Introduction and company description
Establishing an effective set of security standards and policies for a company of Toyota's magnitude requires a strategy for determining the vulnerabilities that exist in its computer systems and in the existing security controls and policies meant to control them. Since Toyota is an automotive sales distribution network, it requires an enterprise system to manage its distribution across the globe. It was the largest distribution company in Japan as of the report of March 31, 2009. The company's distribution network consisted of 290 dealers employing approximately 40,000 sales personnel. More than 4,800 sales and service outlets were in operation. By then the company owned 19 of these dealers. Daihatsu's sales distribution network consisted of 62 dealers employing 5,500 sales personnel and operating approximately 700 sales and service outlets. Developing a set of security policies that guard the company's operations, especially its computer technologies and related data usage, is therefore of immense value.
Objectives and goals of the security policy
What are the objectives of the security policies developed in this paper? Developing a set of policies brings benefits that are instrumental to the security strategy. Given the amount of data that Toyota deals with, both at headquarters and in the regions where it operates, the company must come up with a clear security strategy to ensure that information is not only safe but also in safe hands (Harrison, Ruzzo, & Ullman, 2012). Information about a company can sometimes be used by a competitor to bring that company down, which is why the strategy matters. Sometimes the best thing to do is to build a hard wall before the enemies strike, and this is the essence of the strategy. However, for the security strategy plan to hold water, we must come up with a policy to guide each area of operations. The policy will be useful in monitoring and testing compliance, conducting security risk assessments in the company, and carrying out the technically defined vulnerability assessments discussed in the previous paper. The following areas will be addressed in the security policy:
- Computer systems and Internet use
- Emails and other forms of communication
- Mobile devices and related electronics
- Data security policies, i.e. integrity controls and access controls.
- Computer systems and Internet use
Toyota Company's electronic devices and systems, including computers, fax machines and other internet access points, are intended strictly for company business and are to be used only for authorized purposes (Hill, Alvarado, & XYPRO Technology Corporation, 2004). Employees and other stakeholders of Toyota Company are allowed to use the electronic systems briefly and occasionally for personal purposes, provided that the usage is appropriate and not excessive. This is allowed only during personal time, for instance lunch breaks, and the use must not result in any kind of expense or harm to Toyota Company; otherwise the policy is violated.
Use is considered excessive when the use of the computer, email and internet interferes with normal work functions and operations, impairs employees' ability to perform their daily duties satisfactorily, or reduces responsiveness in emergencies and related incidents. Internet applications should not be used to solicit or sell products and services that are not related to business conducted by Toyota Company.
Additionally, the internet should not be used to intimidate, distract or harass co-workers or clients, or to disrupt the activities of the workplace. The use of Toyota Company computer systems, internet access and networks is a privilege awarded by the company to its employees (Harrison, Ruzzo, & Ullman, 2012) and can be revoked whenever inappropriate use is registered. Inappropriate use includes, but is not limited to, the following: deleting, erasing, destroying or concealing Toyota Company files or relevant data; misrepresenting oneself or the company; and using abusive language toward customers and other relevant stakeholders of the company.
- Emails and other forms of communication
As stated in the first policy above, the computer systems and electronic mail made available to Toyota Company employees in whatever capacity are the property of the company and should be used only to meet the goals and objectives of the company, not for personal purposes such as communicating with family or friends (Burns, Price, Nye, Scowcroft, Aspen Institute, & Aspen Strategy Group, 2012). The company allows personal use of email where it does not hurt the operations of management and the company as a whole, as explained above. The email security policy focuses on three parts: email retention, general email policy and automatically forwarded email.
Under the email retention policy, the company will specify for employees how much information is to be kept and for how long. Emails retained by employees can sometimes be quite important to management. Emails that require the compliance and attention of management, such as those touching on reputation, should be released as soon as they arrive. The general email policy ensures that email is used properly in the company (Harrison, Ruzzo, & Ullman, 2012): emails must not be used to abuse others on the basis of race, gender or sex, or for any form of harassment such as sexual harassment. On email forwarding, no emails will be automatically forwarded without the approval of management, and the rules for automatic forwarding will be clearly set out by management.
- Mobile devices and related electronics
New programs, applications, features and commands are being added to mobile devices, in this case phones, so it is worth noting that mobile devices have much in common with the desktop computers in our offices and the laptops used by the CEO of the Toyota group. Any mobile device that holds data owned by Toyota Company, whether the device is owned by an individual staff member or by Toyota, must lock its screen after being idle for a minute or more. Secondly (Harrison, Ruzzo, & Ullman, 2012), employees must create a new password, not the one provided by the voicemail service or the phone.
Further, no employee may add any information or data owned by Toyota to a personal mobile device without the consent of management. Lastly (Harrison, Ruzzo, & Ullman, 2012), any employee who is given a phone or other mobile device owned by Toyota, or who is given permission to add Toyota-owned information or data to their own mobile device, must agree to report any theft or loss of the device to management within a day, and must accept having the phone's information or data wiped by the company's network in the event of theft or loss in order to protect that data.
- Data security policies, i.e. integrity controls and access controls.
One of the fundamental roles of the Toyota management board is to ensure adequate security of the data and information within its control (In O’Byrne, 2013). Access control deals with determining the operations allowed to legitimate users and mediating all attempts by users to access system resources. Access to all Toyota Company systems will be granted only after a serious and rigorous authentication process. Authentication will rely on passwords, which will be changed as often as management wishes. All staff will be required to keep their passwords as safe as possible and not to share them with anyone not employed by Toyota.
Access to crucial documents will be under the authorization of management and the network professionals, who will make them available to other staff members only upon request and approval by information technology management. Management reserves the right to develop the access control list (Harrison, Ruzzo, & Ullman, 2012). The access control list ensures that only allowed users can access the organization's important data and information systems. Management will also develop integrity controls that will be applied when granting staff access. Through these mechanisms the security of the company's data will be guaranteed.
References
Burns, R. N., Price, J., Nye, J. S., Scowcroft, B., Aspen Institute, & Aspen Strategy Group (U.S.). (2012). Securing cyberspace: A new domain for national security. Washington, D.C.: Aspen Institute.
In O’Byrne, S. (2013). Data security, data mining and data management: Technologies and challenges.
Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (2012). “Protection in Operating Systems”, Communications of the ACM, Washington, D.C.: Aspen Institute.
Hill, T., Alvarado, E., & XYPRO Technology Corporation. (2004). HP Nonstop server security: A practical handbook. Amsterdam: Elsevier Digital Press.