Information Security
Information security includes company
policies, standards and solutions that should be incorporated in the
design of business processes and information flows to ensure access to
data is authorized. These company
policies and directives should also be followed by systems to ensure
that data cannot be inadvertently altered and is reliable.
Personnel Security
The
following personnel security components exist at KHA:
Operational Security: Risk
Assessment
Guiding Principle
The results of a risk assessment are only
the beginning of an ongoing process aimed at reducing the possibility
of, or degree to which, systems will be adversely affected by a security
event. KHA will continually update its assessments as components are
changed, and applications replaced.
Periodic reassessments are done to maintain
an accurate picture of the enterprise’s security posture. As results are
reported, changes in policy are made to better address the weak points
in the existing security program.
Systems’ Role in Risk Mitigation and Assessment
Systems incorporate in their design the
risk mitigation they decide to implement. The controls that a system
selects should address specific, identified vulnerabilities, or specific
identified threat-sources, thereby reducing the overall threat it faces.
The beginning of the system life cycle is the best time to address
security to ensure cost effective, interoperable solutions.
Systems should choose
controls or security goals after evaluating risks (risk-adjusted goals.
Costs affect goals and sources of costs are:
-
Capital costs
-
Hardware and software
purchases
-
Reduced operational
effectiveness, if system performance or functionality may be reduced
for increased security
-
Costs of implementing
additional policies and procedures
-
Costs of hiring additional
personnel to implement proposed policies, procedures, or services
-
Training costs
A system should adjust
security controls using the following guidelines:
-
If control would reduce
risk more than needed, then see if a less expensive alternative exists
-
If control would cost more
than the risk reduction provided, then find something else
-
If control does not reduce
risk enough, then look for more controls or a different control
-
If control provides enough
risk reduction and is cost-effective, then use it
Physical Security
The following are physical
security measures in place at KHA:
-
The KHA
IT servers will be
in the Data Center, a secure building that is equipped to protect them
from natural threats such as floods, earthquakes, and electrical
storms, and environmental threats such as long-term power failure,
pollution, chemicals, liquid leakage. The Data Center has voltage
regulating transformers, uninterruptible power supplies, and on-site
power generators.
-
Only employees who are US
persons can enter the Data Center. Please refer to the HR System for a
definition of a US Person
Network Security
The following are network
security measures:
-
Network
Security is a vital component of every area of security, whether it be
information, operational, physical or personnel security. KHA
systems are contained within the KHA intranet. KHA
intranet is protected from the Internet by use of a Firewall. The
Firewall has the DNS server, Mail and HTTP content-scanning servers
(for protection against viruses or malicious ActiveX controls, and for
scanning of keywords, addition of disclaimers, etc), Reverse-proxy
servers and WAP gateways.
The
diagram below shows KHA’s Firewall: |