Security System Monitoring, Patch Management, Update Policies

A. System Security Monitoring Policy

1. Overview/Justification
   A regular security monitoring program is fundamental to managing risks in an organization,
   potentially averting any harmful risks like malware attacks, phishing, recording keystrokes,
   password theft or guessing, distribute denial of service (DDoS) attacks, and stealing of vital
   company data, including financial information. Security monitoring usually occurs on both
   logical and physical elements in multiple information system areas. Having a comprehensive
   security monitoring framework confirms that appropriate controls and mechanisms are
   present to secure applications and systems and that they are working effectively and not
   being bypassed by hackers or unauthorized internal personnel.
2. Purpose
   This security monitoring policy’s purpose is to guarantee that information technology and
   resource security controls are present, effective, and not bypassed by unauthorized
   individuals. Implementing this security monitoring protocol can present one benefit to the
   organization: early identification of breaches, security vulnerabilities, or wrongdoing.
   Essentially, early identification can assist in minimizing impact or preventing breaches or
   vulnerability before harm is done. Other potential benefits include service level monitoring,
   audit compliance, capacity planning, limiting liability, and measuring performance.
3. Scope & Exceptions
   This policy applies to the IT personnel tasked with guaranteeing the security of the
   organization’s computing resources, including their installation and operation. The policy
   will cover assessment of current IT infrastructure, replacement of outdated hardware models,

3
installation and configuration of new hardware parts, migration of existing data and apps to
the new infrastructure, implementation of a robust disaster recover and backup system,
implementation of a network security system, configuration of user controls, development of
a comprehensive training program, and post-implementation maintenance and support.

The following three items are exempted from the policy’s scope: recruitment of additional
contractors or state to support the use of the infrastructure, changes to business practices and
processes outside the scope, and replacement or medication of existing software systems and
apps outside the infrastructure’s scope.

4. Policy
   4.1. Automated tools will be deployed to obtain notifications of potential
   vulnerabilities, data breaches, or wrongdoing in real time. Whenever possible,
   establishing a security baseline will be done with the automated tools used to report
   exceptions. These tools will be used to track:
   4.11. Operating system security apparatus;
   4.12. LAN traffic, device inventory, and protocols;
   4.13. Electronic mail traffic; and
   4.14. Internet traffic.
   4.2. The following files will be cross examined for potential signs of vulnerability,
   breach, or wrongdoing at an interval determine by risk:
   4.2.1. System error logs;
   4.2.2. Network scanning logs;
   4.2.3. User account logs;

4

4.2.4. Firewalls logs;
4.2.5. Automated intrusion detection (AID) system logs;
4.2.6. Application logs;
4.2.7. Help desk trouble tickets;
4.2.8. Data recovery and backup logs; and
4.2.9. Fax and network printer logs.
4.3. The checks below will also be performed every six months by authorized or
assigned personnel:
4.3.1. Software and operating system licenses;
4.3.2. Unauthorized modem use;
4.3.3. Unsecure device sharing;
4.3.4. Unauthorized personal web services;
4.3.5. Unauthorized network devices; and
4.3.6. Password strength
4.4. All security concerns identified during system review or assessment will be
classified and mitigated based on three OWASP risk levels. Remediation validation
testing must be performed to validate mitigation/fix strategies for identified issues of
medium and high-risk levels. identified security vulnerabilities. The risk levels
include:
4.4.1. High – All high-risk issues must be mitigated or fixed immediately or
other mitigation approaches must be deployed to restrict exposure before
deployment. Systems or apps with high-risk issues must be removed or denied
release.

5
4.4.2. Medium – Medium risk concerns must be reviewed to establish what is
needed to address and scheduled accordingly. Apps or systems with medium
risk concerns must be removed or denied release based on their count or if
allowing multiple issues can increase the risk. Issues must be addressed or
fixed in a point/patch release unless other mitigation approaches can
potentially limit exposure.
4.4.3. Low – Low-risk issues must be reviewed to establish what is needed to
address them and scheduled accordingly.

4.5. Security concerns, vulnerabilities, and breaches identified will be immediately
forwarded to the ISO (Information Security Officer) for investigation and follow up.
4.6. Displinary action
Violation/breach of this policy would automatically result in employee termination
and fines.
4.7.

B. System Security Patch Management and Update Policy

1. Overview/Justification
2. Purpose
3. Scope
4. Policy & Exceptions

6

Recommend best practices for monitoring, updating, and patching systems.
Instructions
Write a 6–10 page paper in which you:
Establish a system security monitoring policy addressing the need for monitoring, policy scope, and
exceptions and supported by specific, credible sources.
Justify the need for monitoring.
Define the scope of the policy (the personnel, equipment, and processes to which the policy
applies).
Provide guidelines for policy exceptions, if approved by the IT and Security departments.
Establish a system security patch management and updates policy addressing the need for patch
management and updates, policy scope, and exceptions and supported by specific, credible
sources.
Justify the need for patch management and updates, aligned with ISO/IEC 27002.
Define the scope of the policy (the personnel, equipment, and processes to which the policy
applies).
Provide guidelines for policy exceptions, if approved by the IT and Security departments.