The Information Security Plan

 

This information security plan defines Amazon’s safeguards to ensure the confidentiality, integrity and availability of all information systems resources and data under the control of the company. The plan is divided into data classification, assessment of potential risks and security policies and procedures.
Data Classification
Amazon’s data assets are classified into three categories: confidential, private, and public.
1. Confidential data: Company-related information is classified as confidential if access by unauthorized parties could cause a substantial loss for the company (Western Kentucky University, 2020). This includes information that can affect Amazon’s brand, especially what is not public knowledge. Examples of Amazon’s confidential information include critical agreements and contacts, budgetary and intellectual properties and personal information of the company’s employees. Access to confidential information must be approved by the information owner.
2. Private data: Amazon’s data is classified as private if access is only permitted to authorized Amazon personnel. According to Infosecinstitute (2020), extreme care and precaution are required before and during usage, storage and transmittal. It is a violation to show or transfer private data to unauthorized parties. Examples of Amazon’s private information include employees’ salaries and non-sensitive personal information.
3. Public data: Information can only be classified as public if it has been quality controlled and approved by authorized personnel within Amazon for publication. Examples of public data are those that have been legally published on the internet.

Assessment of Potential Risks
The company acknowledges that its resources face both internal and external threats. The risks include, but are not limited to:
• Cyber threats such as malware and worm attacks, network penetration, and denial of service
• Unauthorized access to information or resources
• Unauthorized modification or transfer of data
• Attacks against company reputation
• Hardware and software misuse
• Accidental deletion of data or information
• Hardware failure and software glitches
• Natural factors such as power outages and fire
The company recognizes that this may not be a complete list because technology keeps changing. The IT security team is expected to regularly monitor advisory groups such as the Educause Security Institute and SANS for the identification of new risks (University of South Florida, 2020). Although the company believes the current safeguards provide security and confidentiality for its data and resources, it cannot guarantee absolute security due to evolving threats.
Security Policies and Reactive Emergency Plans
Access to information via the company’s IT infrastructure is limited to those who have a valid business reason for accessing it (University of South Florida, 2020). Each employee is provided with a user account, which is automatically placed into one of three levels of access: level one, level two, or level three. Level one has unlimited access to all data and systems of the company, level two can access everything apart from confidential data, and level three has access to all internal data that is neither confidential nor private.
All data will be backed up incrementally, safely and securely. In addition, all software and hardware systems must regularly be subjected to the necessary security requirements as defined by the ITS Unit. Employees are also encouraged to memorize their login credentials, keep them safe, and report suspicious activities.
The company has developed detailed written plans and procedures to detect actual or attempted attacks, and a well-thought-out response plan. The company will develop an education curriculum that aims at creating awareness of data security threats; all employees will be subjected to the curriculum.

The post The Information Security Plan first appeared on COMPLIANT PAPERS.