Byoungcheol Jeong
Rohit Kumar
John Carlo Malto
Kamal Rathnayake
Introduction:
The company's security posture is in a critical state, and a security plan is needed to address the
basic concerns. We examine every aspect of the organization and apply security concepts so that the
company has at least a reliable baseline of controls. We also develop an information security blueprint
that the company can use for its current and future security planning and implementation.
Content:
Strategic:
Because the company currently has no security policies, the following policies must be developed.
Encryption Policy
Sensitive data must be stored in encrypted form. Data transferred over any channel must be encrypted,
and certificate-based authentication and signing must be used to provide integrity and
non-repudiation.
Account Policy
An account policy must be implemented and enforced so that user accounts, including their passwords
and their level of access, are properly managed. Specific rules are needed for account creation,
maintenance, and deletion.
Password Policy
User passwords are confidential and must not be shared with anyone inside or outside the company.
Passwords must have a minimum length and an expiry period.
SDLC Policy
Systems must be separated into production, test, and development environments.
Backup Policy
Data must be backed up so that any lost data can be recovered when an incident or system fault occurs.
SETA Policy
Once the policies are in place, a culture of security awareness must be developed for every employee
of the company. It cannot be emphasized enough that security is everyone's responsibility, which is why
the company must run Security Education, Training and Awareness (SETA) programs. SETA must be
delivered regularly and through multiple channels.
Tactical:
Access Control Tactical
Access must be grantable per user whenever a business requirement arises. This requires an access
control mechanism that grants program-level (function-level) access to roles and to individual users.
Each subsidiary must have its own separate roles, and users of one subsidiary must never be granted
access to another subsidiary's resources.
Encryption Tactical
As the encryption standard, all sensitive data handled by any user or function must be protected with a
current, widely reviewed algorithm. SHA-2 is a family of hash functions, not a cipher: it is appropriate
for storing password digests (salted), but data that must be read back later needs a reversible cipher
such as AES-256 in an authenticated mode, with keys managed separately from the data.
With this standard in place, access control and passwords can be managed more safely and efficiently.
Password Tactical
Password standards: following an ISO-based password standard, passwords must be at least 8 characters
long and must include at least one upper-case letter, one lower-case letter, one digit, and one special
character.
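The strategic password policy (confidential, minimum length, expiry period) and the tactical standard above can be enforced by a single validator. The following is an added example, not code from the report; the 90-day maximum age is an assumed value, since the policy only says that passwords must expire.

```python
import re
from datetime import date, timedelta

# Policy as written in the tactical section: length >= 8 and one character from
# each of four classes. max_age_days is an assumption; the report gives no number.
POLICY = {
    "min_length": 8,
    "max_age_days": 90,
    "classes": {
        "upper": re.compile(r"[A-Z]"),
        "lower": re.compile(r"[a-z]"),
        "digit": re.compile(r"[0-9]"),
        "special": re.compile(r"[^A-Za-z0-9]"),  # anything else, including space
    },
}


def check_complexity(password, policy=POLICY):
    """Return the names of the rules the password fails; an empty list means it passes.
    Returning every failing rule (not just the first) lets the UI tell the user
    exactly what to fix."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("min_length")
    for name, pattern in policy["classes"].items():
        if not pattern.search(password):
            failures.append(name)
    return failures


def _to_date(d):
    # Accept either a date object or an ISO-8601 string such as "2024-01-31".
    return d if isinstance(d, date) else date.fromisoformat(d)


def is_expired(last_changed, today=None, policy=POLICY):
    """True when the password is older than the policy's maximum age."""
    today = _to_date(today) if today is not None else date.today()
    return today - _to_date(last_changed) > timedelta(days=policy["max_age_days"])


def evaluate(password, last_changed, today=None, policy=POLICY):
    """Combined check used at login or password-change time."""
    return {
        "complexity_failures": check_complexity(password, policy),
        "expired": is_expired(last_changed, today, policy),
    }


if __name__ == "__main__":
    print(check_complexity("Passw0rd!"))            # []
    print(check_complexity("password"))             # ['upper', 'digit', 'special']
    print(is_expired("2024-01-01", "2024-06-01"))   # True
```

Length is measured in code points, so a non-ASCII password is counted the way a user sees it; the `special` class deliberately matches whitespace so passphrases are not rejected.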
SDLC Tactical
Developers, testers, and users must have different IDs for each of the separated systems.
No one may use real data for testing; scrambled (masked) data must be used instead.
The database serving the internal network and the database serving the internet must be separated.
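One way to produce the scrambled test data the SDLC tactics call for is keyed, format-preserving pseudonymization: sensitive columns are replaced by values of the same shape (letters for letters, digits for digits, punctuation kept) so that test cases still exercise the same parsing and validation paths, while the keyed digest keeps the mapping one-way for anyone who holds only the test database. This is an added example, not the report's own tooling; the key, the column names, the sample rows and the `example.test` mail domain are all constructed for illustration.

```python
import hashlib
import hmac
import string

# Assumed secret used only when generating test data. It must be kept with the
# production side, never in the test environment, so test values cannot be
# mapped back to real records.
SCRAMBLE_KEY = b"test-data-key-rotate-me"


def _digest(value, field):
    """Keyed digest: the same input always scrambles to the same output within
    one field (so foreign keys across tables stay consistent), but the field
    name in the input stops values from being correlated across fields."""
    return hmac.new(SCRAMBLE_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def scramble_text(value, field):
    """Replace letters with letters and digits with digits, keeping length, case
    and punctuation. Bytes of the 32-byte digest are reused for longer values."""
    d = _digest(value, field)
    out = []
    for i, ch in enumerate(value):
        b = d[i % len(d)]
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isupper():
            out.append(string.ascii_uppercase[b % 26])
        elif ch.islower():
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)  # separators such as '-', '.', ' ' are kept
    return "".join(out)


def scramble_email(value):
    local, _, _domain = value.partition("@")
    # Assumed test domain so scrambled addresses can never reach a real mailbox.
    return scramble_text(local, "email") + "@example.test"


# Which columns are sensitive and how each is scrambled.
SENSITIVE = {
    "name": lambda v: scramble_text(v, "name"),
    "email": scramble_email,
    "national_id": lambda v: scramble_text(v, "national_id"),
}


def scramble_row(row):
    """Scramble only the sensitive columns; business fields are left untouched."""
    return {k: (SENSITIVE[k](v) if k in SENSITIVE else v) for k, v in row.items()}


# Constructed sample "production" rows (not real data).
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Jane Doe", "email": "jane.doe@corp.example",
     "national_id": "AB-123456", "balance": 2500.00},
    {"customer_id": 1002, "name": "John Roe", "email": "john.roe@corp.example",
     "national_id": "CD-654321", "balance": 120.50},
]


def build_test_dataset(rows=PRODUCTION_ROWS):
    """Dataset to load into the test system in place of production data."""
    return [scramble_row(r) for r in rows]


if __name__ == "__main__":
    for r in build_test_dataset():
        print(r)
```

Because the digest is keyed and deterministic, a customer ID that appears in both `customers` and `orders` scrambles to the same value in both tables, so referential integrity in the test database survives the masking.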
Operational:
Access Control Policy
After user accounts are created, access to system functions must be granted explicitly. New users
start with no access at all. The database administrator grants only the access that is needed, and only
with the approval of higher management.
Encryption Policy
Applications must implement the approved encryption standard (a reversible cipher such as AES-256 for
stored sensitive data, salted SHA-2 based hashing for passwords). The database must store encrypted
data unmodified and return it unchanged when it is retrieved.
SDLC Policy
Testers may test only in the test system, using scrambled data in place of sensitive data.
Backup Policy
- Every table must have a backup interval that depends on the business impact of losing it.
- All tables must be backed up every night; important tables must be backed up more frequently.
Short-Term
o Covers months 0 to 4
o Must be monitored regularly
o Includes logging of activity and patching of systems
Mid-Term
o Covers months 4 to 8
o Includes implementation of the SETA program
Long-Term
o Review of policies and procedures
o Regular vulnerability scanning
o Review of risk exposure arising from new assets and activities
A short, regular quiz on information security will be part of employees' performance evaluation, to
ensure that they take security seriously.
- Before users can access a table, they must first be authorized for that table through an approved
permission request.
- Users hold different privileges depending on which tables they are authorized to access.
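The access-control rules above (tactical: roles per subsidiary with no cross-subsidiary access; operational: no access by default, grants made by the DBA only on management approval, privileges that differ per table) can be captured in one default-deny model. The following is an added example written for this report, not code from the company's systems; the subsidiary names, role names, table names and the `CR-2024-017` approval reference are constructed.

```python
from dataclasses import dataclass, field


class AccessError(Exception):
    """Raised when a grant violates the access-control policy."""


@dataclass
class Role:
    subsidiary: str
    permissions: set = field(default_factory=set)  # (table, privilege) pairs


@dataclass
class User:
    name: str
    subsidiary: str
    roles: set = field(default_factory=set)        # empty on creation: no access


class AccessControl:
    """Default-deny model: a user has no privileges until a role carrying them is
    granted, every role belongs to exactly one subsidiary, and a grant is only
    recorded when it carries a management approval reference."""

    def __init__(self):
        self.roles = {}
        self.users = {}
        self.audit = []   # (admin, user, role, approval_ref) for every grant

    def add_role(self, name, subsidiary):
        self.roles[name] = Role(subsidiary)

    def add_user(self, name, subsidiary):
        self.users[name] = User(name, subsidiary)

    def add_permission(self, role, table, privilege):
        """Privileges are attached per table, so a role may SELECT one table
        and INSERT into another without being able to INSERT into the first."""
        self.roles[role].permissions.add((table, privilege))

    def grant_role(self, admin, user, role, approval_ref):
        """The DBA grants a role only with an approval reference, and never
        across subsidiaries."""
        if not approval_ref:
            raise AccessError("grant requires a management approval reference")
        u, r = self.users[user], self.roles[role]
        if u.subsidiary != r.subsidiary:
            raise AccessError(
                f"role {role} belongs to subsidiary {r.subsidiary}; "
                f"user {user} belongs to {u.subsidiary}")
        u.roles.add(role)
        self.audit.append((admin, user, role, approval_ref))

    def is_allowed(self, user, table, privilege):
        """Authorization check: unknown users and users without roles get False."""
        u = self.users.get(user)
        if u is None:
            return False
        return any((table, privilege) in self.roles[r].permissions for r in u.roles)


def build_example():
    """Constructed scenario: two subsidiaries A and B with their own reader roles."""
    ac = AccessControl()
    for sub in ("A", "B"):
        ac.add_role(f"{sub}_sales_reader", sub)
        ac.add_permission(f"{sub}_sales_reader", f"{sub}.customers", "SELECT")
        ac.add_permission(f"{sub}_sales_reader", f"{sub}.orders", "SELECT")
    ac.add_role("A_sales_writer", "A")
    ac.add_permission("A_sales_writer", "A.orders", "INSERT")
    ac.add_user("alice", "A")
    ac.add_user("bob", "B")
    # Assumed approval reference from a change-request ticket.
    ac.grant_role("dba", "alice", "A_sales_reader", approval_ref="CR-2024-017")
    return ac


if __name__ == "__main__":
    ac = build_example()
    print(ac.is_allowed("alice", "A.customers", "SELECT"))   # True
    print(ac.is_allowed("alice", "B.customers", "SELECT"))   # False: other subsidiary
    print(ac.is_allowed("bob", "B.customers", "SELECT"))     # False: nothing granted yet
```

The audit list is what makes the "approval of higher management" rule checkable after the fact: every entry ties a grant to the administrator who made it and the approval it was made under, which is the evidence a periodic access review needs.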
Conclusion:
This company has many security problems relating to security policy, access control, and integrity
controls. We identified vulnerabilities in order to mitigate the impact of risks and to manage them. We
developed strategic, tactical, and operational plans that together form the company's information
security blueprint.