Running head: SECURITY POLICY
Security policy
Student’s name
Professor’s name
University affiliation
Date
Introduction
Apple is a technology giant based in California, United States of America. It is among the
leading technology firms in the world, boasting top-of-the-line communication products
such as laptops, tablets, smartphones and music players. Apple has been growing over
time and so far has maintained a reputable lead among smartphone brands in the
world. This success can be attributed to its iPhone smartphones. A lot of people identify with
the company because its products are classic and confer status on anyone who
flashes them in public (Linzmayer, 2004).
Need for a security policy
Apple, being a big technology firm, needs a lot of cyber security. This is because any leaking or
corrupting of important company data could mean a disaster to its business (Bulgurcu, Cavusoglu
& Benbasat, 2010). The policy should cover both the physical and the virtual security of the
infrastructure and the technology invested. This is because most of the company’s data is either
stored at a central location or securely kept on the safer online platform called the cloud (Bulgurcu,
Cavusoglu & Benbasat, 2010; Linzmayer, 2004).
Apple Company has established its base in various international markets around the
globe. This increased size can affect the security policy because the management has to come up
with effective security policies that can mitigate security issues in the global view. Apple has to
develop security systems to protect the privacy of their customers. Apple can protect customers
by establishing strict policies on handling data. Another security measure will be the use of
strong encryption keys which will be difficult to penetrate especially by hackers.
Unique elements that are associated with Apple Company include innovativeness
in the production of its diverse range of products and a dynamic business plan. The increased
innovations might affect the security policy because there is a need to secure the products
for them to remain innovative (Hinsley & Hughes, 2002).
It is a marvel that most competing companies have been unable to understand how Apple
Company manages to put so much technology, class and elegance into a single functional phone
without affecting its performance while remaining effective. The engineers
dedicate a considerable amount of time to coming up with something new in every product that
Apple Company releases into the market. Furthermore, whenever the brand is mentioned there are
unique features that come to individuals’ minds. So, it would be devastating to lose the results
of such hard work by the engineering and innovation teams through insecure storage of vital
information. The security policy should therefore be prepared to address hacking threats and to
come up with the best ways to prevent such instances, by having a strong system that would
recognize and notify if anyone tried to hack in, as well as multi-level encryption to make it harder
to penetrate the security protocols (Ifinedo, 2012).
Apple Company Information Security Policy
Strong encryption and strict policies will be used by Apple Company to ensure that
information is not accessed by unauthorized parties. Information will be made available to
parties with a legitimate need for access. Any breach of the security policy must be
reported by any party as soon as it occurs.
Compliance and incident notification
It is crucial that all employees of Apple Company comply with the stipulated
policy. Any breach is a serious matter because it may lead to the loss of important confidential
data. Such losses may result in civil action being taken against the Company. The aftermath will
be the loss of some of its loyal customers.
Security of the facilities
Security of the facilities covers any facility that can be directly accessed physically,
leading to loss of information for the organization. The best practice that Apple should adopt is to
understand each threat, its related impacts, and the possible controls. To start with, employees, as an
indispensable unit in the company, can expose its processes to attack through deliberate or accidental
errors, and the probability of occurrence is high. Since this is highly likely,
measures such as properly familiarizing Apple Company’s employees with the systems can
work well to control the related dangers.
Apple Company needs to adopt frequent changes of authentication and authorization
procedures, which enhance security against unwanted entry. Apple relies on facial recognition and
fingerprint detectors for access to the facilities, to prevent any tampering with the company’s
products. Some of the properties that are protected include highly sophisticated computers used to
generate software. As a continuation of the physical security aspects, crime-related threats should
be adequately assessed, and gaps related to their occurrence established and fixed. Criminals are
mostly driven by malicious motives, purposely to scoop organizations’ data. The most practical
mechanisms to control the related impacts at Apple Company include notifying law enforcement
organs and avoiding dangerous situations such as using the company’s files in public or exposed areas.
Physical entry controls
The main objective for this security control is to prevent physical access, damage and
interference to the organizational information and information processing facilities. The company
will set up surveillance by employing the use of authentication systems such as a biometric scan
or a smart card to unlock the doors. Alarm systems will also be put in place to notify responsible
parties in case of any breach (Denis, 2003).
Security offices, rooms, and facilities
The main objective of this security control is to prevent unauthorized access to the physical
facilities and damage to the organizational information. It is expected that only
authorized persons should enter the offices. The offices, rooms, and facilities
have been designed with physical security applied. An advantage of this security control is that it
ensures there is no interference with the organization's information, which might otherwise be stolen. Most
organizations, not only Apple Company, have been designed in such a way that only individuals
who have to enter the offices have permission to do so (Farrugia et al., 2016).
Isolated delivery and loading areas
The main objective of this security control is to ensure that the organizational information
is not directly accessed by the stakeholders. The delivery and loading areas have been
constructed in such a way that the points where unauthorized persons could enter the premises are controlled.
Security of information systems
Workplace protection
The organizational workplace is an important factor because valuable private
information is located here. Examples such as clients’ information and sales documents are located in
the workplace. The workplace has been secured with physical and logical security of every kind
(Denis, 2003).
Network/server equipment
The network and server equipment are secured with locks. This is meant to
ensure the physical security of the equipment against theft. Network equipment such as hubs and
routers are secured to prevent tampering and access by unauthorized individuals. In this case,
only authorized persons are allowed to interfere with them. For instance, authorized employees
can access them (Medicine, 2017).
Equipment maintenance
Computers need maximum protection as they are very sensitive. The personnel
responsible for these systems should have knowledge of the equipment they are maintaining. In
the case of failure, they should have a second option of whom to contact. Routine management of
the systems is critical for the performance of the equipment. Pear requires that the equipment
is checked for its performance capabilities and for quality delivery of services to the
customers (Subotić, 2016).
Security of laptops/roaming equipment
The security of laptops and roaming equipment should be kept high in the company. The
employees that have been given access to the equipment should understand the importance of
the equipment to the company. It is mandatory for the employees to take care of the laptops and
roaming equipment. Apple makes use of usernames and passwords to protect equipment such as
laptops. This is an important control since nobody can access information contained in the laptop
unless they know the password or username (Dubin, 2017).
Apple Company Access Control Policy
Access control policy at Apple Company comprises security techniques that are used to
regulate the entities that are allowed access to use its resources in the computing environment. The
access control policy allows authorized individuals to utilize and operate resources within the
network structure. No employee has direct access to functional information regarding the
system unless authorized by the access control policy. In order to understand Apple Company's
access control policy, there is a need to understand the main concepts involved, including entity,
actions, relationships, and resources.
The two main methods of access control commonly used are physical and logical controls.
Physical control is used in the management of access to the company's premises, hardware
resources, and IT assets. On the other hand, logical control manages the interactions with its
computer systems, files, and data. According to Margaret Rose (2016), access control has the
following main functions: authorization, authentication, identification, access approval and
accountability verification. The access approval and accountability verification functions involve
access through login credentials such as personal identification numbers, passwords, physical and
electronic keys or biometric identity.
Authentication
Authentication requires employees to validate their true identity. In process Pear, the
PIN number function is used to authenticate every employee as they are required to input their
PINs to gain access into computers, enter through doors, and get into other local areas.
Accessibility is further enhanced by the use of photo IDs and signature cards. This is in addition
to the use of a three-factor authentication process in gaining access to certain resources.
Discretionary access control
The discretionary access control principle holds that access to information and
to access control systems is granted and controlled only by the owner of the particular
information. As a result of its secure features, many systems are based on the discretionary access
control principle (Benantar, 2006). At Apple Company, only the employees who are authorized
can carry out system changes through the discretionary access control system. To further ensure
total confidentiality, access to a system is granted only under the least privilege principle, and
therefore any transactions that involve access to the company's resources are done on a
need-to-know basis only.
Mandatory access control
However, the strictest control level is Mandatory Access Control. This is primarily used
by government institutions, though it is also being adopted by private organizations in
controlling access to their systems. The control system uses a hierarchical approach to controlling
access to an enforced environment for all resources, and its control is based on the settings put in
place by a system administrator (Ballad et al., 2011). In using this control system, access to any
resource is strictly monitored through settings configured by an operating system administrator,
making it impossible to initiate any changes to the users' credentials and access to
resources.
User Enrollment
User enrollment refers to the process where a user's control device is interconnected with
a Hosted Mobile Security. In using this feature, an employee must be enrolled as a user before
gaining access to the company’s systems. The user enrollment process involves the system
administrator inviting the user to enroll his/her device; the user then gets an invitation
link through which to open and complete enrolling the mobile device.
Role-based controlled access
Employees who perform common roles or work in the same department may require
similar access to the system and therefore the role-based controlled access authentication can be
used for this task. Therefore, where a group or team of employees is assigned a specific task, they
can be assigned the same role-based access control. When all the roles are populated in the system's
database, the role-based rules are implemented by giving role-based privileges to each employee
scheduled to access the particular function (Benantar, 2006). Thereafter, an employee’s details are
fed into the database and updated in all the computer application systems from the Human
Resource desktop. In using this system, Apple has been able to get a companywide control process
and manage both its hardware and software IT assets effectively while still maintaining a high
level of security (Gollmann, 2011).
Identification
The identification process involves verification of the identity of an entity. The process
may require the use of an identification number or document as proof of an employee’s identity.
As a result, all Apple Company employees have a small standard card that is usually used in
identifying its employees. Accessibility into its computer systems is restricted to only the
authorized personnel who have a unique identity that they use in logging into the systems for
enhanced security without compromising their systems.
Remote access
When access from remote locations is possible, there is a risk of a breach of the system's security
due to the use of insecure networks, and therefore a need for additional security features.
As a result, extra access control techniques are used to ensure maximum security by protecting the
company's LAN and users. The most common network used at Apple Company to access the
corporate networks is the Virtual Private Network (VPN). The network helps by creating a safe private
channel between the end user’s network and the protected corporate network, thus preventing
illegal access or modification of data. The employees use their ISP in connecting to the Internet
through the VPN, which is safer since it is hard and almost impossible to breach by intercepting
message transfers, as it uses very powerful cryptography at both the senders’ and receivers’ ends
(Ballad et al., 2011).
Therefore, access control policies are an integral part of organizations keen on protecting
their systems from unauthorized access and security breaches. Apple Company, as a global
leader in electronics technology, has been at the forefront in this regard as a result of the growing
threats to cyber security. It is for this reason that a company of its size and complexity must
go for systems that are safe and secure in carrying out its business.
Conclusion
Finally, I believe this policy will work well for Apple Company in curbing security threats.
It is important to understand that every company’s main security goal is to keep its vital data as tightly
guarded as possible from competitors. It is also good for the physical security to be heightened
because employees may sneak out important data. This could be achieved by ensuring that a loyalty
culture is encouraged whereby all employees are made to feel valued, which promotes a
responsible attitude towards company property.
The issue of authorization at Apple Company needs to be looked at too. Among the possible
external attacks, there is none more damaging than situations when the systems have loopholes that
can make unauthorized data access possible. Such instances include inadequate access control
policies, and the effects of such an absence are suicidal to the business setup. As a safety measure,
establishing a control policy is essential, and related procedures include high-tech encryption
systems among other authentication processes. Establishing a working security is also
recommended to mitigate threats related to inadequacy in employees' capacity such as entry,
human and other cataloging errors. Therefore, proper structures should be put in place at Apple
Company to ensure that such information is always safe and a rescue plan made available in case
of any data leakage (Bulgurcu, Cavusoglu & Benbasat, 2010; Linzmayer, 2004).
References
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an
empirical study of rationality-based beliefs and information security awareness. MIS
quarterly, 34(3), 523-548.
Hinsley, S. R., & Hughes, C. D. (2002). U.S. Patent No. 5,283,830. Washington, DC: U.S. Patent
and Trademark Office.
Ifinedo, P. (2012). Understanding information systems security policy compliance: An
integration of the theory of planned behavior and the protection motivation
theory. Computers & Security, 31(1), 83-95.
Beachem, B., Boucher, P., Nault, G., Rollins, R., Wood, J. B., & Wright, M. (2016). U.S. Patent
Application No. 14/991,848.
Denis, T. (2003). An Integral Framework for Information Systems Security Management.
Computers and Security, 337-360.
Dubin, J. (2017). Laptop Security Best Practices. Retrieved from Techtarget:
http://searchcio.techtarget.com/tip/Laptop-security-best-practices
Farrugia, A. J., Robbin, J., Mitsuji, H., Despotovic, M., & Meldrum, C. (2016). U.S. Patent
Application No. 15/159,772.
Medicine, S. (2017). Information Resources and Technology. Retrieved from Stanford Medicine:
https://med.stanford.edu/irt/security/servers.html
Subotić, J. (2016). Narrative, ontological security, and foreign policy change. Foreign Policy
Analysis, 12(4), 610-627.
Ballad, B., Ballad, T., & Banks, E. K. (2011). Access control, authentication, and public key
infrastructure. Sudbury, MA: Jones & Bartlett Learning.
Benantar, M. (2006). Access control systems: Security, identity management, and trust models.
New York: Springer Science+Business Media.
Gollmann, D. (2011). Computer Security. Wiley Publishing, p. 387.
Margaret R. (2016). Access control. http://searchsecurity.techtarget.com/definition/accesscontrol
Petritsch, H. (2009). Access Control Models. ACM Press, pp. 197–206.