conducted to check the effectiveness of the usage.

Criteria for Internet Usage Policy

There are certain criteria that must be maintained in order to have a successful Internet usage Policy.  The policy must be adaptable to any kind of change in the company (Knaap and Ferrante 2012). It must be flexible to meet the goals of the organizations. The policy that is adopted must always be enforceable (Ouedraogo, Bienner and Ghodous 2012). The policy should not be hidden and must help the employees to remember about their activities and also the implications if they break any rule. 

Security Policy

Steps for developing an Internet Usage Policy

Certain steps need to be followed to carry out the development process in a company. They are as follows:

• Initiation and establishment of the structure: First step should be to decide who will take the responsibility of making the rules ( Pieters, Dimkov and Pavlovic 2013).
• Research and gather all information that is needed to form such a policy.
• A draft policy must be prepared.
• The policy must be circulated before implementing it.
• Ratification is needed by the board of management.
• Next step is to implement the policy.
• Monitoring is the most important step in the process and must be done on a periodical manner.
• Evaluation of the effects of such policies must be carried out.

Benefits of the Internet Usage Policy

This policy has several advantages if they are monitored properly.  Some the benefits are as follows:

• It enables the employees to surf the Internet in a safe and secured manner.
• It makes sure that the employees are using the resources in a fair and legal manner (Safa, Von and furnell 2016).
• The intellectual properties are protected from any kind of harm.
• It also protects the privacy (Sommestad et al. 2014)

 In order to carry out this report a secondary and primary research is done. The primary research involves gaining knowledge from different experts. Data is collected by giving out questionnaires to several participants and analysis of the answers provided by the participants. The secondary research involves finding out information about several topics. The initial search was about finding about security policy and its use. Then the details about Internet Usage Policy are learned including the reasons for using such policies and the various types of Internet usage Policies (Vance and Siponen 2012). Secondary research also includes finding and setting appropriate guidelines for the effective usage of the Internet Usage Policy in an organization. Several criteria for developing a good Internet Usage Policy is also found out via the secondary research method.  The organizations needs are found out and also the government polices that are suitable for monitoring such internet usage as well as taking actions against any violation are found out. The organization must be aligned the government rules and policies with the Internet usage policy in order to protect the organization and improve its productivity. Research is also carried out to find the benefits of the Internet usage Policy in a company in details.

Guidelines for the effective usage of the Internet Usage Policy based on the findings of the literature review

The Internet Usage Policy should be applicable for all the employees working in an organization. There should be certain terms and conditions for the usage of internet in an organization (Wall, Palvia and Lowry 2013). Certain category or employees, depending on their roles and responsibilities must be exempted from certain restrictions and usage.

• Only official messages must be communicated among the employees for the purpose of the business operations.
• No personal usage should be allowed in order to enhance the productivity of the business.
• The company information must be sent to the outsiders.
• The employees must be explained about the need of such policy so that they can cooperate with the company.
• Access to any illegal data must be prohibited by the organization.
• A web monitoring software must be used to keep an eye of the activities of the users.
• If any employee is seen to violate the rules and regulations, then action must be taken against them.
• Employees shall be allowed to use the internet for downloading files that are related to the work and that agree with license of the vendor.
• The administration staffs should also follow certain rules and regulations and should not access the details about any employee in the network.
• Certain websites must be blocked by the organization in order to protect the company and its ethics.

Conclusion

This report concludes that the Internet Usage Policy is very effective for the proper functioning of a company. A code of conduct is followed by obeying this policy of using the internet. Internet usage in an organization must be restricted otherwise it hampers the productivity of the company in a severe way. It also protects the sensitive information of the company. This report gives a brief idea about the different internet usage policies like personal usage, resource usage and prohibited usage. This report also gives guidelines for the effective use of the internet usage policy in a company. This report also points out the benefits of using the internet usage policy in a company. This report also gives a brief outline on the steps and criteria for developing an internet usage policy.

References

Banuri, H., Alam, M., Khan, S., Manzoor, J., Ali, B., Khan, Y., Yaseen, M., Tahir, M.N., Ali, T., Alam, Q. and Zhang, X., 2012. An Android runtime security policy enforcement framework. Personal and Ubiquitous Computing, 16(6), pp.631-641.

Bayuk, J.L., Healey, J., Rohmeyer, P., Sachs, M.H., Schmidt, J. and Weiss, J., 2012. Cyber security policy guidebook. John Wiley & Sons.

Berger, T.U., 2014. Norms, Identity, and National Security. Security Studies: A Reader.

Cheng, L., Li, Y., Li, W., Holm, E. and Zhai, Q., 2013. Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39, pp.447-459.

Choyi, V.K. and Vinokurov, D., Alcatel Lucent, 2012. System and method of network access security policy management for multimodal device. U.S. Patent 8,191,106.

Gouglidis, A., Mavridis, I. and Hu, V.C., 2014. Security policy verification for multi-domains in cloud systems. International Journal of Information Security, 13(2), pp.97-111.

Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), pp.83-95.

Knapp, K.J. and Ferrante, C.J., 2012. Policy awareness, enforcement and maintenance: Critical to information security effectiveness in organizations. Journal of Management Policy and Practice, 13(5), p.66.

Neisse, R., Steri, G. and Baldini, G., 2014, October. Enforcement of security policy rules for the internet of things. In Wireless and Mobile Computing, Networking and Communications (WiMob), 2014 IEEE 10th International Conference on (pp. 165-172). IEEE.

Orr, D.B., Ptacek, T.H. and Song, D.J., Arbor Networks, Inc., 2012. Method and system for authentication event security policy generation. U.S. Patent 8,146,160.

Ouedraogo, W.F., Biennier, F. and Ghodous, P., 2012, April. Adaptive Security Policy Model to Deploy Business Process in Cloud Infrastructure. In CLOSER (pp. 287-290).

Pieters, W., Dimkov, T. and Pavlovic, D., 2013. Security policy alignment: A formal approach. IEEE Systems Journal, 7(2), pp.275-287.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. computers & security, 56, pp.70-82.

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.

Vance, A. and Siponen, M.T., 2012. IS security policy violations: a rational choice perspective. Journal of Organizational and End User Computing (JOEUC), 24(1), pp.21-41.

Wall, J.D., Palvia, P. and Lowry, P.B., 2013. Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), pp.52-79.