Let's start a new assignment project together, Get Exclusive Free Assistance Now!

Need Help? Call Us :

Place Order

This Is An Information Security Consulting Assignment

Mar 13,23

Question:

Background:

This is an INFORMATION SECURITY CONSULTING assignment. So, assign a tutor who is really good at this subject as this is a really important assignment. The word count is 4000 words. Also, I want a plagiarism report along with the solution.

You will be given a case scenario about a fictional company. You will be required to submit a COMPREHENSIVE CONSULTING PROPOSAL to the company that addresses their needs and concerns.

The proposal should have the following sections (maximum of 9 pages not including title page, references and appendices. Each section must start on a new page):

  1. Title page
  2. Executive summary (maximum of 1 page)
  3. Information security risk management
  4. Information security strategy
  5. Information security policy
  6. Information security education, training and awareness (SETA)
  7. References

Further:

Sections 3, 4, 5 and 6 must be divided into two sub-sections:

  • Case analysis (The problem)
  • Potential consulting services.(A solution from a consultant perspective)

Please do not engage in cost-estimation of any kind, and you can assume that you have access to personnel with the skills required to carry out the proposed services.

Use do not need academic references to support your arguments. However, all references you do use should be formatted in Harvard style.

How does the organization want to protect its primary asset should be the main perspective while drafting the solution. How is it going to deal with the risk of knowledge, that somebody will steal their capability. If you think that their capability can be protected by the IT team by simply putting more controls on the corporate IT Structure and completely ignore the rest of the organization, that is a mistake. Think from every perspective while drafting the answer.

The answer should not be general at all, they should be linked to the case and then explaining the same i.e. substantiate where the answer is coming from, in

terms of theories and principles.

The main answers have to be derived from the case scenario provided only. Just for some additional info i.e. for digging deeper into a problem for a particular answer, I have linked the other 2 documents which are the policies along with the case scenario. Please make sure all the guidelines are followed.

IT Incident Response Plan

This Incident Response Plan is documented to provide a well-defined, organized approach for handling any potential threat to computers and data, as well as taking appropriate action when the source of the intrusion or incident at a third party is traced back to the TextileTech private network. This Incident Response Plan identifies and describes the roles and responsibilities of the Incident Response Team. The Incident Response Team is responsible for putting the plan into action.

Incident Response Team

The Incident Response Team is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications.

The Incident Response Team’s mission is to prevent a serious loss of profits, client confidence or information assets by providing an immediate, effective and skilful response to any unexpected event involving computer information systems, networks or databases.

The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Incident Response Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The IT Manager will coordinate these investigations.

Incident Response Team Members

IT Manager

Network Administrator Systems Administrator Help Desk Officer Legal Counsel

Incident Response Team Notification

For ease of reporting, and to ensure a timely response 24 hours a day, seven days a week, the IT Department Help Desk will act as the central point of contact for reporting any incidents.

All computer security incidents reported to Help Desk must be reported to the IT Manager. A preliminary analysis of the incident will take place by the IT Manager that will determine whether Incident Response Team activation is appropriate.

Types of Incidents

There are many types of computer incidents that may require Incident Response Team activation. Some examples include:

  • Breach of personal information
  • Denial of service/Distributed denial of service
  • Excessive port scans
  • Firewall breach
  • Virus outbreak

Breach of Personal Information — Overview

This Incident Response Plan outlines steps our organization will take upon discovery of unauthorized access to personal information on an individual that could result in harm or inconvenience to the individual such as fraud or identity theft. The individual could be either a client or employee of TextileTech

Personal information is information that is, or can be, about or related to an identifiable individual.

It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Most information the firm collects about an individual is likely to be considered personal information if it can be attributed to an individual.

Personal information is defined as an individual’s first name or first initial and last name, in combination with any of the following data:

  • Driver’s license number or Identification Card number
  • Financial account number, credit or debit card number
  • Home address or e-mail address
  • Medical or health information

Definitions of a Security Breach

A security breach is defined as unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information maintained by TextileTech. Good faith acquisition of personal information by an employee or agent of our company for business purposes is not a breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Employee Responsibilities

All firm employees must report any suspected or confirmed breach of personal information on individuals to the IT Department immediately upon discovery. This includes notification received from any third-party service providers or other business partners with whom the organization shares personal information on individuals.

The employee reporting the suspected breach will assist in acquiring information, preserving evidence and providing additional assistance as deemed necessary by the IT Manager or other Incident Response Team members throughout the investigation.

Classification / Identification of a Potential Incident

All reports of a potential incident shall be classified as a high/medium/low risk to facilitate the actions to take. Criticality: High

Definition: Incidents that have a monumental impact on the firm’s business or service to clients. Example: Unauthorized system access.

Criticality: Medium

Definition: Incidents that has a significant or has the potential to have a monumental impact on the firm’s business or service to its clients.

Example: Password cracking attempt.

Criticality: Low

Definitions: Incidents that has the potential to have a significant or monumental impact on the firm’s business or service to its clients.

Example: Firewall scanning.

2

Response

Once a potential incident has been reported, the appropriate member of the IT Department should be notified for response. Members of the IT Department will be responsible for performing the initial investigation to determine if an incident has occurred. The following checklist identifies steps that can be used to facilitate in classifying the incident, if one in fact has occurred:

  • Collection and review of log files
  • Review of installed or running privileged programs
  • Inspection for system file tampering
  • Sniffer or Network Monitoring Programs reports
  • Detection of unauthorized services installed on systems
  • Evidence of password file changes
  • Review system and network configurations
  • Detection for unusual files
  • Examination other hosts

Note: In responding to a reported incident, it may be good prudence to shut down any or all systems for the stopping of an attack in real time and/or the preservation of any potential forensic evidence.

Recovery

The main purpose of this Incident Response Program is to ensure an efficient recovery through the eradication of security vulnerabilities and the restoration of repaired systems. Recovery includes the ensuring the attacker’s point of penetration and any associated vulnerabilities have been eliminated and all system operations have been restored.

Periodic Testing & Remediation

It is the responsibility of the IT Department to test and review the Incident Response Plan quarterly. When testing is done, each system should be scanned for the open vulnerability before remediation and then scanned again after the remediation to verify that the vulnerability has been eliminated.

Incident Response Plan Example

This document discusses the steps taken during an incident response plan.

  • Anyone who discovers the incident will contact the IT Help Desk. The Help Desk will log:
  1. Name of caller or source of incident alert (software notifications).
  2. Time of first
  3. Nature of the incident.
  4. What system(s) or persons were involved?
  5. Location of equipment or persons
  6. How incident was
  • The IT staff member who received the call will refer to their contact list for Incident Response Team to be contacted. The IT Help Desk will contact those designated on the list. The IT Help Desk will contact the IT Manager using both email and phone messages. The IT Help Desk will log the information received. The IT Help Desk could possibly add the following information to the report:
  1. Is the equipment affected business critical?
  2. What is the severity of the potential impact?
  3. Name of systems being targeted, along with operating system, IP address, and3

location.

  1. IP address or any other information about the origins of the
  • Contacted members of the response team will meet or discuss the situation over the telephone and determine a response
  1. Is the incident real or perceived?
  2. Is the incident still in progress?
  3. What data or property is threatened and how critical is it?
  4. What is the impact on the business should the attack succeed? Minimal, serious, or critical?
  5. What system or systems are targeted, where are they located physically and on the network?
  6. Is the incident inside the trusted network?
  7. Is the response urgent?
  8. Can the incident be quickly contained?
  9. Will the response alert the attacker and do we care?
  10. What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
  • An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:
  1. High – Incidents that have a monumental impact on the firm’s business or service to clients.
  2. Medium – Incidents that has a significant or has the potential to have a monumental impact on the firm’s business or service to its
  3. Low – Incidents that has the potential to have a significant or monumental impact on the firm’s business or service to its
  • Member of the IT Department will use investigative techniques, including reviewing of system logs, looking for gaps in logs, reviewing intrusion detection or firewall logs and interviewing witnesses to determine how the incident was caused. Only authorized personnel should be performing interview or examining IT systems. A chain of custody must be established and all potential evidence preserved and secured for turnover to proper
  • Incident Response Team will recommend changes to prevent the occurrence from happening again or spreading to other systems.
  • The IT Department will restore the affected system(s) to the pre-incident state and assess potential
  • Post-mortem review of response and update policies – take preventive steps so the incident doesn’t happen
    1. Would an additional policy have prevented the incident?
    2. Was a procedure or policy was not followed which allowed the incident? What could be changed to ensure that the procedure or policy is followed in the future?
  1. Was the incident response appropriate? How could it be improved?
  2. Was every appropriate party informed in a timely manner?
  3. Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
  4. Have changes been made to prevent another incident? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, ?
  5. Should any security policies be updated?
  6. What lessons have been learned from this experience?

Company Policies

Information Security Policy

TEXTILETECH-61.00

DOCUMENT ID: TEXTILETECH-­‐61.00 Issue 1 Internal Use Only Page 1 of 20

Contents

Introduction

1.1 Commitment

The management of TEXTILETECH is committed to communicate, implement and enforce the following objectives for information security:

▌ Compliance with the TEXTILETECH Group information security policies and standards including:-

  • TEXTILETECH Group Management Policy (GMP) – Information Security Management.
  • TEXTILETECH Global Network Security Rules (GNSR), published on the

TEXTILETECHGroup Intranet.

▌ Compliance with Government legislation and regulations including those related to: the privacy of personal information; the protection of company information and financial records; the protection of critical IT Infrastructure and data from theft, tampering or misuse; the protection of copyright and intellectual property rights.

▌ Compliance with industry-standards for Information Security Management Systems and IT Security Controls when this is a critical business and/or customer requirement and is approved by the Executive Management Team. For example:

  • ISO/IEC 27001:2013 – Information Security Management

▌ Preserving the confidentiality, integrity and availability of customer-owned or customer-specific data, especially when this has been entrusted to TEXTILETECH for safeguarding as part of a contract or agreement.

▌ Preventing harm to the TEXTILETECH and ARCTICFIBER brands and reputation by taking all reasonable measures to identify, assess and mitigate any serious risks that might cause loss, damage or leakage of sensitive company information.

▌ Developing “good-practice” business-processes related to information security management that are efficient, effective and integrated with normal operational procedures.

1.2 Risk Management and benefits

This company-level policy is designed to mitigate the risk of:

▌ Prosecution or penalty for breach of government legislation or regulation.

▌ Financial penalty or sanction for:

  • breach of industry regulation
  • non-performance related to contract terms and conditions
  • breach of Intellectual Property Rights (IPR) or Copyright

▌ Damage to company reputation or brand due to a media-publicised security- breach.

▌ Loss of:

  • business opportunities due to a media-publicised security-breach
  • productivity (disruption of business-operations) due to a major security incident
  • competitive-advantage or future-revenues due to leakage of sensitive information
  • future-revenues due to theft or leakage of company intellectual property (IP)
  • business viability due to a catastrophic and unexpected disaster-event

1.3 Scope

This policy applies to all executives and employees of TEXTILETECH as well as all contractors, consultants, temporaries, trainees, visitors and any other third parties working for the Company while accessing the Company’s Information Assets.

Company Policies Information Security Policy

Requirements for Information Security

TEXTILETECH’s Information Security Policy is designed to protect the confidentiality, integrity and availability of company information, including proprietary information and information entrusted to the company for safeguarding by customers, business partners or suppliers.

To achieve this goal the company has implemented a defence-in-depth strategy organised into 12 control objectives.

  1. Manage information security at all levels of the organisation, as an effective business process, in accordance with business requirements, relevant laws and
  2. Maintain effective controls to prevent information leakage or unauthorised tampering of company information at all stages of the information-lifecycle (creation, editing, distribution, storage, archive, and disposal) regardless of media-type.
  3. Maintain an effective security program (policies, procedures, guidelines, education and training) to ensure that all employees, contractors and service-providers are aware of typical workplace security threats or vulnerabilities and their security-related roles and
  4. Maintain secure network architecture to protect classified company information during transmission and
  5. Restrict physical access to secure areas and critical information systems. Ensure that critical information systems are protected from environmental hazards, disruption of ancillary services and are located in an approved IT Facility.
  6. Ensure that all IT endpoints and portable “Smart Devices” are adequately configured

(hardened); effectively controlled by Corporate IT; and stored company data is, at all times, forcibly encrypted.

  1. Develop and maintain secure information systems and business
  2. Apply strong logical-access controls to information systems and IT
  3. Detect, classify, record and promptly respond to all security
  4. Track, monitor and record all access to classified company information. Detect and prevent unauthorised use of the company’s IT
  5. Regularly monitor, review, audit and improve the security
  6. Ensure that business-critical data and information systems are accessible, as required, to support business operations and that all critical information assets are recoverable as part of an agreed disaster-recovery

Associated with each control objective is a set of requirements that together form the TEXTILETECH Information Security Policy.

The requirements are derived from the Group Management Policies (GMP) that apply to the TEXTILETECH Group as a whole, including all subsidiaries.

The Information Security Policy is supported by a set of company-level documents that describe the “systems and processes” in place to achieve the above security objectives. These documents are published on the Intranet.

Control Objective: Manage information security, at all levels of the organisation as an effective business process, in accordance with business requirements, relevant laws and regulations.

▌ All managers are responsible to ensure that the security measures outlined in this policy are implemented effectively within their business-unit and must actively support the activities and objectives of the Information Security Management business process.

▌ Senior managers and IT Asset Owners are responsible to ensure that there are sufficient resources to implement and operate the security controls effectively and that these resources are trained, qualified, skilled, and competent to perform their required tasks.

▌ The Chief Information Security Officer (CISO) has overall responsibility to sponsor and support a company-level Information Security Management System (ISMS) that is aligned with this security policy and achieves the business objectives outlined in section 1.1.

▌ The CISO is responsible to ensure that company-level security policies are developed and to monitor and review the performance of the Information Security Management Systems.

▌ The CISO is responsible to designate the company-level role of Information Security Manager with roles and responsibilities defined, as a minimum, by TEXTILETECH Group.

▌ Each Director must designate a “security representative” who will actively participate in an “Information Security Steering Committee (ISSC)” and assist to achieve the company security objectives.

▌ The Information Security Manager (ISM) is responsible to co-ordinate the activities of the ISSC and to provide the security related reports, metrics, KPI’s to each ISSC meeting.

▌ The objective of the Information Security Management process is to ensure that the company level ISMS is implemented, operated, monitored and improved efficiently and effectively. Also, that all major risks related to information security are identified, assessed, analysed and reported to the responsible Director for either mitigation or acceptance.

Control Objective: Protect classified company information at all stages of the asset-lifecycle (creation, sharing, distribution, storage, archival, and disposal) regardless of media-type

▌ Employees who have a job-requirement to collect, handle, store, dispose and disclose the personal information of customers or other employees must apply the strict measures described in the security policies & procedures below and comply at all times, with the relevant laws and Government guidelines.

▌ Company information must be classified in terms of its value, sensitivity and criticality to the organisation.

▌ Company information that is not valuable, sensitive or critical has no business impact if it is lost, damaged, stolen, altered or disclosed and does not need to be classified or controlled.

▌ Classified company information must be assigned an owner and labelled appropriately to ensure that it is handled, shared, distributed, edited, stored and disposed of securely.

▌ Classified company information must be encrypted when it is taken, stored or used outside the company. This general principle applies irrespective of the transmission-medium or physical storage device.

▌ It is prohibited to store classified company information on any personal- owned equipment unless the equipment meets the Corporate IT policy for an approved BYOD device.

▌ Classified company information that is no longer sensitive or critical must be de-classified and all labelling removed.

▌ De-classified or non-classified company information that no longer serves any useful purpose and there is no regulatory requirement for it to be archived must be disposed of or permanently destroyed by an approved method(s).

Control Objective: Maintain security policies, procedures, guidelines and training programs to ensure that all employees, contractors and third parties are aware of their security roles and responsibilities

▌ Managers are responsible to communicate and explain the security policy to Staff either individually or as part of regular team meetings, operational reviews etc.

TEXTILETECH employees will receive general Security Awareness Training as part of the “Staff Induction Program” when they join the company. The employee is required to read, agree and sign that they will comply with the security policy and associated security controls.

TEXTILETECH employees will receive annual Security Awareness Training specific to their workplace or job-responsibilities. This training may be delivered using an e-learning platform or as part of team-meetings. In all cases, the employee is required to read, agree and sign that they will comply with any workplace-specific or job-related security controls.

▌ Information about the Security Policy and related controls that is useful and relevant to all Staff will be promptly published and announced to Staff. The announcements will be made using e-mail, the Intranet, social-media tools or by posters pinned to “Staff Noticeboards” in high-visibility areas.

▌ Positions that have specific roles and responsibilities related to information security will have these requirements documented in the relevant Position Description (PD) and any new assignee to this position or role will need to read, agree and sign the PD.

▌ Positions that require administrator-level access to classified information will be identified and all candidates for these positions shall be subject to security- screening as part of the employee recruitment process.

▌ Rules for the acceptable use of IT Systems and the Internet shall be defined and communicated to all Staff as part of the Security Awareness Program. Any activities that would abuse or damage the IT Infrastructure or any high-risk activities that are strictly prohibited shall also be defined and communicated to all Staff periodically.

▌ Employees are required to comply with the Information Security Policy at all times. The company will exercise the right to monitor and audit the activities of employees and to retain logs of these activities in the event that a forensic investigation of a serious breach is needed

Control Objective: Maintain secure network architecture to protect classified company information during transmission and storage

▌ A strict “need-to-access” principle will be applied to all requests for access to network services.

▌ Information systems that are directly accessible from the Internet will be installed in an isolated and controlled network segment (DMZ). All devices installed in the DMZ must comply with the TEXTILETECH Global Network Security Rules (GNSR) including:

  • Operating Systems must be hardened to prevent known-vulnerabilities and close any unused services or
  • Automatic OS and AV patch-management will be
  • Strict Change Control procedures will be
  • Regular AV scans will be performed (minimum is two per annum).
  • All access to these systems will be logged and reviewed.
  • All system log files will be collected, filtered, analysed and

▌ All communications and connections from the Internet to the internal network or DMZ must be logged and filtered by an IPS. The log files from the IPS must be securely stored to support a forensic investigation/audit if needed.

▌ Any Development/Test environment must be firewall-isolated from the internal network.

▌ Critical information systems must be connected to an isolated and controlled network segment that is designed to restrict access to only those users who have a legitimate business-need to access these systems. All access to these systems and network will be logged and reviewed.

▌ Employees must not connect any personal-owned device to the company’s internal network without obtaining prior approval from Corporate IT.

▌ IT endpoints that do not comply with the SOE (Endpoint) policy will be quarantined and prevented from connecting to network services until the non- compliance is resolved.

▌ The utilisation of network resources will be monitored and a formal Capacity Plan will guide investment in network upgrades to ensure that projected demand for network capacity is planned and budgeted in advance.

Control Objective: Restrict physical access to secure areas and critical information systems. Ensure that critical information systems

are protected from environmental hazards, disruption of ancillary services and are located in an appropriate Facility

▌ Entry/Exit to any company premises must be controlled and managed. All access must be logged (date and time stamped). Access logs must be securely archived.

▌ The site perimeter must be protected to ensure access is restricted to controlled entry/exit points.

▌ All office areas must be lockable with access controlled by key or EACS (preferred).

▌ Staff who work in office areas and store or handle classified company information must be provided with access to a lockable cabinet and secure document-disposal bins or shredder.

▌ Areas that are accessible by the public or authorised visitors must be monitored and controlled at all times. Visitors must be escorted while they are on-site and are not permitted to enter secure areas without permission or supervision. Public areas include visitor reception, meeting rooms, showrooms, boardrooms, loading bays, courier pickups etc.

▌ Every site must have a purpose-built IT Facility for safe and secure siting of IT Equipment and information assets.

▌ Access to the IT Facility or office areas must require “single factor authentication (SFA)” based on an employee-ID card (EACS) or key (with log- book).

▌ Classified company information and critical information systems must be located in the IT Facility.

▌ Sites that store critical customer-data; highly sensitive company information; and business-critical information systems must have a purpose-built, secure Data Centre.

▌ Access to the Data Centre must require “two factor authentication (TFA)” based on an employee-ID card (EACS) and a biometric scan (e.g. fingerprint, retina etc.).

▌ The IT Facility Manager is responsible to maintain the environmental conditions and utilities for the facility and to ensure this equipment is monitored and controlled.

Control Objective: Ensure that all IT endpoints and portable “Smart Devices” are appropriately configured, adequately hardened and are controlled by Corporate IT

▌ All IT endpoints (fileservers, PC’s, Laptops and Hybrid Laptop/Tablets) must be controlled and hardened by Corporate IT (CIT). Endpoint configuration must comply with the SOE (Endpoint) standard published by CIT. This includes automatic installation of:-

  • All SOE software and
  • All OS security-patches, as soon as these are released by the OS
  • SOE Anti-Virus (AV) product, including regular and automatic installation of new AV signature-files.

▌ IT endpoints that do not comply with the SOE (Endpoint) standard are considered to be

“uncontrolled” and must be quarantined from the live environment.

▌ It is prohibited to connect a personal-owned IT endpoint to the live environment other than via the Remote Access (VPN) service provided by CIT.

▌ Any IT endpoint that is used off-site must have data-encryption software installed by CIT.

▌ All fileservers connected to the live environment must be registered, reviewed and approved by CIT, to ensure the device is appropriately hardened and complies with the SOE (Fileserver) standard.

▌ It is permitted to use a personal-owned (BYOD) Smart Device for mobile- working provided the Brand/Model is approved for business-use by CIT. Refer to CIT “white-list” of approved Smart Phones/Tablets.

▌ It is prohibited to install “unauthorised software” on any IT endpoint that connects to the live environment. This applies to BYOD and company-owned assets. Examples are:

  • Illegal, unlicensed or inappropriate
  • Material protected by copyright, trademark or
  • Illegal or offensive
  • Software that is specifically prohibited or “black-listed” by the

Control Objective: Develop and maintain secure information systems and business applications

▌ The security requirements for new information systems will be documented in the system design specification.

▌ The security requirements will consider the need to protect the confidentiality, availability and integrity of any company information that is stored or processed on the information system.

▌ The security requirements will consider the sensitivity of any information that needs to be shared with end-users or a third party; transmitted across networks; or archived; and will determine whether data-encryption controls are specified.

▌ Data validation of inputs and outputs will be designed and tested as part of the User Acceptance Testing (UAT) plans.

▌ The implementation of any new information system will strictly adhere to the formal Change Control process and will include a security risk assessment procedure.

▌ Access to Test Data will be controlled and the Test Data itself will be carefully selected and protected to ensure that it does not expose staff personal information or cause any leakage of classified company information.

▌ Access to source code will be strictly controlled and strong version-control of source code will be enforced by the Change Control process to ensure that only tested and authorised versions are released to the live environment.

▌ Development and testing of new information systems will be restricted to a Dev/Test environment that is firewall-isolated from the live environment. The rollout of a new information system from the Dev/Test environment to the live environment will be strictly controlled by the Change Control process.

Control Objective: Apply strong logical-access controls to information systems and IT Networks

▌ Access (Administrator, User or Guest) to IT systems, applications and networks must be controlled. Users must be uniquely identifiable and the user-identity must be authenticated before access-rights are granted.

▌ It is strictly prohibited for two or more employees to share a common or generic User-ID.

▌ The minimum requirement is “single factor authentication (SFA)” based on a User-ID and password.

▌ Access to the company’s internal network from a public network will require “two factor authentication (TFA)” based on a User-ID, token and password.

▌ All information systems, applications and networks must adopt the TEXTILETECH Group Password Policy for creating, resetting and managing user passwords. It is strictly prohibited for employees to be authenticated on the basis of a simple and/or static password. Complex, dynamic passwords (changed periodically) are required on all information systems that store and handle classified information.

▌ The user registration and de-registration process must be controlled for the entire life-cycle of the account.

▌ The de-registration process will be triggered whenever an employee terminates their employment (e.g. resignation, retirement, redundancy) or is transferred to a new role and access to an information asset is no longer a job-requirement.

▌ Access-rights to classified information must adhere to the “need-to-access” principle.

▌ Asset Owners will establish a formal procedure to review all access-control lists periodically (minimum period is yearly) and obsolete or unused accounts will be disabled or deleted.

▌ Default or temporary passwords will expire after the first session and the user will then be required to set a new password for subsequent sessions.

▌ Access to any IT Endpoint connected to the internal network will be automatically terminated after a period of “non-use”. This is outlined in the “clear screen policy”.

▌ The use of default or generic passwords to access and administer network devices is not permitted.

Control Objective: Detect, classify, record and promptly respond to all security incidents

▌ All security incidents must be reported to the IT Help Desk by phone or e-mail.

▌ All employees are responsible to report any security event or abnormal operations to the IT Help Desk so that these can be recorded and investigated.

▌ Any observed security threat that attempts to damage company information assets, or exploit a known-vulnerability or weak control must be reported as a security incident.

▌ All security incidents will be logged, classified and assigned to the appropriate workgroup for investigation, diagnosis and resolution.

▌ Major security incidents will be notified to the Information Security Manager and will follow the “major incident reporting” procedure that is provided by TEXTILETECH Corporation.

▌ All major security incidents will trigger the “Major Incident Review” procedure so that the root-cause(s) of the incident is diagnosed and a permanent solution is proposed. The solution (corrective or preventative action) will be recorded in the CPAR system and tracked until implemented and tested.

▌ Major security incidents will trigger the “Security Risk Assessment” procedure to ensure that the assessment inputs (business-impact; likelihood of attack; effectiveness of controls) are rated appropriately and the output (residual- risk rating) is accurate.

▌ Repeated or serious breaches of the Information Security Policy will be subject to a formal disciplinary process. Illegal activities will be referred to the appropriate authorities for investigation and the company may take measures to quarantine assets and preserve evidence.

▌ Records of information security incidents, including patterns, statistics and trends will be collected periodically as input to the activities of the Information Security Committee.

Control Objective: Track, monitor and record all access to classified company information

▌ Audit logs that record user activities, exceptions and information security events will be collected and securely archived for a minimum period of 1 year.

▌ Procedures that describe how the use of information systems and IT Facilities will be monitored will be produced and the data collected will be reviewed regularly, at least quarterly.

▌ Automated tools will be provided to collect, filter, analyse and report security events. Access to these tools will be controlled and restricted. The log information will be protected against loss, damage or tampering.

▌ All system administrator and system operator activities will be logged.

▌ Unexpected or abnormal system operations will be logged, analysed and if necessary, referred to the incident management process for diagnosis and resolution.

Control Objective: Regularly monitor, review, audit and improve the security controls

▌ The Information Security management process will define the objectives, metrics and target performance levels of all controls that are in-scope of the ISMS.

▌ The effectiveness of all controls will be measurable; the method for measuring control effectiveness will be defined; the control performance will be measured and compared to the target performance level; the results of control monitoring will be reported periodically to the ISC.

▌ The ISMS methods, procedures and records will be independently audited regularly; the minimum period is 1 year.

▌ The security controls will be independently audited regularly; the minimum period is 1 year.

▌ The results of control effectiveness measurements, ISMS audits, and security control audits will be promptly reported to the ISC along with recommended opportunities for improvement.

▌ The ISC will prioritise; approve; and allocate resources and funds to implement the improvement-actions so that the effectiveness of the ISMS and controls meet the target performance levels.

Control Objective: Ensure that business-critical data and information systems are accessible, as required, to support business operations and that all critical information assets are recoverable as part of an agreed disaster-recovery plan

▌ The business continuity management system (BCMS) will ensure that all business continuity plans include the requirement to protect the confidentiality, availability and integrity of any classified company information that needs to be recovered and restored as part of a major disaster-event.

▌ The BCMS will assess the risk that the disruption of a business process may have a negative consequence for information security and where appropriate, will ensure that the BCP mitigates this risk and securely protects classified company information from harm.

▌ The BCMS will develop plans and procedures to ensure that critical business information is accessible, as required, to meet the needs of business operations.

▌ The BCMS will develop plans and procedures to ensure that critical information assets are recoverable, following a major disaster-event, and that an agreed level of service can be restored within an agreed minimum time scale.

▌ A single BCMS framework will be maintained to ensure that all BCP plans are consistent and include information security requirements.

▌ The BCMS will ensure that all plans, procedures, methods and tools, that support data recovery and restoration following a major disaster-event, are tested and updated periodically. The minimum period is 1 year.

Delegations

3.1 Governance and Support

3.1.1 Chief Executive Officer

▌ The CEO has overall accountability for the endorsement, sponsorship and support of the company-level Information Security Management process

▌ The CEO shall delegate and appoint relevant organisational functions in the company with authority and responsibility for compilation of policies

3.1.2 Chief Information Security Officer

The Chief Information Security Officer (CISO),

▌ has delegated authority and overall responsibility for the company-level Information Security Management process

▌ shall ensure sponsorship and support of company-level Information Security Management System which is aligned the business objectives

3.2 Implementation

  • Directors and General Managers

▌ Communicate this policy to all employees

▌ Ensure that this policy is implemented throughout the organisation

▌ Encourage a culture of security-awareness and compliance with the policy

▌ Provide adequate resources to design, implement, maintain, monitor and improve the security controls

3.2.2 All Staff

▌ Ensure that all actions and activities are performed in accordance with this policy.

▌ If any circumstance requires an employee to breach this security policy so that they may fulfil the requirements of their job/contract, then the inconsistency should be reported to their line manager.

Document Information

Amendment History

Review and Approval

Role Name & Position Title Digital Signature
Author

Approver

Chief Information Security Officer

Chief Executive Officer

Reference Material

Copyright © 2018 TEXTILETECH Pty Ltd: Do not copy, distribute or modify in any form or manner without prior written consent of TEXTILETECH.

Classification: The information contained herein is classed as “Internal Use Only”

Version Control: The document is maintained and published on the TEXTILETECH intranet for reference. Printed copies are uncontrolled

Textile Tech Case Scenario

TextileTech (TexT) invents fabric with unique characteristics that has never been seen before. The firm has disrupted the textile and clothing industry by engineering innovative clothing that is better suited to today’s global climate. Their flagship product, ArcticFiber, is an insulating synthetic fleece made from recycled plastics that is lightweight, warm and soft while being very affordable. TexT is in the process of engineering ArcticFiberGamma – an advanced insulating material for military use. The new fabric will have active insulation that has superior capability in regulating core body temperatures in extreme weather. ArcticFiberGamma will have superior breathability and warmth, will be easy to dry and maintain, and will be extremely lightweight thereby making any derived clothing highly compressible – an important characteristic for the military.

TexT continues to innovate in this industry leading to new and sophisticated textile fibres that are wind resistant, water resistant, heat insulating, and moisture regulating. TexT’s competitive advantage lies in its highly complex and sophisticated processes used to transform recycled plastic bottles into synthetic fibres, engineer particular properties into the fibres as previously mentioned, and weave the fibres into a range of different fabrics. These processes are supported by sophisticated manufacturing systems operated by engineering teams that have specialised knowledge and experience, customized and unique high-tech tools and techniques, and digital stores of sensitive R&D information that contain valuable experiment and test data, previous designs of technologies and processes, strategy and planning documents as well as feasibility reports.

TexT has invested significantly in the digital transformation of its manufacturing production capability and reaped the benefits of increases of productivity (17-20%) and quality (15-20%). Aging industrial systems have been replaced by more sophisticated ‘smart manufacturing’ technologies that enable integration with IoTs, a bridge to the digital domain. TexT’s vision for its future manufacturing capability is the complete transformation of its supply chains into a smart network of connected intelligent and autonomous objects that communicate and interact with each other in real time. TexT’s corporate information infrastructure is physically distributed amongst the 15 key facilities that house its major operations. The firm has 20 to 30 networked servers (file, print, database, web, proxy and domain servers) and a few hundred desktop machines connected to the core network via Ethernet and/or wifi channels.

TexT’s intention to compete for lucrative military contracts around the world to supply army personnel with combat uniforms has significantly increased the risk that a competitor possibly backed by a nation-state will seek to replicate its capability by acquiring its trade secrets, test data, tools and techniques. Therefore, the firm has decided to undertake a full and comprehensive information security management review to assess the adequacy of the existing information security strategy given the strong likelihood of industrial espionage.

TexT is located in the state of Arizona (USA) where it occupies 50 acres of warehouses, factories and 15 key ‘facilities’ that house major operations. One of these is a three-storey building dedicated to corporate functions (business, IT, HR, executive management etc.). TextT does not have a dedicated information security unit. However, it does have an IT operations team (TexT-IT) that is responsible for the maintenance of the IT infrastructure. TexT-IT has a core five-person team lead by Sarah – an IT manager with over 20 years of experience managing systems and networks of which the last 10 have been at TexT. Sarah functions as the firm’s CIO. She reports directly to Melissa, the CEO of TextT. Sarah’s team of four are Andrew (network administrator), Dilip (systems administrator), and Brian (responsible for writing policies, training employees, and Nadia (helpdesk). In addition to the core IT team, there are IT Facility Managers responsible for each of the 15 main buildings or facilities on the premises of TexT.

IT Portfolios Primary Duties / Description Assignment
IT Manager Ultimately responsible for IT management across

TexT and liaising with other C-suite executives

Sarah
Network Administrator Responsible for designing network architectures, implementing them across TexT information infrastructure and configuring all network devices, evaluating network performance, securing network access, monitoring network

security activity, etc.

Andrew
Systems Administrator Responsible for effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software

and related infrastructure

Dilip
Managerial aspects of IT Responsible for all non-technical IT duties including drafting policy, procedures and

conducting training

Brian

TexT-IT’s prime directive is to maximize uptime for TexT’s information infrastructure and support the business’ expanding needs for more IT resources. This includes procuring and integrating new technologies and applications and designing and implementing new IT services. From a security perspective, the team ensures compliance with the relevant industry standards (e.g. ISO 27xxx), manages the security policy (see security policy document), conducts basic IT security risk assessments, and trains users to keep good passwords and install software previously screened / endorsed by TexT-IT. Cyber-attacks on the corporate infrastructure have increased in frequency. The IT team responds to at least two breaches of the digital perimeter every month. Sarah personally leads all major incident response (see TexT-IT’s incident response policy). Depending on the nature and scope of the incident, she will recruit members of the Text-IT team but will also seek the assistance of business operations personnel. Andrew and Dilip are involved in responding to almost all incidents. When the incident is resolved, Brian focuses on revising the policy and risk documentation. Brian then conducts any necessary training with Nadia to ensure the right advice is being given by the Helpdesk.

TexT-IT believes in preventative security and therefore relies heavily on its digital perimeter which is maintained by firewalls and backed up with an intrusion detection system. Most of Text-IT’s workforce stays on the premises of the organization. However, Sarah is particularly concerned by the proliferation of shadow IT – these are the large number of unauthorized devices that exist outside the corporate infrastructure and pose a significant security risk to the firm. They include personal devices such as mobile phones and tablets, applications and even servers used on TexT premises that are not registered with the IT department. Sarah is aware of the digital transformation program of TexT’s manufacturing capability. However, she does not consider the security portfolio to extend to the firm’s manufacturing facilities nor has the firm included the IT operations unit at any stage of the transformation process.

Answer:

Introduction

Assignment

Computer Science

Consultaion Report

Consultation project report

TEXTILE SERVICES PVT LTD

Proposed By:

Rajat Chawla

EXECUTIVE SUMMARY

This is a Cosultation report of Textile services pvt ltd. Company. This company is an unique company which produces Artic fibre for military purposes by recycling on Plastic Bottles thus reducing the harmful effects of Plastic on environment. Due to its uniquess of making Artic Fiber, this company has a great name in the market and hence is always on the eyes of competitors.

This company is on high security risk as the intruders may hack the confidential data which may lead to its decrease in market capital thus indulging in lossess. The report highlights all the issues related with security. Security Risk Management is carried out and in the solution network diagram is provided which will reduce the security risk to a great extent.

Apart from risk management, security strategic plan is also discussed along with the roadmap. The roadmap used is top down roadmap in pyramidal form. The main aim of developing roadmap was to attract more and more skilled network engineers to work with the highly reputed Company i.e Textile Services Pvt ltd.

The security policy is also been discussed in detail keeping in mind about the famous ransomware WannaCry attack. At last information about SETA i.e Security Education and training awareness is discussed along with Sample 4 weeks SETA program. This report in short highlights all the problem along with the solutions in Textile Services Pvt ltd.

This report contains all the information in detail regarding the security risk management, Strategic management, Security Policy and SETA. At the end appendices is attached which contains Network Diagram and Roadmap Diagram. All the discussions are carried out in detail along with the solutions.

INFORMATION SECURITY RISK MANAGEMENT (Elizabeth J& O’Neil.( June 2008)

Information Security risk management is a method which deals with finding the risks associated with the products or assets of a particular enterterprise, so that the three main factors i.e Integrity, Confidentiality and Authenticity of the particular organization is maintained.

To carry out information security risk management is not a big deal. To carry out risk management, first the entire security system is monitored very precisely, to find out if any risks exists. After indentification of risks, detailed discussion is carried out to find out the solutions, which can eliminate or reduce the risk to a great extent.

Let us find out the risks associated with our Textile Services Pvt ltd Company by first disussing the case analysis i.e problem and then suggesting various solutions for it.

Case Analysis:

The above company named Textile services pvt ltd is an textile company which deals with making unique product named Artic Fiber. Artic Fiber is a synthetic product which is made from recycled plastics. This product makes the use of Artic Fiber Gamma, which serves as an insulating material by protecting from severe conditions, like extreme whether, extreme winds etc, hence the product made by this company is in huge demand especially in military sectors.

The Textile services pvt ltd is definitely making unique fiber, but it is also taking the care of environmental, as it makes fiber by recycling plastic bottles. Due to these reasons, this company has a huge brand and the product developed by this company has a high demand , which have resulted in making huge and huge profits.

All these reasons have given headache to the competitors of the above company. Ofcourse due to heavy demand in the market, the company has invested a lot in digital perimeter which has resulted in the development of IT infrastructure. The main aim of the company is to maximize the profits, by digitalizing its supply chain network, so that everything could be carried out in real time.

Due to the heavy demand of the company’s product in military services, there is high risk of theft of techniques, trade values, test data and the tools and techniques which Textile Services Pvt ltd company make use of by the other companies who are dealing with the same textile business, so that the company’s competitor can replicate themselves and make the same product like the textile services pvt ltd, so that even competitors can make profits and increase their brand name.

If this happens, there will be serious loss to the company and even the company could be shut down. The digital perimeter of the above company is managed by firewall, and intrusion detection system. No doubt the most of the workforce lies inside the premisis, but there is always a risks of unauthorized access to the company. If the intruder is successful in gaining the access, then the integrity of the company may be harmed seriously. The confidential data may be get hacked. So, there is a need to find out various solutions regarding the above problem. The suggested solutions ae discussed below.

Solutions:

Definitely if the company is making use of IT infrastructure, then it would have using wireless techniques too. So, we have to find out solutions by making the wireless system very strong, which could prevent the company from unauthorized access. This is possible by developing a secure network structure.

The network structure should be developed in such a way that it makes 100 percent efforts to prevent the unauthorized access. This can be possible by:

  • Maintaining the strong Wifi Password with the help of WAP 2 or WAP 3, which are best Wifi Access Protectors, which make use strong encryption techniques for paasword protection.(Stallings W)
  • By making use of Layered Security Approcah, in which MAC filter can be used, due to which only the employees of the company will be allowed to gain access and other users will be blocked. (Richardson, C(June 2006).
  • One of the best method in Protection against Unauthorised Access is by Assigning Static IP addresses to the devices of the company, due to which only the company’s devices will be allowed to gain access to the network and other devices will be blocked thus maintaining the level of security. .(Stallings W)
  • By using Wifi Access point in place of Router, as the use of Wifi Access point in place of router, does not allow the intruder to gain access to the company’s premisis even if the physical address of the wifi device is known to him.
Layered Security Approah

The network diagram for the above architecture is shown below:

Wifi Access Point
Static IP allocation to devices present in the company.

Fig: Network Diagram

The above network diagram(Ms visio) reduces the security risk to great extent. The diagram contains all the necessary components which will be useful in reducing the security risk to a great extent. In the network diagram it is clearly shown that

  • Static IP address allocation is done, due to which only the devices present inside the company will have access to the Internet while Unauthorised devices will be blocked.
  • Use of firewall along with modem indicates the presence of layered security approach along with use of MAC protocol. Due to this the security level of the company gets increased.
  • It can be seen that Wifi Access point is used instead of Wifi Router, which reduces the security risks again to a great extent.

If this infrastructure is followed, intruder will find difficulty in gaining access inside the corporate premises. Even if the Wifi Password is known to the user, but the use of Layered Security Approach technique will not allow the intruder to gain access to the internet. Through this way CIA i.e Confidentiality, Integrity and Authenticity of the company gets protected.

INFORMATION SECURITY STRATEGY (Richardson, C(June 2006).

Information Security Strategy means the information regarding the objectives, goals, marketing, mission and vision of a particular company contained in a roadmap (facebook.com). Information security Strategy basically deals with developing certain plans through which the security of the company is protected. Obviously everyone wants to invest in secure environment, so if the Strategy is developed to make the system or network more and more secure, then there will be increase in profit and ultimately the main objective of the company i.e Customer Satisfaction is achieved.

Let us discuss about, how the strategic Plan can be made by doing case Analysis of the above company and then finding out the possible solutions regarding this.

Case Analysis:

The textile services pvt ltd is a company with huge brand name. The main goal of the company is to maximize its profit in the market to increase its market value and capital. The security concern is an important factor which has to be taken for analysis purposes. The textile services pvt ltd has its digital perimeter defined by Firewalls and Intrusion detection services. Due to this reason there is a need to develop a security strategic plan which will focus on all the aspects of the milestones which are to be achieved by the textile services pvt ltd.

Apart from these, in the textile services pvt ltd, there are also employees from non technical field who are unaware about how to deal with things related with technical field.

The people belong to the field of technical will definitely be able to give precise solutions concerning security issues of the Company.

The current situation of the textile services pvt ltd has

Less Employees from technical field.

Security system is not well defined.

Solutions:

This problem can be solved by improving the current situations of the company. This is possible by hiring people having great skills specially in the MS visio software. The people with great networking knowledge could be hired. The Strategic roadmap following top down approach((Richardson, C(June 2006). of Pyramid form is shown below:

Skills:

Microsoft Visio,

Software testing

Desired Qualifications:

Bachelors or Masters degree in Networking with CCNA certification course

 

Vision : To deliver world class textile fibers which will be beneficial to all.
Mission: To Provide opportunities to network engineers with high skills of knowledge to work with us, so that they empower their knowledge upon us.
Core Values required: Honesty, Punctuality, Focus, Democratic, highly ethical.

Fig: Top Down Strategic Roadmap

So, this strategic roadmap will definitely attract people. Obviously the brand name of Textile Services pvt ltd is very huge, If the strategic roadmap will be created in this manner, then definitely network engineers will be willing to work with the company due to its creation of unique product i.e Artic fiber. If more and more skilled people will be hired, then the chances of risks to security will be reduced.

So basically this is the strategy to attract high skilled people from all over the world, and once the people with high skills are hired, then they will work for the company as a Security Expert and ultimately the main Goal of the Company which is to protect its Confedentiaty, Integrity and Authenticity will be served. The top down level method of implementing Strategic roadmap is selected due to its simplicity. This model is easy to implement. The main advantage of using this model is that it could be easily implemented by the non technical people also working in the company.

INFORMATION SECURITY POLICY (Barman. S (2nd Nov, 2001)

Information Security is an outlined document containing all the information in a prescribed format regarding the policies which the employees of the particular organization should follow for its smooth functioning. It defines the set of rules or quidelines which are to be followed by the employees of the company.

Basically Security Policy is documented in a precise format, which is to be understood by low level skilled people too in the company. Security Policy is a detailed document focusing on the various steps which are to be carried out by each and every employee working in the organization((Barman. S (2nd Nov, 2001). By following the guidelines written in security policy, the company actually sets up the prevention methods against various security threats which could lead to severe hazardous situations.

Let us discuss about Security policy related to Textile pvt ltd company in detail along with the case analysis and then writing a detailed Security Policy document.

Case Analysis:

The textile services pvt ltd, has invested a lot for making its digital connection stronger and stronger. The main aim of textile services pvt ltd is to improve its supply chain network so that everything could be possible in real time. There is always a risk of security that the confidential data can be hacked by intruder of the competitor company, who could replicate the product Artic fiber, which is unique made by the Textile Services Pvt ltd.

If the tools and techniques used by the textile services private ltd are hacked, then there would be huge loss to the company. It would even loose its brand name and title of uniqueness. Definitely its market value will go down and competition will increase. Apart from these the three main keys i.e Confidentiality, Authenticity and Integrity of the Company will be lost.

One main reason to implement Security policy is that with the guidelines defined in the security policies, employees will follow them whole heartedly and strict implementation of the policy will reduce the security risk to a great extent. There are also people from non technical field working in the company, so this easy security policy will prove beneficial even to them. They just have to follow the guidelines strictly documented in the security policy which will be off great help to the organization in maintaining its Confidentiality, Integrity and Authenticity.

Solution:

Every organization has a well defined Security policy. Now according to the latest research there is one ransomeware type of malware named WannaCry worm which is a serious threat to organization. This malware have led to serious issues in the past. The Textile Services pvt ltd is following all the necessary guidelines related to security issues, but its brand name is very big, so intruders could possibly make use of this type of malware attack to get access towards confidential and private data.( www.kaspersky.com)

If the Confidential or private data is lost then there would be serious Security issues.

Nowdays Attackers are becoming smart day by day and they are making use of latest Security threat i.e Ransomeware WannaCry attack .Ransomware WannaCry attack is a very famous attack which infects the files by encrypting them so that authorized users are not able to access the file and then the intruder demands some ramsomeware payment in bitcon amount for decrypting the files .

If .the user does the payment, then the entire operating system gets corrupted, this may lead to degradation of all the confidential files kept on the operating system. If the file gets corrupted, then all the neighbouring computers also gets corrupted, this will lead to a serious security attack,

So, a security policy is written keeping all the points in mind. This security policy is simple and is easily understandable. The instructions of the security policies are so simple that even the people belonging to non technical field can easily follow and implement them. This security policy, if implemented seriously, will reduce the risk of security threat to a great extend. The well defined security policy suiting on Textile Services Pvt ltd is shown below:

Security Policy:

  • Purpose

The purpose of this policy is to set up certain basic guidelines for updation of windows operating security system on regular basis, so as to remain protected against the famous wannacry ransomeware attack(Threat_Modelling). Proper Implementation of this policy will reduce the chances off getting infected through ransomeware by nearly 98% in future.

  • Scope

The scope of this policy is to include all the personnel who are dealing with windows microsoft operating system, as this operating system may contain various important documents of a company which needs to be kept protected against infection. This is necessary for smooth functioning of the company, as the files stored on the operating system may contain very confidential data.

  • Policy

3.1General

  • Back up of data on PC’s should be done on regular basis.
  • Extensions of the hidden file should not be hided.
  • All the emails containing Exe’s files should be filtered regularly that too without any delay.
  • Immediate disabling of files contained AppData or LocalAppData folders should be carried out.
  • Cryptolocker Prevention kit (Threat_Modeling )can be used for disabling the files which are contained in folders named AppData or LocalAppData.
  • Disabling of Remote Desktop Protocol should be done.
  • Software should be done in regular basis.
  • Norton Antivirus should be installed in every PC and updation of the antivirus should be done on regular basis.

3.3 WannaCry Ransomware (kaspersky.com)

WannaCry Ransomeware is a very serious security attack which uses a worm as a software to infect the files stored on the PC system by encrypting them in such a way that the authorised user is unable to get access to these files again and then this ransomeware demands a payment to be paid in bitcon account for decrypting the files back.

3.2 Guidelines for protection against WannaCry

  • All the network systems should be kept updated by installing Windows Security Update for MS17010.
  • SMB, version 1 of the windows system should be disabled.
  • www[.] domain should not be blocked.
  • If the system is already inefected, it is advisable to not to pay ransom payment.
  • Norton Antivirus and Symentic Endpoint Protection should be used as they had already blocked the vulnerabilities which were used by WannaCry for exploitation purposes(Threat_Modeling)
  • Any malicious email should not be opened as it may contain a ransomware.
  • To get fully protected from WannaCry ransomeware, the various technologies like IPS Network Based Protection, SONAR behaviour detection technology, Advanced Machine Learning, Intelligent Threat Cloud should be used along with Norton and Symentic Endpoint Protection.
  • Compliance
  • For strict implementation of the above policy there will be audit performance that too on regular basis.
  • InfoSec will manage the manage the audits as per the audits policy to find any discrepencies in the implementation of above policy.
  • Efforts will be made for the audits so that the operation is successful.

5.0Enforcement

The Security policy should be enforced strictly by each and every person working as a employee in the company, failing to which strict legal actions will be taken against the employee.

6.0 Review

For reviewing the above policy email review method can be used. Email review method is the easiest way which can be used for reviewing purposes as it provides effective platform for review by sending emails which will actually gives us the clear picture of whether the policy is being followed or not.

So by documenting the security Policy in the above manner will prevent the attacks which could take place due to the unethical deeds of competitor.

The policy is written keeping in mind about WnnaCry ransomeware attack because this is a recent cyber attack and the hackers of today’s generation are making use of this technique more and more.

INFORMATION SECURITY EDUCATION TRAINING AND AWARENESS (SETA) (Ping Y, Kontogiannis, K.,& Lau, T.C.(September 2003)

Information Security Eduation Training and Awareness also known as SETA is basically an awareness program given to employees of an organization regarding the serious issues related to Security. Detailed Discussions on Security threats such as Pishing, Hacking. Malware , Ransomeware etc are done in this SETA Program/

SETA program creates the awareness about the various security threats which are taking place in the world. Prevention is better than cure. If people gets aware about the various types of security threats taking place, then they alert about cyber crimes(Stallings W) which would lead to reduction of cyber crimes.

Let us discuss about SETA for Textile Services pvt ltd along with case analysis highlighting why SETA program is necessary and then lets make a sample SETA program for the above company.

Case Analysis:

Textile Services pvt ltd is a company which makes unique product having its high demand in military services. The security breaches of this company is high. There are many people who are unaware of the latest security threats which are taking place. So, Awareness Program regarding the security issue is very essential.

The digital Perimeter of the Textile Services Pvt Ltd mainly contains Firewalls and Intrusion Detection System. People may not be aware of how to deal with firewalls and intrusion detection system.

This SETA program will prove beneficial as the people working in the organization will get awareness about the security threats and will work accordingly. In Textile Services Private ltd the main problem is regarding unauthorized access of data. This may be happening because of unawareness of people regarding the various Security issues.

Another Main problem in the company is that there may be some people who are desperately uninterested in implementing the security policies due to lack of awareness. All these issues will be ruled out by carrying Security Education Training and Awareness Program (SETA).

Solution:

The SETA(Ping Y, Kontogiannis, K.,& Lau, T.C.(September 2003)

plan for this company should be developed keeping in mind about the digital perimeter used by the company, i.e Firewall and Intrusion Detection System. As explained in risk management topic, one of the method to reduce security risk is use of WAP 2 or WAP 3 as they protect against unauthorized access to great extend.

So, by keeping in mind all the situations discussed in Security Risk Management, Strategy Management and the according to the security policy discussed, the employees should be given training about:

  • Phishing
  • WAP 2/ WAP 3
  • MAC Protocol
  • Firewalls
  • Routers
  • Software Patching
  • Famous Ransomeware WannaCry Attack.

To keep the SETA program interesting, examinations of the employees can be taken and on successful completion of the SETA training employees can be rewarded. This technique will keep the people engaged and they will be more enthusiastic regarding participation in SETA program.

One another way through which SETA program can be carried out in this company by making the SETA course compulsory to get promoted for higher skills.

The sample 4 weeks of SETA program will can be developed for Textile Services Pvt ltd is shown below:

SETA PROGRAM (Weeks 4):

Week 1 : Training regarding use of firewalls, Phishing and Intrusion detection system.

Week 2: Detailed Workshop on Phishing Attacks and how to overcome them.

Week 3: Training Regarding Ransomeware Malware Attacks mainly focusing on

WannaCry Attack.

Week 4: Assessment Week where the knowledge of employees will be tested about what

they have gained in the workshop.

Note:

  • This SETA program is Compulsory to attend by the each employee and failing to which strict action will be taken against that particular employee.
  • 75% attendance is compulsory
  • Cetificate of Completion will be awarded to each employee on successful completion of the program only if the employee scores more than 40% marks in the assessment.
  • Employees scoring less than 40% marks will have to reappear for the SETA program.
  • SETA certification course is compulsory to get promoted to higher scale.

So, by implementing SETA program in this manner will definitely attract the employees and the disinterested employees will also get involved in active participation in this program which will create awareness among the employees and due to the awareness employees working in the company especially those who belong to the non technical field will also engage indirectly in maintain the security of the company.

Conclusion

This assignment was based on writing Project Consultancy Report. Case of Fictitious textile company was given. According to the case it was asked to perform Security Risk Management, Security Strategic Management. It was also asked to write about Security Policy and discuss about SETA. All the points are highlighted in this assignment.

References

Barman. S (2nd Nov, 2001),” Writing Information Security Policies,” Paper Back Import

https://www.facebook.com/corevalues

https://www.kaspersky.com/resource-center/threats/ransomware-wannacry

Richardson, C(June 2006). Untangling enterprise Java. Queue. Volume 4, Issue 5 Component Technologies. Pages:36 – 44. 2006. ISSN: 1542-7730

Elizabeth J& O’Neil.( June 2008) Object/relational mapping 2008: hibernate and the entity data model (edm). SIGMOD ’08: Proceedings of the 2008 ACM SIGMOD international conference on Management of data.

Object-relational impedance mismatch http://en.wikipedia.org/wiki/Object-Relational_impedance_mismatch

Ping Y, Kontogiannis, K.,& Lau, T.C.(September 2003) Transforming legacy Web applications to the MVC architecture. Software Technology and Engineering Practice, 2003. Eleventh Annual International Workshop Page(s):133 – 142

Stallings W “Cryptography and Network Security7th Edition ISBN-13: 978-0134444284

Threat_Modeling, http://www.pentest-standard.org/index.php/

APPENDICES

Appendex A

RISK MANAGEMENT(Stallings W)

Reviewing Risks
Record Making Procedure
Decision Making Process
Identification of Possible Threats

Basic Block Diagram of Risk Management:

Assessment of Risks

 

Fig: Block Diagram of Risk Management

Explanation:

  • Identification of Possible Threats: This Step of Risk Analysis basically deals with the threats that can cause damage to our Organisation. The various threats like virusus, attacks, worms can take place, which may cause harm to the software
  • Decision Making Process: This step is basically related to deciding in who will get more harmed i.e the people working in organistion or the customer to whom the end product is to supplied.
  • Assessment of Risks: This step is very useful as it deals with the assessment of risks i.e Accessing which risk is more harmful, which risk is less harmful or which risk is not harmful at all. Basically this step deals with deciding the level of risks i.e More harmful, less harmful or not harmful.
  • Record Making Procedure: This step basically deals with making the records of all the risks that are analysed i.e why these risks have occurred and reviewing these risks for future use and in this step corrective action is taken place to eliminate the risks.
  • Reviewing Risks: This step basically deals with reviewing the risk assessment procedure, so that in our case customers can safely browse enforce in business organisation.

Appendex B

BODY OF KNOWLEDGE GRAPHICAL MODEL: (facebook.com)

Basically body of Knowledge Graphical Model indicates the complete information regarding the vision, mission, core values etc about a specific company in a visualised and attractive format

The below image shows the simple picture of body of knowledge graphical model, which can be drawn for any company.

Company ‘s Logo

Giving a short description of a company

Core Values
Mission

Statement

Code of

conduct

Current Situations
Skills required
Qualifications

 

0 responses on "This Is An Information Security Consulting Assignment"

Leave a Message

Your email address will not be published. Required fields are marked *