Designing Security Plan for Innovations IT company Assessment 2 Answer
Security Plan and Training Program
This assignment designs a security plan for the Innovations IT company. The company is a consulting agency dealing in IT-based solutions. The company is not using any security measures or any security plan in several areas, such as cyber-attacks, disaster recovery, incident response or password security policy. Besides not deploying rigorous security, its employees are also unaware of the workplace security practices they need to follow to secure their personal or organisational information. We need to identify the possible security threats inside the organisation and prepare a plan to mitigate the associated risks that may exist in the current environment and to help in future as well. To do this, we research business threats and prepare protective guidelines and a training program for the employees.
Innovations IT is a leading organisation working as a consulting agency, dealing in IT-based solutions. The company is situated in the dominant business region of the city. It currently has a total of 1500 employees. A security team is appointed there to protect information from all types of vulnerabilities, such as accidental or deliberate threats. We are appointed as head of the IT team and are responsible for safeguarding the company's information. While continuously monitoring the company's information security environment, the team found many loopholes in the security of the information. At most of the key places, no proper security is used. The vulnerable areas are recovery from disaster, continuity of business, response to disaster and several social engineering attacks. The employees are also not sufficiently aware, personally or professionally, of the risks or threats associated with their information and data. They do not have any password policy, and passwords are not used on key assets such as servers and systems. Where passwords are used, they are configured with poor password security. These are some of the issues identified by the security team that need to be remediated on an urgent basis. All the technical equipment and systems used there need to be configured to maintain an effective database system and document management with a high level of security. These systems are configured, maintained and monitored by the IT team. The security team is now working to identify the possible threats that exist within the security of the company. Based on the identified threats, an analysis is done to find detailed security measures to remediate those threats.
The security team of the company identified and analysed several key areas and company assets where the implementation of security is essential. The key areas identified by the team as having security vulnerabilities are described here –
- No response to an incident – Incident response planning is a critical part of the security of our business. Our company does not have an incident response plan in place. This plan is used to identify and test measures that help in identifying a breach in security from either internal or external threats. Based on the identified threat, several security measures are prepared that help in mitigating those risks. An effective incident response plan helps in limiting damage when an incident occurs.
- No disaster recovery measures used – Our organisation is not using a disaster recovery plan. A disaster can arise at any time and anywhere in our business. It may be a natural or a human-generated disaster, for example a flood, hurricane, earthquake, power failure, chemical threat, cyber-attack or physical damage to assets (Techadvisory.org. 2020).
- No proper business continuity plan – The organisation does not have a business continuity plan in place. This plan is a type of pre-planning against a possible incident or threat that our business can face. It includes identifying a threat or vulnerability and analysing its impact on the business. An effective business continuity plan ensures that our business will be able to provide a ground level of services even in the case of a disaster and helps maintain our business reputation and revenue (Baker, A., 2020).
- No proper password security policy – The organisation does not have any password security policy. Not using a password, or using a weak password, can expose our data and information to many security vulnerabilities. An attacker from the external network can easily enter our company network and steal, destroy or harm confidential business data or user information. This information may include employees' personal data, account details, secret business details, passwords and much more. If someone steals this information, we can become a target of identity theft (Martinelli, K. and Martinelli, K., 2020).
- Employees unaware of security risks – The employees working in an organisation are a valuable asset for the organisation, and most of the key security inside the business is maintained by the employees themselves. If the employees are not aware of security and the threats related to it, everything is always at risk even if we are using enough security measures.
- Major areas of attack – Based on the vulnerabilities identified above, we are now able to identify the major areas of attack on our business (Georgetown University Online. 2020). As an IT organisation, these are the details of the attack areas –
  - A natural or human-made disaster can arise at any time and can affect our day-to-day working if no effective response plan is in use.
  - Using weak passwords in today's technological world will lead to a serious cyber-attack that may take our whole business down by damaging valuable assets or the basic organisational architecture.
  - There could be an attack related to social media. This type of attack is carried out over a large group of web sites or targeted computer systems and infects those systems at once.
  - Most businesses today have started using mobile devices, which are highly prone to malware attacks.
  - When our network is not properly secured with effective security techniques (protocol, authentication or authorization), any third-party attack can be carried out on the weak and unprotected network.
Security countermeasures
In this section, we discuss the possible techniques to effectively eliminate the identified threats within the organisation. Our primary target is to prepare a password security policy. Then we move on to the other measures: preparing a disaster recovery plan, an incident response plan, a business continuity plan and training of employees. Details of the preventive measures are here –
- Disaster recovery plan – A disaster recovery plan is essential to mitigate and recover from a physical, human-generated or natural disaster arising in a business. To create a disaster recovery plan, we first need to identify the key valuable assets of our business. This may include all the hardware and software, the network, other physical equipment, etc. Prepare a list of the assets and identify the linked risks and a possible level of tolerance. Prepare a list of very important assets that includes the essential items needed to resume our business. Build a team that can respond and take responsibility at the time of the disaster. Prepare a communication plan to share information regarding the incident (Schiff, J., 2020).
- Incident response plan – This plan is needed when an incident or difficult situation arises. It is very important for securing our data and dealing with other day-to-day security incidents. This planning has six steps. In the first step, we identify and document the possible security incident. Then we identify the threat to security and its containment, short-term or long-term. Based on the identifications, we prepare restoration guidelines to return all the systems to their working state (Inside Out Security. 2020).
- Business continuity plan – A business continuity plan is needed to resume our business after a disaster, cyber-attack or any other type of bad incident. It is a process that is carried out together with disaster recovery and incident response planning. It ensures the availability of the basic resources that are needed to resume our business after a disaster.
- Password security policy – A password security policy is a part of the authentication and authorization facility within the organisation. All users and employees should use strong passwords on their systems. All the core business components and devices are protected with strong passwords and also by physical means, in a restricted or locked area. A minimum password length is set, together with password complexity (Martins, F., 2020).
- Hardening network – Hardening the organisational network can help us keep our organisational assets safe. It involves educating employees to use proper security, use of authentication, securing the network with passwords, encryption, securing systems with strong passwords and keeping systems regularly updated with security patches and other required updates (Network Computing. 2020).
Employees are the core of any organisation, and most breaches are initiated by them in an unsecure environment. To overcome these issues, proper training is provided to the employees to make them aware of security vulnerabilities and threats. The training needs to introduce them to the importance of using strong passwords on their systems, the complexity to use when creating a password, the length of the password, etc. All these aspects are also described in the password policy document that is circulated to them. All employees are made aware of access to organisation resources, including their access rights and permissions.
A security plan is developed to keep the organisation safe from cyber security attacks. Lack of effective security puts our business at risk and makes it an easy target for cyber-attacks. A security policy is a group of rules that are derived by identifying and analysing security threats in an organisation. It enables a company to communicate securely with the external world while keeping its data and other assets safe (Security, R., 2020). Here are the steps to be taken to prepare a security plan –
- Identification and testing – As the first step, we need to identify all the security-related risks aligned with our organisational assets. This may include outdated systems, weak passwords, lack of security patches or weak network security. Testing is done to confirm that we are not using any outdated applications, end-of-support devices, etc. All these things can minimize the identified risk to some extent.
- Elimination of risk – Once all the associated threats are identified, we can address all the risks. Using risk assessment, a list of risks is prepared together with the tactics for eliminating them. That helps in analysing the risks and their mitigation practices.
- Training – Making policies and analysing risk alone is not sufficient. An adequate amount of training is provided to the employees to introduce them to the risks and to have them take sufficient security precautions at the workplace and when accessing company resources.
- Regular patching – The security team is tasked with checking for security releases or any other updates released by the hardware, software or operating system vendors. All the systems are regularly updated with the current security patches and updates.
In this assessment task, we identify all the risks held by our organisation, according to the case study. A well-structured security plan is prepared that describes all the risks, threats and types of attack that can be carried out against a weak system. This security plan includes an incident response plan, a disaster recovery plan, a business continuity plan and a password security plan. Based on the identified risks, countermeasures are developed in the form of several policies and plans. The details and advantages of the training provided to employees are also discussed. At the end, we develop a security policy that is used to safeguard our organisation from the identified threats and to help in continuing our business after a disaster occurs.