Hello, My professor reviewed the document that you sent last week and here is his comment: "this should be in the form of a memo. There are instructions that list the categories to cover. Go back and
Cynthia Koula Ltd
SECURITY POLICY Cynthia Koula Ltd
Date: 29th April 2018
Table of Contents
1. Introduction
1.1. Purpose
1.2. Scope
1.3. Responsibilities
2. IT ASSETS POLICY
2.1. Purpose
2.2. Scope
2.3. Policy Definitions
2.4. Policy Enforcement
3. PASSWORD CONTROL POLICY
3.1. Purpose
3.2. Scope
3.3. Policy Definitions
3.4. Policy Enforcement
4. EMAIL POLICY
4.1. Purpose
4.2. Scope
4.3. Policy Definitions
4.4. Policy Enforcement
5. INTERNET POLICY
5.1. Purpose
5.2. Scope
5.3. Policy Definitions
5.4. Policy Enforcement
6. ANTIVIRUS POLICY
6.1. Purpose
6.2. Scope
6.3. Policy Definitions
6.4. Policy Enforcement
1. Introduction
Cynthia Koula Ltd is a company founded in January 2017 by Cynthia Koula. It develops customized websites, e-commerce portals and hybrid mobile applications for customers. Its main clientele is Small and Medium Enterprises (SMEs) and the government. It uses current technology such as the Ionic Framework, React Native, Firebase and AWS to build hybrid mobile applications. The company is located in a shopping mall with more than 100,000 visitors a day. This makes the company’s location prime, but it also opens the door to risks such as equipment theft, network sniffing and intrusion, among others.
Cynthia Koula Ltd has four departments: Human Resources, Sales, Financial, and Information Technology / Software Development. The following are the company’s security policies.
1.1. Purpose
The purpose of this security policy document is to ensure proper use of Information Technology services and to protect the company and its users against security threats.
1.2. Scope
This document applies to all employees of the company, including interns, as well as visitors and other users such as contractors stationed on the company’s premises.
1.3. Responsibilities
The following table shows the roles and responsibilities in the enforcement of the Security Policy.
| Roles | Responsibilities |
| --- | --- |
| Information Security Officer | Ensures antivirus installation and upgrading of antivirus on servers; ensures implementation of the security policy document; ensures backup and recovery of data |
| Website developers and mobile developers | Ensure upgrading of antivirus on their own workstations, tablets and mobile phones |
| IT Technicians | Facilitate disposal of IT equipment; maintenance of IT equipment and upgrading of software and Operating Systems |
| Users | Follow security policies; report any security breach to the relevant authority |
2. IT ASSETS POLICY
2.1. Purpose
The IT Assets Policy explains how the Information Technology assets in the company should be handled.
2.2. Scope
This policy applies to desktops, laptops, company tablets, mobile phones, USB sticks, printers, photocopiers and other technological equipment; to applications, Operating Systems and software; and to anyone using the equipment, including visitors.
2.3. Policy Definitions
All IT assets must be used only for their intended purpose and only by authorized users.
Every user is responsible for the correct use of the equipment he/she has been assigned.
All tablets and mobile phones should only be used for responsive website development testing.
Unattended desktops and laptops must be shut down.
Users from outside should not be granted access to IT equipment unless they are authorized by the Information Security Officer and under supervision.
The IT Technical team is responsible for the maintenance and upgrading of IT assets, with the exception of Software Developers, who are responsible for upgrading their own systems.
IT assets must not be moved from one place to another. They should all be kept in locations with security access restrictions.
All users handling IT assets must have prior training.
Users should not eat food or consume drinks near IT equipment.
Laptops, tablets and mobile phones should be protected from theft and kept away from magnetic fields.
Any damage, theft or loss of an IT asset should be reported to the Information Security Officer immediately.
Any disposal of IT assets must be done in accordance with the company’s procedure, and data must be backed up beforehand.
2.4. Policy Enforcement
This policy will be enforced by the Information Security Officer and the Technical team responsible for the maintenance of IT equipment and the upgrading of software and Operating Systems. Violations of this policy may result in disciplinary action such as being required to buy your own desktop, laptop or other IT equipment, being prohibited from accessing IT equipment, or termination of employment.
3. PASSWORD CONTROL POLICY
3.1. Purpose
The password control policy defines the guidelines for the use of passwords. A poorly chosen password may have catastrophic results, such as the entire company network being compromised.
3.2. Scope
The password control policy covers all employees who have been given an account and can access the company’s network. It also covers visitors and other users such as contractors who have been given temporary access to the company’s systems.
3.3. Policy Definitions
Every user must have an individual identity while accessing the network.
Every workstation that can be used to access the network must be password protected.
Users are not allowed to share passwords.
A user cannot log into the system on behalf of another user.
The system must lock out the user after three failed password attempts.
A password must be changed after 30 days.
A password must include letters, numbers and special characters and must not be less than 8 characters long.
Whenever a password is compromised, it must be changed.
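As an added example, not part of the policy document, the following Python module turns the password rules stated in this section (and the 15-day rotation for email accounts in the Email Policy) into checks that a login or account-management system could apply. The `Account` class and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Parameters taken from the policy text: at least 8 characters with letters,
# numbers and special characters; rotation every 30 days (15 days for email
# accounts); lockout after three failed attempts.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
ROTATION_DAYS = {"network": 30, "email": 15}


def password_meets_policy(password: str) -> bool:
    """Section 3.3: letters, numbers and special characters, at least 8 long."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def password_expired(last_changed: date, today: date,
                     account_type: str = "network") -> bool:
    """True once the password is older than the rotation period for its account type."""
    return today - last_changed > timedelta(days=ROTATION_DAYS[account_type])


@dataclass
class Account:
    """Hypothetical account record: only the fields the lockout rule needs."""
    username: str
    failed_attempts: int = 0
    locked: bool = False


def record_login_attempt(account: Account, success: bool) -> Account:
    """Lock after MAX_FAILED_ATTEMPTS consecutive failures; a success resets the counter.
    A locked account stays locked until an administrator unlocks it."""
    if account.locked:
        return account
    if success:
        account.failed_attempts = 0
    else:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
    return account
```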
3.4. Policy Enforcement
This policy will be enforced by the Information Security Officer and failure to adhere to it may lead to the user being denied access to the Company’s system and IT assets.
4. EMAIL POLICY
4.1. Purpose
The email policy defines the proper and secure use of electronic mail within the company.
4.2. Scope
The email policy applies to all employees and other users such as contractors within the company.
4.3. Policy Definitions
All assigned email addresses must be used in the interest of the company. Personal use of email addresses may be permitted as long as it does not affect the user’s work.
Use of email addresses for external business, spamming, advertising or political campaigning is not allowed.
Use of the company’s email addresses for sending abusive, obscene or racist messages is prohibited and may lead to immediate termination of employment.
When a person ceases working for the company, the email address must be deactivated with immediate effect, in accordance with the company’s procedures.
Messages originating from the company must have the company’s logo at the top and the approved signature at the bottom of the message.
Attachments must be limited in size in accordance with the company’s attachment size limit.
All systems must have an antivirus and malware detector that scans incoming and outgoing messages.
Company email accounts must have a strong password, and the password must be changed every 15 days.
Visitors are not allowed to use company email addresses for outgoing messages.
4.4. Policy Enforcement
This policy will be enforced by the Information Security Officer and failure to adhere to it may lead to the user being denied access to the Company’s system and IT assets.
5. INTERNET POLICY
5.1. Purpose
The Internet policy defines the use of and access to the Internet.
5.2. Scope
The Internet policy applies to all employees of the company, visitors and other users such as contractors.
5.3. Policy Definitions
Users must not view or distribute obscene or pornographic material. Doing so may result in immediate termination of employment.
Users must not download music or videos of no company interest during working hours.
Incoming and outgoing traffic must be regulated at all times using a firewall.
Users may only download software that is useful to the company.
5.4. Policy Enforcement
This policy will be enforced by the Information Security Officer, and failure to adhere to it may result in termination of employment.
6. ANTIVIRUS POLICY
6.1. Purpose
The antivirus policy defines how system protection will be implemented within the company.
6.2. Scope
The antivirus policy applies to computers, servers, laptops, tablets and mobile phones within the company.
6.3. Policy Definitions
All computers and laptops must have an antivirus installed and updated frequently.
All servers that are accessed by client workstations must have an antivirus installed and updated only by the Information Security Officer.
All tablets and mobile phones must have an antivirus installed and updated by the website developers and hybrid mobile developers.
6.4. Policy Enforcement
This policy will be enforced by the Information Security Officer, website developers, mobile developers and IT Technicians. Only the Information Security Officer will install and upgrade antivirus on the servers. Failure to adhere to this policy will lead to denial of access to IT assets and may also lead to termination of employment.