Hello, My professor reviewed the document that you sent last week and here is his comment: "this should be in the form of a memo. There are instructions that list the categories to cover. Go back and

Cynthia Koula Ltd

SECURITY POLICY Cynthia Koula Ltd
Date: 29th April 2018

Table of Contents

1. Introduction
1.1. Purpose
1.2. Scope
1.3. Responsibilities
2. IT ASSETS POLICY
2.1. Purpose
2.2. Scope
2.3. Policy Definitions
2.4. Policy Enforcement
3. PASSWORD CONTROL POLICY
3.1. Purpose
3.2. Scope
3.3. Policy Definitions
3.4. Policy Enforcement
4. EMAIL POLICY
4.1. Purpose
4.2. Scope
4.3. Policy Definitions
4.4. Policy Enforcement
5. INTERNET POLICY
5.1. Purpose
5.2. Scope
5.3. Policy Definitions
5.4. Policy Enforcement
6. ANTIVIRUS POLICY
6.1. Purpose
6.2. Scope
6.3. Policy Definitions
6.4. Policy Enforcement



  1. Introduction

Cynthia Koula Ltd is a company founded in January 2017 by Cynthia Koula. It develops customized websites, e-commerce portals and hybrid mobile applications for customers, mainly Small and Medium Enterprises (SMEs) and the government. It uses current technologies such as the Ionic Framework, React Native, Firebase and AWS to build hybrid mobile applications. The company is located in a shopping mall with more than 100,000 visitors a day. This makes the location a prime one, but it also exposes the company to risks such as equipment theft, network sniffing and intrusion, among others.

Cynthia Koula Ltd has four departments: Human Resources, Sales, Finance, and Information Technology / Software Development. The following are the company’s security policies.

    1.1. Purpose

The purpose of this security policy document is to ensure proper use of Information Technology services and to protect the company and its users against security threats.

    1.2. Scope

This document applies to all employees of the company, including interns, as well as visitors and other users such as contractors stationed on the company’s premises.

    1.3. Responsibilities

The following table shows the roles and responsibilities in the enforcement of the Security Policy.

Role                                       Responsibilities
Information Security Officer               Ensures antivirus installation and upgrading of antivirus on servers
                                           Ensures implementation of the security policy document
                                           Ensures backup and recovery of data
Website developers and mobile developers   Ensure upgrading of antivirus on their own workstations, tablets and mobile phones
IT Technicians                             Facilitate the disposal of IT equipment
                                           Maintenance of IT equipment and upgrading of software and Operating Systems
Users                                      Follow security policies
                                           Report any security breach to the relevant authority

  2. IT ASSETS POLICY
    2.1. Purpose

The IT Assets Policy explains how the Information Technology assets in the Company should be handled.

    2.2. Scope

This policy applies to desktops, laptops, company tablets, mobile phones, USB sticks, printers, photocopiers and other technological equipment; to applications, Operating Systems and software; and to anyone using the equipment, including visitors.

    2.3. Policy Definitions

All IT assets must be used for the intended use and by authorized users.

Every user is responsible for the correct use of the equipment he/she has been assigned

All tablets and mobile phones should only be used for responsive website development testing

Unattended desktop and laptops must be shut down

Users from outside should not be granted access to IT equipment unless they are authorized by the Information Security Officer and under supervision

The IT Technical team is responsible for the maintenance and upgrading of IT assets, with the exception of Software Developers, who are responsible for upgrading their own systems

IT assets must not be moved from one place to another. They should all be in locations with security access restrictions

All users handling IT assets must have prior training

Users should not eat or drink near IT equipment

Laptops, tablets and mobile phones should be protected from being stolen and kept away from magnetic fields

Any damage, theft, and losses of an IT asset should be reported to the Information Security Officer immediately

Any disposal of IT assets must be done in accordance with the Company’s procedure and data ought to be backed up

    2.4. Policy Enforcement

This policy will be enforced by the Information Security Officer and the Technical team responsible for the maintenance of IT equipment and the upgrading of software and Operating Systems. Violations of this policy may result in disciplinary action, such as being required to replace the desktop, laptop or other IT equipment at the user’s own cost, being prohibited from accessing IT equipment, or termination of employment.

  3. PASSWORD CONTROL POLICY
    3.1. Purpose

The password control policy defines the guidelines for the use of passwords. A poorly chosen password may have catastrophic consequences, such as the entire company network being hacked.

    3.2. Scope

The password control policy covers all employees who have been given an account and can access the company’s network. It also covers visitors and other users, such as contractors, who have been given temporary access to the company’s system.

    3.3. Policy Definitions

Every user must have a private identity while accessing the network

Every workstation that can be used to access the network must be password protected

Users are not allowed to share a password

A user cannot log into the system on behalf of another user

The system must lock out the user after three incorrect password attempts

A password should be changed after 30 days

A password should include letters, numbers and special characters and should not be less than 8 characters long

Whenever a password is compromised, it must be changed
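Checks implementing the password controls listed above, added here as an illustration and not part of the company’s policy document; the function and class names are hypothetical, and the thresholds (8 characters, letters plus numbers plus special characters, lock-out on the third failed guess, change after 30 days) are the ones the policy states:

```python
# Added example, not part of the policy document. Names are hypothetical;
# the thresholds are the ones the policy states.
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
MAX_PASSWORD_AGE = timedelta(days=30)


def complexity_problems(password: str) -> list:
    """Return the rules a candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True once the password is older than the 30-day rotation period."""
    return today - last_changed > MAX_PASSWORD_AGE


class AccountLockout:
    """Counts consecutive failed guesses and locks the account on the third."""

    def __init__(self) -> None:
        self.failed = 0
        self.locked = False

    def record_attempt(self, success: bool) -> bool:
        """Record one login attempt; return True only if it is accepted."""
        if self.locked:
            return False  # a locked account rejects everything until an officer resets it
        if success:
            self.failed = 0  # a successful login clears the failure counter
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False
```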

    3.4. Policy Enforcement

This policy will be enforced by the Information Security Officer and failure to adhere to it may lead to the user being denied access to the Company’s system and IT assets.

  4. EMAIL POLICY
    4.1. Purpose

The email policy defines the proper and secure use of electronic mail within the company.

    4.2. Scope

The email policy applies to all employees and other users, such as contractors, within the company.

    4.3. Policy Definitions

All assigned email addresses must be used in the interest of the company. Personal use of email addresses may be permitted as long as it does not affect the user’s work

Use of email addresses for external business, spamming, advertising or political campaigning is not allowed

Use of the company’s email addresses for sending abusive, obscene or racist messages is highly discouraged and may lead to immediate termination of employment

When a person ceases working for the company, the email address has to be deactivated in accordance with the company’s procedures with immediate effect

Messages originating from the company must have the company’s logo at the top and the approved signature at the bottom of the message

Attachments must be limited in size in accordance with the company’s attachment size limit

All systems must have an antivirus and malware detector so as to scan incoming and outgoing messages

Company email addresses must have a strong password and the passwords must be changed every 15 days

Visitors are not allowed to access company’s email addresses for outgoing messaging

    4.4. Policy Enforcement

This policy will be enforced by the Information Security Officer and failure to adhere to it may lead to the user being denied access to the Company’s system and IT assets.

  5. INTERNET POLICY
    5.1. Purpose

The Internet policy defines the use of and access to the Internet.

    5.2. Scope

Internet policy applies to all employees of Linda Ivory Ltd, visitors and other users such as contractors.

    5.3. Policy Definitions

Users must not view or distribute obscene or pornographic material. Doing so may result in immediate termination of employment

Users cannot download music or videos that have no company interest during working hours

Incoming and outgoing traffic must be regulated at all times using a firewall

Users can only download software that is useful to the company

    5.4. Policy Enforcement

This policy will be enforced by the Information Security Officer, and failure to adhere to it may result in termination of employment.

  6. ANTIVIRUS POLICY
    6.1. Purpose

The antivirus policy defines how system protection will be implemented within the company.

    6.2. Scope

The antivirus policy applies to computers, servers, laptops, tablets and mobile phones within the company.

    6.3. Policy Definitions

All computers and laptops must have an antivirus installed and updated frequently

All servers that are accessed by client workstations must have antivirus installed and updated only by the Information Security Officer

All tablets and mobile phones must have an antivirus installed and updated by the website developers and hybrid mobile developers

    6.4. Policy Enforcement

This policy will be enforced by the Information Security Officer, website developers, mobile developers and IT Technicians. The Information Technology Officer will only install and upgrade antivirus on the servers. Failure to adhere to this policy will lead to denial of access to IT assets and may also lead to termination of employment.
