Sunday, February 28, 2016

Week 11- Tactical principles in Security Planning

Business success can only be achieved when an organization can show how it differs from others. This is often called the organization's competitive strategy. Whether the strategy is being accomplished can be measured by examining the process used to carry it out: tactics. Tactics help a business understand how its goals can be accomplished; they are the countermeasures the organization will take if certain situations arise. In order to implement the right tactics, the objectives have to be identified, and principles are what identify those objectives.

In order to accomplish the organization's targeted objectives, the security strategic plan has to be strong and successfully implemented. Such plans can only succeed with proper tactics and an operational plan. Resource planning, time, and technology help achieve the tactical objectives of the security strategic plan. Observation, timeliness, and economy are the top principles of security management, as they provide insight into sufficient information, response time, and a balanced cost of technology and process. These principles drive the tactical implementation of the security framework. With the observation principle we can collect enough information to secure the perimeter and provide a strong wall against attack. Timeliness determines proper communication during an incident and what kind of tactics should be implemented during any physical or logical attack. Security is one of the costlier functions in an organization, as it involves qualified manpower, technology, and advanced systems. The economy principle focuses on balancing resources and technology with the cost associated with them. So, these principles help in defining effective and efficient tactics.


Sunday, February 21, 2016

Week 10- Why Security as part of SDLC?

Traditional software development treats security as a Band-Aid or add-on feature applied after programming is completed. Modern product development incorporates security into each SDLC phase. Without a secure product a business cannot run, as the product creates much more risk and a loss in return on investment (ROI). So, incorporating security into the software development life cycle helps identify all risks associated with the product, potential integration challenges, and the framework necessary for the product (or the reusability of an existing framework), and it predetermines the work necessary for security integration in parallel with software development and testing. Involving the security team in every phase, from analysis to production support, lowers rework and the cost associated with it, and makes maintenance easier and more cost effective.
Most software development takes a risk-based approach, meaning the risks are identified during the planning phase along with the stakeholders and the delivery team. Once we clearly identify the problem we are trying to solve and the risks associated with it, it is much easier to develop, integrate, test, and deliver a validated and verified software application to the client. Hence, identifying risks and system vulnerabilities early requires a proper system security planning process, which can be carried out in the early planning and requirements-gathering phases (Kissel, et al., 2008). Due to market competition and the demand for fast software delivery, most organizations are moving to an agile framework, and it is much easier to integrate security into the sprint cycle than into a lengthy waterfall process. Security requirements can be captured as technical user stories alongside the functional stories, which makes testing easier and more thorough in this methodology. In addition, pair programming is of great value in developing and testing the product's security and functionality at the same time, which improves software quality and delivery within the agile sprint cycle. Most importantly, including security in the SDLC requires many meetings, minutes, decisions, and documents, which are helpful later during production support and training, compared with integrating security as an ad-hoc feature late in the game without proper documentation and alignment.
So what does it mean to include security in the SDLC for the different teams involved? For a stakeholder it means a safe and successful product and an understanding of how that is achieved through integration; the stakeholder's involvement in pre-analysis and during the development phases is equally important in communicating whether the standards are met or not. For project managers and the Chief Information Security Officer (CISO), it is the process of working together to identify the organizational vision, set the industry and organizational standards, provide strategies and a program for secure and sound software, and maintain a cost-effective program. For the core development and delivery team, it is all about understanding the problem we are trying to solve and the approaches to deliver the right product in the right way. This involves sound requirements gathering and delivery to the team so that they understand both the functional and the security aspects. This can be done using process modeling tools and techniques that map the functional requirements to the security integration, which helps the development team develop and unit test one product rather than separate entities. For testing, it means testing the integrated application end to end rather than letting it go without any security features. Bugs identified for security holes can be fixed and promoted to production with testing approval much more easily within the SDLC than later. For implementation, training, and production support, integrating security within the SDLC means a proper process, less work, good documentation, and quick fixes and support.
In conclusion, building security into every phase of the SDLC will be beneficial to users and the organization.

References

Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., & Gulick, J. (2008, October). Security Considerations in the System Development Life Cycle. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

Sunday, February 14, 2016

Week-9: Security policy implementation techniques

Implementing new or updated policies in companies can be hectic and troublesome, as the outcomes cannot be predicted easily. Failures in implementation plans, lack of involvement of responsible stakeholders, and employees' lack of understanding might be some of the causes of failure. This week I am going to talk about the ways we can better implement security policies in the organization:

Better Communication:
Communicating the new policies to the employees is very important for the company. This can be done using different techniques:
Email communication (use features such as read receipts)
Town hall meetings for all current employees
New hire orientation for all new employees
Awareness campaigns and training sessions
Involve executive directors in departmental visits and group conversations

Involvement of Key stakeholders:

Involvement of human resources and executive management can lead to smooth implementation of the security plans, as these stakeholders are authoritative. HR and managers play an important role in implementing new policies. One can have them involved in the policy implementation plan during every phase: review and approvals, publishing, awareness, and training. Having their input makes the new policies more insightful and detailed, as the new policies have to comply with existing HR policies. Executives can play the role of gatekeeper, as it is sometimes easier to implement new policies when executives are involved. Executives and managers can enforce the policies in their respective departments by sending circulars and emails directly, which is a more effective way to implement them; if employees do not follow them, managers can take action in those cases.

Incorporate Security Awareness and Fun Training:

Security awareness and training cannot be made more engaging by lecturing employees and pointing out how hard compliance is. Rather, it should be made more fun: real-time demonstrations, getting all participants to take part by breaking training sessions into smaller segments and smaller groups, using audio and video, and games. Providing refreshments (food/drinks) helps attract more participants. Games can be more interesting, and adding prizes will certainly draw more participants to the training; from a compliance perspective it is also efficient.

Release a Monthly Organization Wide Newsletter for All:

A monthly newsletter is beneficial for reaching out to employees. In order to keep the newsletter succinct, only important messages will be included, based on executive approval. Make the newsletter interesting by using photographs and background colors, including some security quizzes, and rewarding employees who answer correctly (a movie ticket) by lucky draw.

Implement Security Reminders on System Login Screens for All:

This can be implemented using group policy. Group the employees based on department and send the reminders at first login, create screen savers, and display the policies on active screens.
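
As an added example (not part of the original post), the script below applies on a single Windows host the same registry values that the Group Policy settings "Interactive logon: Message title/text for users attempting to log on" and the user-side screen saver policies write, then audits them so the result can be logged for the compliance metrics mentioned later. It assumes an elevated PowerShell session; the banner wording is a constructed placeholder, and per-department targeting is left to the GPO links and security filtering rather than shown here.

```powershell
# Added example: set and audit a logon-screen security reminder plus a locking screen saver.
# Registry locations are the ones the corresponding Group Policy settings write to.
$LogonPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ScreenSaverKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Set-SecurityReminderBanner {
    param(
        [Parameter(Mandatory)] [string] $Caption,
        [Parameter(Mandatory)] [string] $Message,
        [int] $ScreenSaverTimeoutSeconds = 600
    )
    # Logon banner: shown to every user before the credential prompt.
    if (-not (Test-Path $LogonPolicyKey)) { New-Item -Path $LogonPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $LogonPolicyKey -Name 'legalnoticecaption' -Value $Caption -Type String
    Set-ItemProperty -Path $LogonPolicyKey -Name 'legalnoticetext'    -Value $Message -Type String

    # Screen saver policy for the current user: enabled, password-protected, fixed timeout.
    if (-not (Test-Path $ScreenSaverKey)) { New-Item -Path $ScreenSaverKey -Force | Out-Null }
    Set-ItemProperty -Path $ScreenSaverKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $ScreenSaverKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $ScreenSaverKey -Name 'ScreenSaveTimeOut'   -Value "$ScreenSaverTimeoutSeconds" -Type String
}

function Test-SecurityReminderBanner {
    # Emits one object per check so the output can be exported to a log or CSV
    # and rolled up into quarterly compliance metrics.
    param([Parameter(Mandatory)] [string] $ExpectedCaption)
    $logon = Get-ItemProperty -Path $LogonPolicyKey -ErrorAction SilentlyContinue
    $saver = Get-ItemProperty -Path $ScreenSaverKey -ErrorAction SilentlyContinue
    $timeout = [int]$saver.ScreenSaveTimeOut   # $null becomes 0 if the value is absent
    $checks = @(
        @{ Name = 'LogonBannerCaption'; Pass = ($logon.legalnoticecaption -eq $ExpectedCaption) }
        @{ Name = 'LogonBannerText';    Pass = -not [string]::IsNullOrWhiteSpace($logon.legalnoticetext) }
        @{ Name = 'ScreenSaverActive';  Pass = ($saver.ScreenSaveActive -eq '1') }
        @{ Name = 'ScreenSaverLocked';  Pass = ($saver.ScreenSaverIsSecure -eq '1') }
        @{ Name = 'ScreenSaverTimeout'; Pass = ($timeout -gt 0 -and $timeout -le 900) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Check     = $c.Name
            Compliant = [bool]$c.Pass
            CheckedAt = (Get-Date).ToString('s')
        }
    }
}

# Usage with constructed placeholder wording; replace with the approved policy text.
Set-SecurityReminderBanner -Caption 'Security Policy Reminder' `
    -Message 'This system is for authorized use only. By logging on you agree to the Acceptable Use Policy.'
Test-SecurityReminderBanner -ExpectedCaption 'Security Policy Reminder' | Format-Table -AutoSize
```

The logon banner takes effect at the next logon; a screen saver set only under the policy key still needs a screen saver executable (the "Force specific screen saver" policy) to actually display the reminder.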

Incorporate On-Going Security Policy Maintenance for All:

When policies are updated or new changes are made, they have to be reviewed, and based on the feedback they may need further upgrades and changes. Employee surveys, HR and executive decisions, and interviewing users are some techniques that can be used for review and feedback from employees. Logs and software can be used to track compliance with the policies, and progress can be measured every quarter by creating metrics.

Obtain Employee Questions or Feedback for Policy Board:

For better auditing, third-party vendors could be employed to conduct anonymous surveys.

Sunday, February 7, 2016

Week 8 - Increasing Mobile Cyber threats

These days there are barely any people who do not have smartphones or personal digital assistants (PDAs). These handy devices are preferred to carrying laptops, as one can easily check email, connect to social media, take photographs, and communicate with the world. The devices are also easy to carry in pockets, handbags, and purses without any worries about weight and size. Along with these advantages and their popularity, mobile devices pose growing threats to personal data. Research shows that the number of vulnerabilities in mobile operating systems (OS) has increased in relative numbers since 2009 (Ruggiero & Foote, 2011). Constant exposure to public networks, lack of security infrastructure, unnecessary app downloads, Bluetooth connectivity, lack of encryption, and connections to private networks are some of the growing issues with mobile devices, and threats have been detected in growing numbers. Data breaches show the following trends in mobile security vulnerabilities:
1) Operating system and application vulnerabilities (crimeware): The costliest cybercrimes are caused by faulty systems and the use of back doors and SQL injection, exploiting weaknesses in the operating system, hardware, firmware, protocols, or services to access data or to reach other networks.
2) Denial of service: Another form of system attack is denial of service (DoS), which is caused by a weakness in a transit node (commonly called the “Ping of Death”) or by a malfunction that sends data into a black hole.
3) Cyberespionage (phishing): Phishing is a form of fraud in which the attacker tries to learn sensitive information such as usernames, passwords, and account information by impersonating a business or person in email, IM, or another form of communication.
4) Weak security controls: With the growing number of apps and websites, security has become vulnerable, and proper testing techniques have been limited, leaving manual testing as the primary testing technique. Sometimes security is treated as a separate entity and thorough validation is not done.
5) Acts of human error or failure: Inexperience, improper training, mistakes based on incorrect assumptions, sending information to the wrong recipient, and not understanding the security controls, policies, and standards are common accidental human errors that happen every day in the work environment, and they cause a large percentage of cyber-attacks. Connecting devices to the organization's network, sharing network passwords, and connecting personal phones to the network are common mistakes employees make.
In conclusion, modern-day cybercrimes have diverse motives and are carried out across different business domains, including mobile operating systems. These enterprise systems and data are being targeted in various ways: crimeware, cyberespionage, denial of service, human error, and weak security controls. Since it impacts everyone, we must tackle it by raising awareness, patching systems properly, creating new security innovations, using firewalls for VPN connections, using encrypted file and email systems, and avoiding public Wi-Fi connections.

References

Ruggiero, P., & Foote, J. (2011). Cyber Threats to Mobile Phones. (C. M. University, Producer) Retrieved February 07, 2016, from US-CERT: https://www.us-cert.gov/sites/default/files/publications/cyber_threats-to_mobile_phones.pdf

Sunday, January 31, 2016

Week 7 - Risk Analysis and Management in IT Industries

For week 7 we are learning about the risk management life cycle, and I chose to research more on the current trends of risk management in IT industries. Risk analysis and management are essential topics in the IT industry, as risk determines the implementation approach and timelines. A risk assessment helps organizations ensure they are compliant with regulatory mandates. With baseline risk management standards, risk analysis helps determine the implementation of the safeguards contained in the Security Rule; we can say that risk analysis is one of the most important processes in the security management process.

A risk analysis process includes, but is not limited to, the following activities:

1) Calculate the likelihood and impact of potential risks to important personal health information (risk score calculation).
2) Identify the appropriate security framework to address the risks identified during risk analysis.
3) Document the security framework and the compliance of the infrastructure.
4) Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process in which a covered entity regularly reviews its records to track access to systems and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly reevaluates potential risks to information. With a secure system and environment, organizations can achieve their business goals. All applications used to communicate with secured information need to be protected with a strong security plan. Following are some of the security rules that organizations can include to safeguard their systems and assets:

• Implement Security Management Process: Organizations have to perform risk analysis and implement security measures that reduce the risks and vulnerabilities to organizational assets and infrastructure.
• Assign Security Personnel: A security official responsible for developing and implementing organizational security policies and procedures has to be assigned.
• Information Access Management: Secure measures have to be implemented in order to safeguard access to information. Policies and standards help maintain access management for employees, external partners, and other sectors.
• Workforce Training and Management: Organizations must train all workforce members regarding their security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate those policies and procedures.
• Evaluation: A periodic assessment of how well security policies and procedures meet the requirements of the Security Rule has to be carried out, and necessary updates have to be documented.
• Facility Access and Control: Authorized access has to be maintained for physical facilities.
• Workstation and Device Security: Organizations must implement policies and procedures that specify proper use of and access to workstations and electronic media. The enterprise must also have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.
• Access Control: Organizations must implement technical policies and procedures that allow only authorized persons to access electronic protected health information. Access to software and systems has to be role based.
• Audit Controls: Organizations must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use personal information. Internal and external audits help maintain the reliability of the organization and its compliance with applicable laws.


Sunday, January 24, 2016

Week 6- Security Risk of Using Personal Devices while travelling in public transportation

Research conducted by PublicTransportation.org concluded, "In the year 2013 Americans took 10.7 billion trips in the public transportation," a record high ridership. Worldwide, 35% of all trips made to and from work use public transportation, and developing countries are at the high end of public transportation use. Whether the intent is commuting to work or non-work-related travel, most commuters use mobile devices for communication, browsing, listening to music, taking photographs, playing games, etc. While using these devices, in one way or another they use public networks, which are unsecured and pose a high security risk. Public transportation commuters even access company data on unsecured and unknown networks. Unsecured data can easily be exploited by skilled attackers on public Wi-Fi networks and used against the company's data networks. Some travelers even use public networks for company tasks while travelling, or talk to colleagues about important work-related data, which poses a threat to the company's privacy policy.
It is equally important to protect personal information while using these mobile devices, because you never know who you are travelling with, and using cellular phones, laptops, or tablets openly gives criminals an opportunity. Openly texting, entering personally identifiable information, entering banking information, or displaying work-related information while travelling on public transportation should strictly be considered vulnerable. On the other hand, if you suspect that someone is watching your messages or work, you should confront the individual about their intent and report the issue to the concerned authority if unusual behavior is noticed. If you feel company data has been shared, the security team should be notified as soon as possible.
With increasing security risk, companies are moving towards "Bring Your Own Device (BYOD)" policies, which will force security teams to master mobile device management in order to maintain company data and network security.
To conclude, use of mobile devices on public transportation should be strictly monitored, and use of company data on public networks should be strictly prohibited. If any suspicious activity is noticed, confront the person to ask about the privacy of the usage, and if in any case company data is compromised, notify the IT security team as soon as possible.

References:
http://www.worldmapper.org/posters/worldmapper_map142_ver5.pdf
http://www.publictransportation.org/news/facts/Pages/default.aspx

Thursday, January 14, 2016

Week 5: Business Internet/email use policies - Legal and ethical issues of an employer being able to monitor the computer use/emails of employees

Since we are deep diving into security policies this week, I would like to discuss business internet/email policies. Some organizations keep an eye on their employees, what they are doing during and off work. Monitoring has both benefits and impacts for the organization and the employee. I am discussing some legal and ethical issues of an employer being able to monitor the computer use or email use of an employee.

As we all know, the company owns the rights to all data and files in any computer, network, or other information system used in the company. It also reserves the power to retrieve data sent or received by the employee using the company's internet access or the company's property. The company has always closely monitored its employees and all data and files sent or received, whether personal or professional. Employees must be fully aware of the company's discipline. They must know that electronic mail and messages sent or received through the company's internet or web-based applications can be traced and viewed by company officials at any time without notice. There is no expectation of privacy in any information or activity conducted, sent, performed, or viewed on or with company equipment or internet access (www.twc.state.tx.us). It is completely clear that the use of the internet at the office by employees during working hours is totally unacceptable; however, I believe that there are always pros and cons in such cases.
Employers have started to closely monitor their employees due to the sharp increase in cyberloafing and lawsuits enabled by new technologies. At the same time, both parties are clear about the ethical implications of constant monitoring. The company monitors its employees' actions to closely track work productivity and efficacy. Monitoring also helps track the actual amount of time they spend on work or sitting idle.
Computer monitoring also allows the employer to keep records of employees' performance, provides the information required to set the company's performance standard, and helps in the appraisal review process. Not only this, it also allows the employer to keep a closer look at employees' access to information about their own level of performance, and gives employees access to judge their own level of performance. It also helps create flexibility in work location by allowing the employee to telecommute or use "flex time".

On the contrary, employees feel the pressure of working in a hostile environment and a sense of invasion of their territory. Because of the unfriendly environment, the company's productivity might not meet its standard. Monitoring is intrusive and has a high potential for abuse by the company's employer (Mishra & Crampton, 1998). Since employers have direct access to records of each and every activity, they can use them against the employee. Monitored employees are also likely to have less control over their jobs, work-load pressure from monitoring, more argumentative interactions with customers, and less fairness in their work. With the major increase in stress, employees have also been found reporting psychological and physical health issues.

Works Cited

Department of Health and Human Services. (n.d.). Security Standards: Technical Safeguards. Retrieved October 06, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Mishra, J., & Crampton, S. M. (1998). EMPLOYEE MONITORING: PRIVACY IN THE WORKPLACE? Retrieved from http://faculty.bus.olemiss.edu/breithel/final%20backup%20of%20bus620%20summer%202000%20from%20mba%20server/frankie_gulledge/employee_workplace_monitoring/employee_monitoring_privacy_in_the_workplace.htm

www.twc.state.tx.us. (n.d.). INTERNET, E-MAIL, AND COMPUTER USE POLICY. Retrieved from http://www.twc.state.tx.us/news/efte/internetpolicy.html

Potential health risks related to cellular phone technology on human health - Week 4


In the communication industry, the use of telephones is significant and warmly welcomed for human use. The World Health Organization (WHO) reports an estimated 6.9 billion mobile phone subscriptions globally (World Health Organization, 2014). In both wired and wireless communication, signals are transmitted and received in the form of radio frequency (RF) (analog) and electromagnetic waves in the case of digital media. The electromagnetic waves are non-ionizing radiation, meaning they can move atoms in a molecule but not enough to ionize them (displace or remove electrons). High-energy radiation such as X-rays or gamma rays is seriously hazardous to the human body. Exposure of the human body to radio waves for a longer duration can cause heating, leading to tissue burns and skin diseases, but there are no clear indications of damage to blood cells due to the exposure. The frequencies used in mobile phones range from 900 MHz to 2.1 GHz with a power of 0.1 to 2 watts. The exposure to the human body varies with wavelength, distance, handheld vs. hands-free use, and length of the call (World Health Organization, 2014).

Health effects

It is certain that longer use of cell phones can heat body cells and most likely affects the soft tissue of the brain, as the phone is used close to the head. According to NIH, the only biological effect of radiofrequency energy is heating, and there has been no factual evidence of brain tumors or cancers. On the other hand, the study from the World Health Organization Regional Office for Europe's Health Evidence Network (HEN) on the impact on developing head and brain tumors (benign and malignant) concluded that the evidence did not support the hypothesis, but found an increase in the risk of acoustic neuroma after 10 years or more of mobile phone use (World Health Organization and Health Evidence Network (HEN), 2006). Exposure to the radiation can cause short-term and long-term effects on the human body.

Short term effect

The brain performs all the electrical activity of the human body, and the nerves transfer these signals to different parts, including the skin. The radiation generated by cell phones can heat the human body, most likely the skin of the ear and head. This can increase the temperature of the exposed part of the body, affecting its electrical activity. People tend to keep cell phones near the heart, and this can cause heating in the exposed part and affect neural functions related to the heart. Studies from health organizations do not suggest any evidence of health effects due to exposure to radio frequency, but in practice the temperature of the exposed tissue increases (World Health Organization, 2014). The other hazard of cell phone use is battery explosion, which causes serious burns to the human body and sometimes leads to death.

Long term effect

Longer exposure to radio frequency can cause human health effects, most probably at the lowest level of effect of the high radiation waves. Again, the length of exposure to the radiation will determine the effect on the human body. The Interphone study report from the World Health Organization in 2010 concluded that the median lifetime cumulative call time was around half an hour each day, and this trend is slowly decreasing due to hands-free technology and texting, which prevent bringing the cell phone closer to the brain cells. Most discussion in the world at present is about brain tumors and damage to blood cells. People using cell phones close to the brain for a long time might be exposed to the radiation, and slowly this radiation can damage blood cells and also cause some damage to the temporal region of the body. Effects on brain cells, stem cells, and skin lead to ruptures in DNA that stop cell growth, leading to a blood barrier in the human body. People keeping cell phones close to the reproductive organs can suffer damage to their sperm count, leading to infertility. The exploratory study conducted by the Weston A. Price Foundation (WAPF) on ten human subjects exposed to cell phone radiation as a stressor illustrated substantial changes in the blood from short-term cell phone radiation exposure in nine out of ten subjects (Weston A. Price Foundation, 2015). So several studies have been conducted by various health organizations to verify the possibility of brain cancer due to exposure to cell phone radiation for a long time, but there has not been any definitive study that proves the theory. The research results depend on various measuring factors such as duration of use, the participant's health condition, age, frequency of the radiation, and many more, which are always volatile, and results cannot be replicated.
On the other hand, cell phone use among children is increasing day by day, and the radiation might affect brain cells, but research conducted in the US, Spain, Denmark, Sweden, Norway, and Switzerland has not proven any cases of brain cell damage or cancer.

Works Cited

CTIA-THE WIRELESS ASSOCIATION. (2015). Background on CTIA's Wireless Industry Survey. CTIA-The Wireless Association.

Weston A. Price Foundation. (2015, January 16). Does Short-term Exposure to Cell Phone Radiation Affect the Blood? Retrieved October 28, 2015, from http://www.westonaprice.org/modern-diseases/does-short-term-exposure-to-cell-phone-radiation-affect-the-blood/

World Health Organization. (2014, October). Electromagnetic fields and public health: mobile phones. Retrieved October 28, 2015, from http://www.who.int/mediacentre/factsheets/fs193/en/

World Health Organization and Health Evidence Network (HEN). (2006). What effects do mobile phones have on people’s health? Copenhagen: WHO Regional Office for Europe.

Issue Specific Security Policy (ISSP)

For my CIS-608 class, I need to draft a generic, sample Issue Specific Security Policy (ISSP) that would be useful to any home computer user. So I have prepared a sample Issue Specific Security Policy (ISSP) for my household: "Security Policy Document for use of personal devices in Khadka household". Please review and provide feedback on my work:

Statement of Policy

This document establishes a policy for the use of personal devices (cell phones, tablets, home computers, etc.) within the Khadka household premises, to protect the sensitive information of family members, relatives and visitors and the security of the Khadka house.
This document was developed because the use of personal devices within the Khadka household by visitors, guests and neighbors increased during the last year, which created a threat to the security of household assets. The use of personal devices on the household network for personal communication, work-related connections, gaming, television networks and software created more threats to the firewalls and injected malware into the network, which caused lots of downtime for network repair during peak hours and slowness in browsing.
This policy applies to all members of the Khadka family, guests, visitors and others using personal devices (cell phones, tablets, laptops, etc.) within the premises.
Failure to comply with the security requirements and policies will result in disciplinary action, legal issues and restriction of network access at any time inside the premises. Non-compliance includes willful or negligent misuse of personal devices, use of personal devices for personal communication at family gatherings, use of the home network on personal devices at the dining table, use of computer software for gaming and video streaming for over 2 hours continuously, and negligence of the security policies that endangers the interests of Khadka family members.

All users agree to comply with the household code of conduct to protect household data. The use of personal devices and connection to the household network must be authorized and authenticated. Access to the Khadka household network is governed by the following rules:
  • Access must be authenticated and verified for visitors and guests.
  • Use of computers, laptops and other devices within the household must be authorized.
  • Use of the gaming station and TV network must be authorized and monitored.
  • Children under the age of 16 must follow the time-limit guideline (2 hours) for use of gaming devices, TV networks, mobile devices and computers.
  • Use of personal devices and connection to the network is restricted during family gatherings and after waking hours.
  • Access is revoked when visitors, guests or outside family members try to change the password or perform any infringement on the network.
  • Visitors, guests and outside members are required to use guest access to connect to the network.
All users and devices are required to comply with all existing security policies developed by the Khadka household as well as the current security policy. Some of the existing policies include:
  • Information security policy for Khadka household
  • Use of mobile and laptop policy
  • Wireless use policy
  • Remote access and device use policy
  • Network/Malware/Virus policy
  • Khadka family Privacy policy
  • Copyright Information policy
Personal devices, including mobile devices, laptops, tablets, personal computers, USB drives, etc., may be brought into the household premises, but connection to the network must be authorized and monitored. These devices are prohibited from accessing the Khadka household's communications or any personal information, and from sharing family members' personal information with the public. All guests/visitors must use the password-protected guest network for their devices. Any guest/visitor who needs to use a personal device for an emergency must be approved by an authorized house member.

A Khadka household member is solely responsible for monitoring the use of external devices on the home network. Khadka household members must safeguard the software, networks and any household devices provided to guests/visitors for any use. The Khadka household is responsible for creating the guidelines for device use on the intranet and for publishing the lists of approved devices, hardware and password-protected user accounts.

Guests/visitors/neighbors are prohibited from adding any software, personal passwords, network passwords or household data to their personal devices. Data includes email communication, house members' information, financial information, household personal files, any personal bookmarks, passwords and user accounts. Capturing images and videos of personal data is not authorized within the household premises. Pairing household devices with personal devices using Bluetooth is strictly prohibited unless explicitly authorized. Personal USB drives of any kind may not be used on the family network, hardware or software to store Khadka family information and data.

Failure to comply with the security requirements and policies will result in disciplinary action, legal issues and restriction of network access at any time inside the premises.

This policy will be reviewed and modified based on the family members' agreement at the end of every year.

The Khadka household is not responsible for any devices lost or stolen during unauthorized use within the Khadka home premises. Any device borrowed from the house must be reported to the Khadka household if it is stolen or lost.