A policy is a well-laid document that serves to explain confidentiality, integrity, and availability of information on an integrated electronic system as used by a company. This necessitates the input of advanced skills from a person trained in the field of information technology.
As the company grows, the number of clients as well as the number of employees increases. More importantly, the earlier versions of the security management system are now rendered less effective by the new technology. It is therefore highly commendable that the company’s information security policy is scrutinized and the relevant review was undertaken to update it, to maximize the classified information. This paper is a recommendation that may help in ensuring that the company’s data is well protected.
An integrated security policy reduces insecurity and provides a clear set of organization directions that ensures services are promptly disseminated to the clients. With proper review, the company can meet the current regulatory requirements and standards as stipulated by the law. Primarily, there is an urgent need to set the general computer user access policy. Access to the company’s computer online services should be restricted in terms of compliance with the enlisted terms and conditions. One of the terms and conditions is that one should not share the user ID and anybody without an account should not be allowed to access the online services. Sharing of accounts should be deemed as a serious violation of the policy and is prosecutable. All new users shall be required to follow a detailed procedure to open an account. To ensure that individual privacy, personal health information, financial information, and credit details are safeguarded, the company should undertake a security policy. To this effect, the company should set up a password policy whereby every person accessing the online services should possess a password and a user ID (Vacca, 2009, p. 132).
However, with advanced technology, there is a well-organized chain of cartels that hack into the accounts of people and engage in data manipulation for financial gain. Therefore, there is a need to use strong passwords that cannot be easily cracked. The most fundamental aspect in ensuring password strength is password length, which should not be less than eight characters, mixing of both digits and letters in a password. The user should be prohibited from using dictionary words as passwords. Use of case-sensitive letters, which involves combinations of both upper and lower case letters, and utilization of special characters, such as # and* among others, between digits or letters should also be encouraged.
The password should never be written down but if one must inscribe it, the material on which it is written should be kept in a very safe place, otherwise, the best thing is normally memorizing it rather than writing it down. In addition, one should always log off after using the computer. Even with these measures in place, one might still ask what could happen if someone accidentally loses the password. The policy to this effect should provide a guide that allows the user to reset his password. To prevent imposters from resetting the password, the user should provide an email address where the new password is to be sent after resetting it (Dhillon, 2001, p. 204).
Since the company accepts credit cards for premium payment, then it is a target for hackers. Therefore it would be very important for the company to comply with payment card industry data security standards (PCI DSS) to protect cardholders. For example, the company should limit access to cardholder data only to employees assigned to that task by authorization of the manager. Moreover, there would be a need to install powerful firewall software to ensure that our computer systems are not vulnerable to hackers. In addition, it would be advisable that the company does not keep the data of cardholders unless it is very necessary. These measures will ensure that information on a credit card is safeguarded. Also to ensure that the company protects the health information of the clients it is important to comply with the health insurance portability and accountability act (HIPAA) as well as the Gramm leach- Bliley Act (GLBA) as stipulated by the law. For instance, when emailing patient information, it would be necessary to encrypt the mail. The company could also install software that features an internal messaging system. This feature will only send a message to the client that he or she has received an email, who will, in turn, log into the system to access it. This will ensure that the information only remains in the protected area of the software package (Vacca, 2009, p. 167).
This recommendation may, if adopted, safeguard the client’s information as well as the classified information of the company’s staff. Moreover, the company will have complied with the regulatory requirements as stipulated by the United States department of health and human services.
References
Dhillon, G. (2001). Information security management: Global challenges in the new millennium. Hershey, PA: Idea Group Publishing.
Vacca, J. R. (2009). Computer and information security handbook. Burlington, MA: Morgan Kaufmann Publishers.