
Group members:

Byoungcheol Jeong
Rohit Kumar
John Carlo Malto
Kamal Rathnayake

Introduction:
The company’s security posture is in a critical state, and a security plan is needed to address the basic
concerns. We look at every aspect of the organization and apply security concepts so that the company
has at least a reliable baseline of security controls. We also develop an information security blueprint
that the company can use for its current and future security planning and implementation.

Content:

Strategic:
It is important to develop security policies for the company, since there are currently none.

Access Control Policy


An access control policy should be introduced, based on the principle of least privilege. Role-based
access control should be used, with roles derived from the job function of the user or the business
function being performed.

Encryption Policy
Sensitive data should be stored in encrypted form. Data transferred over network channels should be
encrypted, and certificates should be used to authenticate the endpoints and to support integrity and
non-repudiation.

Account Policy
An account policy needs to be properly implemented so that user accounts, their passwords and their
levels of access are managed correctly. Specific rules need to be defined for account management,
including account creation and deletion.

Password Policy
User passwords are confidential and must not be shared with anyone inside or outside the company.
Passwords should have a minimum length and an expiry period.

SDLC Policy
Systems should be separated into production, test and development environments.

Backup Policy
Data backups make it possible to recover lost data when an incident or system fault happens.

Disaster Recovery Policy


A DR policy needs to be in place in order to protect the assets from both human and natural disasters.
The policy must ensure the proper continuance of business operations in times of disaster.

Risk Management Policy / Strategy


Since the company is just starting an information security program, we first need to conduct a risk
assessment to determine the company’s exposure. To protect the assets of the company, we must manage
the identified risks.

SETA Policy
Once the policies are in place, we now have to develop a culture of security awareness for every
employee of the company. It cannot be emphasized enough that security is everyone’s responsibility.
This is why the company must have Security Education, Training and Awareness Programs in place. SETA
must be done regularly and delivered through multiple channels.

Data Handling and Storage Policy


Applications exposed to the internet must not access the internal database directly.

Tactical:
Access Control Tactical
Where a business need exists, there should be a provision to grant access on a per-user basis. To achieve
this, the access control mechanism must be able to grant program-level access to roles and to individual
users. Each subsidiary must have its own separate roles, and users of one subsidiary must not be granted
access to another subsidiary’s systems.

Encryption Tactical
As the encryption standard, sensitive data handled by every user and function should be protected with a
standard, well-reviewed cipher such as AES-256. Hash functions such as SHA-2 are not encryption: a hash
cannot be reversed to recover the data, so it does not meet this requirement on its own.

Account Policy Tactical Plan


System administrators will be trained in the new account management policies and procedures.

Servers will be configured to handle multiple user accounts and roles.

Access control and passwords will be managed more safely and efficiently.

Password Tactical
Password standard: by reference to the ISO password framework, passwords must be at least 8 characters
long and must include at least one upper-case letter, one lower-case letter, one digit and one special
character.
SDLC Tactical

Developers, testers and users must have different IDs on each of the separated systems.

No one may use real data for testing; scrambled (masked) data must be used instead.

Backup Tactical Plan


The backup interval should vary depending on the business impact of the data.

Disaster Recovery Tactical Plan


Identify Recovery Point Objective (RPO) and Recovery Time Objective (RTO). We must also setup off site
recovery systems in case of disaster on site.

Risk Management Tactical Plan


 Risk Identification
o We must identify and classify assets
o Take a look at existing threats and prioritize accordingly
 Risk Assessment
o Look for existing vulnerabilities between assets and threats
o Identify asset exposure
 Risk Control
o Select the proper strategy for the existing exposure
o Rationalize and implement the risk controls to minimize risk

SETA Tactical Plan


SETA is most effective when delivered through several mediums. Posters, keychains, emails, newsletters
and similar channels will be used to ensure the message gets across. Regular SETA training will be held
every 4 months to refresh the concepts and reinforce them. SETA will also be delivered to new hires.

Data Handling and Storage Tactical

The database serving the internal network and the database serving internet-facing applications should be
separate systems.

Operational:
Access Control Operational
After user accounts are created, access to system functions must be granted to the users explicitly. At
the beginning a user has no access at all. The database administrator grants only the access that is
needed, and only with the approval of higher management.
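
The following Python example is added here to illustrate the access control requirements in the tactical plan (separate, subsidiary-scoped roles) and the operational plan (no access at creation, grants only with management approval). It is not the company's code. It uses a small in-memory model: the user names, role names and permission strings such as "payroll:read" are made up, and the rule that the administrator who requested a grant cannot be the one who approves it is an assumption about how "approval of higher management" would be enforced.

```python
"""Deny-by-default RBAC with subsidiary-scoped roles and approval-gated grants.

Added example, not the company's code. Users, roles and permission strings
such as "payroll:read" are made up; the rule that a requester cannot approve
their own request is an assumption about how management approval is enforced.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    subsidiary: str
    permissions: frozenset  # e.g. frozenset({"payroll:read", "payroll:write"})


@dataclass
class GrantRequest:
    user: str
    role: Role
    requested_by: str
    approved_by: Optional[str] = None


class AccessControl:
    def __init__(self):
        self.users = {}        # username -> subsidiary the user belongs to
        self.assignments = {}  # username -> set of Role actually granted
        self.pending = []      # GrantRequests waiting for approval

    def add_user(self, user, subsidiary):
        # A new account starts with no roles: every access must be granted explicitly.
        self.users[user] = subsidiary
        self.assignments[user] = set()

    def request_grant(self, user, role, requested_by):
        if user not in self.users:
            raise KeyError(f"unknown user {user!r}")
        # Roles are scoped to one subsidiary; a user may only hold roles of their own.
        if self.users[user] != role.subsidiary:
            raise PermissionError(
                f"{user} belongs to {self.users[user]}, cannot hold a {role.subsidiary} role")
        req = GrantRequest(user=user, role=role, requested_by=requested_by)
        self.pending.append(req)
        return req

    def approve(self, req, approver):
        # Separation of duties: the administrator who asked for the grant cannot approve it.
        if approver == req.requested_by:
            raise PermissionError("requester cannot approve their own grant")
        if req not in self.pending:
            raise ValueError("request is not pending")
        req.approved_by = approver
        self.pending.remove(req)
        self.assignments[req.user].add(req.role)

    def is_allowed(self, user, permission):
        # Permission = union of granted roles; anything not granted is denied.
        return any(permission in role.permissions
                   for role in self.assignments.get(user, set()))


def demo():
    """Walk through the grant lifecycle and return the access decisions."""
    ac = AccessControl()
    payroll_a = Role("payroll-clerk", "SubsidiaryA", frozenset({"payroll:read", "payroll:write"}))
    ac.add_user("alice", "SubsidiaryA")
    ac.add_user("bob", "SubsidiaryB")
    out = {}
    out["before_grant"] = ac.is_allowed("alice", "payroll:read")      # denied by default
    req = ac.request_grant("alice", payroll_a, requested_by="dba")
    out["while_pending"] = ac.is_allowed("alice", "payroll:read")     # still denied
    try:
        ac.approve(req, approver="dba")                               # self-approval refused
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    ac.approve(req, approver="cio")
    out["after_approval"] = ac.is_allowed("alice", "payroll:read")    # granted
    out["unrelated_permission"] = ac.is_allowed("alice", "hr:read")   # still denied
    try:
        ac.request_grant("bob", payroll_a, requested_by="dba")        # cross-subsidiary
        out["cross_subsidiary_blocked"] = False
    except PermissionError:
        out["cross_subsidiary_blocked"] = True
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the model is that every path to a permission goes through an explicit, approved role assignment: a user with no roles, a user with a pending request, and a user from another subsidiary are all denied, and the same `is_allowed` check can be called from any program before it performs a sensitive function.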
Encryption Operational
Applications should implement encryption of sensitive data with a standard cipher such as AES-256 (a hash
such as SHA-2 is not encryption and cannot be decrypted). The database should store the encrypted data
without modification and allow it to be retrieved when needed.

Account Policy Operational Plan


Regular review and monitoring of accounts and their level of access. As employees get promoted or
change in departments, their level of access will need to be adjusted as well.

Password Operational Plan


Administrators must configure passwords to expire after 90 days. Users are allowed 3 attempts to enter
their password; after 3 failed attempts the account must be locked out.
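
The following Python example is added here, and is not part of the company's systems, to show the password rules from the tactical and operational plans enforced in code: at least 8 characters with an upper-case letter, a lower-case letter, a digit and a special character; expiry after 90 days; lockout after 3 failed attempts. The policy constants come from the plan; the PBKDF2 password hashing, its iteration count and the sample accounts and passwords are assumptions made for the example.

```python
"""Password policy enforcement: complexity, 90-day expiry, lockout after 3 failures.

Added example, not the company's code. Policy constants follow the plan;
PBKDF2 hashing, the iteration count and the sample accounts are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8                 # from the tactical plan
MAX_AGE = timedelta(days=90)   # from the operational plan
MAX_ATTEMPTS = 3               # from the operational plan
PBKDF2_ITERATIONS = 100_000    # assumption for the example


def check_complexity(password):
    """Return a list of policy violations; an empty list means the password is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    def __init__(self, username, password, now):
        problems = check_complexity(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.changed_at = now          # expiry is counted from the last change
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, now):
        return now - self.changed_at > MAX_AGE

    def authenticate(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'bad_password'."""
        if self.locked:
            return "locked"            # even the correct password is refused once locked
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.locked = True     # third failure locks the account
            return "bad_password"
        self.failed_attempts = 0       # a successful login resets the counter
        if self.password_expired(now):
            return "expired"           # correct, but must be changed before use
        return "ok"


def demo():
    """Exercise the policy with constructed accounts and return the outcomes."""
    t0 = datetime(2024, 1, 1)
    out = {}
    out["weak_rejected"] = check_complexity("password")          # three violations
    acct = Account("jdoe", "Winter!2024", t0)
    out["login_ok"] = acct.authenticate("Winter!2024", t0)
    out["wrong1"] = acct.authenticate("guess1", t0)
    out["wrong2"] = acct.authenticate("guess2", t0)
    out["wrong3"] = acct.authenticate("guess3", t0)              # locks the account
    out["after_lock"] = acct.authenticate("Winter!2024", t0)     # refused: locked
    fresh = Account("asmith", "Spring#2024", t0)
    out["expired"] = fresh.authenticate("Spring#2024", t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two details matter in practice: the lockout is checked before the password is verified, so a locked account does not leak whether a guess was right, and the expiry check runs only after a correct password, so an expired account still forces a password change rather than silently granting access.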

SDLC Operational

Developers may not access the test or production systems.

Testers may test only in the test system, and scrambled data must be used in place of sensitive data.

Scrambling of sensitive data should be conducted regularly.
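
The following Python example is added here, and is not the company's tooling, to show one way to produce the scrambled test data that the SDLC tactical and operational plans require. It masks sensitive fields with a keyed HMAC so that the same real value always maps to the same surrogate (joins between tables in the test system still work) while the real value cannot be recovered without the key, and it emits Luhn-valid card numbers so that format checks in the application under test still pass. The sample rows, the field names treated as sensitive and the masking key are constructed for the example.

```python
"""Deterministic masking of sensitive fields for the test system.

Added example, not the company's tooling. Same (field, value) under the same
key -> same surrogate, so foreign-key relationships survive; the surrogate
reveals nothing about the original without the key. Sample rows, sensitive
field names and the masking key are constructed for the example.
"""
import hashlib
import hmac

SENSITIVE_FIELDS = {"name", "email", "card_number"}   # assumption for the example


def _prf(key, field, value):
    """Keyed pseudo-random function over (field, value); the field name avoids
    the same string masking identically across unrelated columns."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def _luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        n = int(ch)
        if i % 2 == 0:          # rightmost partial digit is doubled once the check digit is appended
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return (10 - total % 10) % 10


def luhn_valid(number):
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_value(key, field, value):
    d = _prf(key, field, value)
    if field == "email":
        # Email-shaped, but on a reserved test domain with no link to the real mailbox.
        return f"user{int.from_bytes(d[:4], 'big') % 10**6:06d}@example.test"
    if field == "card_number":
        # 15 pseudo-random digits plus a Luhn check digit: format-valid, not a real PAN.
        digits = "".join(str(b % 10) for b in d[:15])
        return digits + str(_luhn_check_digit(digits))
    if field == "name":
        return f"Person {int.from_bytes(d[:2], 'big') % 10000:04d}"
    return value


def mask_row(key, row):
    return {f: (mask_value(key, f, v) if f in SENSITIVE_FIELDS else v) for f, v in row.items()}


def mask_table(key, rows):
    return [mask_row(key, r) for r in rows]


# Constructed sample data standing in for a production extract.
CUSTOMERS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@corp.example", "card_number": "4111111111111111"},
    {"id": 2, "name": "Alan Turing", "email": "alan@corp.example", "card_number": "5500000000000004"},
]
ORDERS = [
    {"order_id": 10, "email": "ada@corp.example", "amount": 120},
    {"order_id": 11, "email": "alan@corp.example", "amount": 75},
]


def demo(key=b"test-env-masking-key"):
    """Mask both tables with one key and report whether the properties hold."""
    customers = mask_table(key, CUSTOMERS)
    orders = mask_table(key, ORDERS)
    by_email = {c["email"]: c for c in customers}
    return {
        "customers": customers,
        "orders": orders,
        # Referential integrity: every masked order still finds its masked customer.
        "joins_ok": all(o["email"] in by_email for o in orders),
        # No real name or corporate e-mail domain survives in the masked output.
        "no_real_values": all(c["name"].startswith("Person ") and c["email"].endswith("@example.test")
                              for c in customers),
        "cards_luhn_valid": all(luhn_valid(c["card_number"]) for c in customers),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["customers"] + result["orders"]:
        print(row)
    print("joins_ok:", result["joins_ok"], "cards_luhn_valid:", result["cards_luhn_valid"])
```

Because the masking is keyed, the key must live only with the scrambling job, never in the test environment: anyone holding it can confirm whether a guessed real value corresponds to a surrogate. Re-running the job with the same key after a fresh production extract (the "regularly" in the plan) keeps existing test data and new test data consistent.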

Backup Operational Plan

- Every table should have a backup interval that depends on the business impact of the data it holds.

- An online backup solution should run continuously throughout the day.

- All tables should be backed up every night; furthermore, important tables should be backed up more
frequently.

Disaster Recovery Operational Plan


Make use of high-availability systems, including private clouds and hybrid cloud systems.

Risk Management Operational Plan


Activities and specific methods need to be organized into three categories:

 Short-Term
o Good for 0-4 months
o Must be monitored regularly
o Includes Logging activity and also patching of systems
 Mid-Term
o Good for 4-8 months
o Includes implementing of SETA program
 Long-Term
o Review of policies and procedures
o Regular vulnerability scanning
o Review of Risk Exposure due to new assets and activities

SETA Operational Plan


Posters will be placed in common areas to highlight policies and procedures, including password security,
locking workstations, and other topics deemed important.

A short regular quiz on information security will be part of employee performance evaluation to ensure
that employees take it seriously.

Data Handling and Storage Operational

- Employees may use the internet only from the designated internet-facing computers.

- Before users can access a table, they must first be authorized for that table through the permission
approval process.

- Users have different privileges depending on the tables they are authorized to access.

Conclusion:
This company has many security problems with regard to security policy, access control and integrity
controls. We identified vulnerabilities in order to mitigate the impact of risk and to manage risks. We
have developed strategic, tactical and operational plans that form the information security blueprint of
the company.
