Introduction
This page contains more information about the five components of security at DMC:
Information Security
Personnel Security
Operational Security
Physical Security
Network Security
Information Security
To be defined later
Personnel Security
The following personnel security components exist at DMC:
Operational Security
Risk Assessment
Guiding Principle
The results of a risk assessment are only the beginning of an ongoing process aimed at reducing the possibility of, or degree to which, systems will be adversely affected by a security event. DMC will continually update its assessments as components are changed and applications replaced.
Periodic reassessments are done to maintain an accurate picture of the enterprise’s security posture. As results are reported, changes in policy are made to better address the weak points in the existing security program.
Systems’ Role in Risk Mitigation and Assessment
Systems incorporate in their design the risk mitigation they decide to implement. The controls that a system selects should address specific, identified vulnerabilities, or specific, identified threat-sources, thereby reducing the overall threat it faces. The beginning of the system life cycle is the best time to address security to ensure cost-effective, interoperable solutions.
Systems should choose controls or security goals after evaluating risks (risk-adjusted goals). Costs affect goals, and sources of costs are:
· Capital costs
· Hardware and software purchases
· Reduced operational effectiveness, if system performance or functionality may be reduced for increased security
· Costs of implementing additional policies and procedures
· Costs of hiring additional personnel to implement proposed policies, procedures, or services
· Training costs
A system should adjust security controls using the following guidelines:
· If a control would reduce risk more than needed, then see if a less expensive alternative exists.
· If a control would cost more than the risk reduction provided, then find something else.
· If a control does not reduce risk enough, then look for more controls or a different control.
· If a control provides enough risk reduction and is cost-effective, then use it.
Physical Security
The following are physical security measures in place at DMC:
- The DMC IT servers will be in the Data Center, a secure building that is equipped to protect them from natural threats such as floods, earthquakes, and electrical storms, and environmental threats such as long-term power failure, pollution, chemicals, and liquid leakage. The Data Center has voltage regulating transformers, uninterruptible power supplies, and on-site power generators.
- Only employees who are US persons can enter the Data Center. Please refer to the HR System for a definition of a US Person.
Network Security
The following are network security measures:
- Network Security is a vital component of every area of security, whether it be information, operational, physical or personnel security. DMC systems are contained within the DMC intranet. The DMC intranet is protected from the Internet by use of a De-Militarized Zone (DMZ). The DMZ has the DNS server, Mail and HTTP content-scanning servers (for protection against viruses or malicious ActiveX controls, and for scanning of keywords, addition of disclaimers, etc.), Reverse-proxy servers and WAP gateways.
The diagram below shows DMC’s DMZ: