ABC Co. Memo: Establishing a formal Computer Security Policy

Scenario:

ABC company is a small but growing manufacturing company with revenues of approximately $25 million. Until now, the company has had a single headquarters and production facility in a Midwestern city, but it is building a separate sales office on the east coast which will open in a few months.

You are the Manager of IT at ABC, and you have been responsible for operating a basic set of computer applications in the Midwest office: order entry and fulfillment, financial and accounting systems, e-mail, and general office automation (word processing, etc.) You have been maintaining a Local Area Network connecting the office desktop computers to each other and to the applications running on the company servers, but there has been no access to these systems from outside the office.

You have been told by senior management that when the new sales office opens, the east coast staff must be able to enter new orders directly into the home office system using their desktop computers. They also need access to customer records and order status information. Furthermore, management wants to implement a new company website for customers to place orders online and to view their ordering history, current order status, and financial statement information without calling customer service.

You realize there are huge security implications implied by these changes. You have been uneasy in the past because the company has lacked a comprehensive computer security policy. Furthermore, most employees have not really understood all the security issues in the old "internal" computing environment. The new configuration with its networked offices and Internet-accessible elements will require more security awareness than ever. You see this as your opportunity, and imperative, to move the company to accept a formal corporate security standard. In the weeks ahead, you will begin to educate both management and system users regarding the components, necessity, and use of security standards for all of the new technologies that will be used, as well as for the current technology they have been using. In the end, you will develop all of this together into a complete corporate security program proposal.

Details: As the Manager of IT at ABC Manufacturing, you are approached by the CEO and the VP of HR with a very serious concern. Apparently a unidentified disgruntled employee, in an effort to embarrass the company and its senior managers, has gained access to the company payroll records and sent an anonymous email to many staff members publicizing the salary of every employee at Director level or above. This has caused widespread disruption and a demand for corrective action.

You realize that this incident highlights just one of many possible security risks in the company (which has never established a formal security policy), and you suggest to the two senior executives that it would be appropriate to take an overall look at the company's computer security status. The CEO agrees, and asks you to put together a 2-4 page memo defining the topic areas that should be covered in such a review. Your memo should identify the major subject areas included in the scope of the term "computer security" and its meaning within the Information Technology field. Make sure any citations are in APA format.

Please show all references: