
Good day, I have been brought before you today as a security consultant for your company dealing with the software development and deployment that will take place. We will need to go over what security controls will be implemented in the system and application development and why they are important. This proposal will finish up with the importance of information security awareness training and how it can and will protect your company's resources. To begin we will perform a preliminary risk assessment; this will help us develop an initial description of the basic security needs of your system. This will include the need to protect the integrity, availability, and confidentiality of the system information. The preliminary risk assessment should define the threat environment in which the system will operate and the potential vulnerabilities. Next we will perform a formal risk assessment, which will identify threats to and vulnerabilities in the information system. This will also cover the potential dangers and harm that can occur with the loss of confidentiality, integrity, or availability of your company's assets and operations, as well as the security controls that will be needed to protect those assets. The formal risk assessment's purpose is to build on the initial risk assessment we will perform, but it will be more detailed and contain more specifics. The risk assessment will bring together the important data about the protection of your information systems and produce a sound security plan for them. The next step is to create a security plan for the events before, during, and after a security event has occurred. The purpose of this is to provide a description of the information system as well as a reference to the key documents that contain your company's information security program, the configuration management plan, the contingency plan, the incident response plan, and the security awareness and training plan.

Keeping an inventory of authorized and unauthorized software will allow your company to make sure your systems are not exposed to software that is not allowed, which may miss security updates and leave a vulnerability in your system through which a potential hacker may gain access. By deploying a software inventory tool throughout your network you can get a quick inventory of the software found on workstations, and by configuring it to find unauthorized software you can remove it as a threat. You will also want to consider the configuration of the authorized software found on laptops, workstations, and servers. Software that comes from manufacturers is preconfigured, and those default configurations have vulnerabilities that can easily be found by potential hackers attempting to attack your systems; this is like not changing the locks on your home that the previous owner installed. Application software security is one of the top targets of criminal organizations. Application software may not check the size of the user's input, may fail to sanitize the user's input by failing to notice potentially malicious character sequences, or may fail to check variables in ways that lead to remote threats. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and click-jacking, to gain control over vulnerable machines. To prevent this you must consider testing internally developed and third-party applications for any security flaws. Setting up firewalls for web-based applications is a must, as this will block a wide variety of attacks. A check for errors or vulnerabilities in the application's code can be performed by your information security team to keep these applications from becoming a threat.
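To make the input-handling point above concrete, here is an added example (not code from the original proposal) that contrasts a lookup which concatenates user input into a SQL statement with a hardened version that checks input size, rejects unexpected character sequences, and binds the value as a query parameter. The user table, the 32-character limit, and the allowed-character pattern are constructed assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory user table standing in for a company directory
# (sample data for this example, not from the original proposal).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "staff"), ("bob", "admin"), ("carol", "staff")],
    )
    return conn

# Assumed policy: usernames are at most 32 characters of letters, digits,
# underscore, dot or hyphen. Anything else is a potentially malicious sequence.
MAX_LEN = 32
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

def lookup_unsafe(conn, username):
    # Vulnerable pattern: no size check, no sanitization, and the input is
    # spliced into the SQL text, so the database may interpret it as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def is_valid_username(username):
    # Size check first, then a whitelist of allowed characters.
    return len(username) <= MAX_LEN and USERNAME_RE.match(username) is not None

def lookup_safe(conn, username):
    # Hardened pattern: reject bad input up front, then pass the value as a
    # bound parameter so it can never change the meaning of the statement.
    if not is_valid_username(username):
        raise ValueError("rejected username: failed size or character check")
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))          # ['alice']
    print(is_valid_username("a" * 40))       # False: too long
    print(is_valid_username("bob; --"))      # False: disallowed characters
```

Running the unsafe variant against the same table with a crafted string such as `x' OR '1'='1` returns every row, which is exactly the class of flaw the application testing and code review described above are meant to catch.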

One of the biggest threats to a company or business is the human element. That is right: your own employees, end users, and even ex-employees can present a major threat without even knowing that they have created one. This section will cover why information security awareness is not only important but should be understood by everyone within your company, from the mail room employee to the CEO. Social engineering is a common threat, as it exploits the good nature or fear of your staff. Social engineering allows an attacker to gain information by tricking individuals into handing over vital information that should be on a need-to-know basis. By properly training your staff about this exploit, social engineering can be prevented and the accidental leak of information stopped before it happens. Security policies should be set forward so that employees know how to protect information, such as login and password details, that only they as individuals need to know. By setting up a simple password policy that requires users to choose complex passwords and change them at a set interval, you limit unauthorized access by someone who has intercepted a password. Training exercises should be considered in which employees are briefed on new security policies, followed by tests to check whether an employee knows the material, and perhaps a social engineering audit in which a specialist contacts an employee and attempts to gather information through social engineering.

