The company’s major information security threats include:
Poorly written software could inadvertently allow malicious code to attack data or a program without anyone’s knowledge.
Improperly configured systems could allow third parties to access the internal system, such as a company’s e-mail server.
Computer viruses and worms can destroy data and/or cause computers to become infected; the infection can spread throughout the entire network.
External breaches. Hackers, crackers, and script kiddies perpetrate external breaches to gain unauthorized access to the company’s computer system.
Internal breaches. Internal breaches can be made by anyone who has authorized access to the company’s system, such as disgruntled employees.
Employees will be thoroughly educated on the company’s security awareness training plan. The security awareness training plan will include:
Passwords must meet the following criteria:
8 characters long
Capital and lowercase letters
Special characters such as !@# (optional, but recommended)
Passwords must be changed every 60 days. Passwords cannot have been any of the last 13 passwords used.
Help desk and IT must ask for the employee’s full name, social security number, and workplace location before resetting a password. Help desk should speak to the employee’s supervisor before confirming a user name.
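The password rules above (length, capital and lowercase letters, optional special characters, a 60-day change interval, and no reuse of the last 13 passwords) are the kind of policy that is usually enforced by code rather than by memory. The block below is an added example written for this page; it is not the company’s own tooling or any product’s API. It assumes the policy values exactly as stated, treats the current password as one of the 13 that may not be reused (an assumption, since the text does not say), and keeps the history as salted PBKDF2 hashes so that the reuse check does not itself become a plaintext list of old credentials.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Policy values taken from the page text.
MIN_LENGTH = 8
ROTATION_DAYS = 60
HISTORY_DEPTH = 13
SPECIAL_CHARS = set(string.punctuation)   # e.g. ! @ #

# Kept low so the example runs quickly; a production deployment would
# use a far higher iteration count or a memory-hard function such as Argon2.
PBKDF2_ITERATIONS = 20_000


def check_composition(password):
    """Return the list of composition rules the password breaks (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    return problems


def has_special(password):
    """Special characters are optional under this policy, so this only reports, never blocks."""
    return any(c in SPECIAL_CHARS for c in password)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so old entries stay verifiable."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordRecord:
    """Per-user state: hashed history (oldest first) and when the password last changed."""

    def __init__(self):
        self.history = []          # list of (salt, digest); the last entry is the current password
        self.changed_at = None     # datetime of the most recent successful change


def reused_recently(record, password):
    """True if the candidate matches any of the last HISTORY_DEPTH passwords (current included, by assumption)."""
    for salt, digest in record.history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def set_password(record, password, now):
    """Apply the policy; return [] on success or the list of reasons the change was refused."""
    problems = check_composition(password)
    if reused_recently(record, password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords used")
    if problems:
        return problems
    record.history.append(hash_password(password))
    record.history = record.history[-HISTORY_DEPTH:]   # keep only what the policy needs
    record.changed_at = now
    return []


def rotation_due(record, now):
    """True once ROTATION_DAYS have elapsed since the last change (or if no password is set)."""
    if record.changed_at is None:
        return True
    return now - record.changed_at >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    user = PasswordRecord()
    t0 = datetime(2024, 1, 1)
    print(set_password(user, "short", t0))              # refused: too short, no capital
    print(set_password(user, "Correct1Horse", t0))      # accepted: []
    print(set_password(user, "Correct1Horse", t0))      # refused: reuse of current password
    print(rotation_due(user, t0 + timedelta(days=61)))  # True
```

Two design points are worth noting. The reuse check re-derives the hash with each stored salt rather than comparing plaintext, and uses a constant-time comparison, so the history table leaks nothing useful even if it is read. Trimming the list to `HISTORY_DEPTH` after every change is what makes an old password legitimately reusable once it falls outside the window, which is the behaviour the policy describes.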
Data retention requirements for the following types of records:
E-mails and voice mails should be kept on the system for a short period of time – 15-30 days – and automatically erased.
E-mails with tax implications should be retained for a period of six years in the event of an IRS audit.
Databases should be retained for a period of six years since they contain tax information.
Word processing files should be retained for a short period of time after the final draft has been accepted. Important final documents should be retained for extended periods of...