A Software Engineer designs, develops, tests, and evaluates the software and the systems that allow computers to execute their applications. Take on the role of Software Engineer for the organization i

Introduction

This is a security threat, attack, and vulnerability assessment for an organization known as JJ People. JJ People is an organization that deals with software development, website development and mobile application development. JJ People uses only the Java programming language to build its software.

Java is a high-level computer programming language. It enables programmers to write computer instructions in a readable, English-based syntax instead of numeric machine code; the source is compiled to bytecode that runs on the Java Virtual Machine.

JJ People IT designs its desktop applications using Java Standard Edition (Java SE), its websites using Java Enterprise Edition (Java EE) and its mobile applications for Android, whose application framework is Java-based. JJ People is an international organization that was established in Canada in 2002. Its headquarters is in London, United Kingdom. JJ People has several assets, which include computers that are used to program, website hosting servers where they host their clients’ websites, database servers where they keep their clients’ data, cloud computing services for the database and the network infrastructure that supports all of these.

Assessment scope of JJ People

Hardware

Computers

Network fiber optic and cables

Routers, switches, gateways, modems, wireless access points, proxy servers and firewalls

Web servers

Database servers, mail servers, application server, and telnet server

Mobiles and tablets for testing website responsiveness

Software

Operating system

Utilities (antivirus etc.)

Commercial applications such as word processing, photo editing etc.

Database management system and all other software

System model

[System model diagram]

From the diagram we can see that we have routers, switches, computers, laptops and servers; there is also a firewall, which is not shown in the diagram.

Router – this is a networking device that forwards packets between networks

Switch – a network device that connects devices together in a network

Server – a computer or computer program that manages access to a centralized resource in a network

Firewall – software or hardware placed on the network that blocks communication forbidden by the network policy

Existing countermeasures

Before we look at the countermeasures used by JJ People organization, let us first define a couple of terms. They include: countermeasures, vulnerability and threats.

Countermeasures are also called controls. A control is an action, device, procedure, or technique that removes or reduces a vulnerability. A vulnerability is a weakness in the system, for example in procedures, design, or implementation, that might be exploited to cause loss or harm. A threat to a computing system is anything that has the potential to cause loss or harm.

JJ People uses the C.I.A. triad, also known as the security triad, to ensure that it protects its devices and software from threats. C.I.A. stands for confidentiality, integrity and availability. Confidentiality is the ability of a system to ensure that an asset is viewed only by authorized parties. Integrity is ensuring that an asset is modified only by authorized parties. Availability is the ability to ensure that an asset can be used by authorized parties whenever they need it.

JJ People has in place security policies that are adhered to and touch on various areas including

  1. Network devices and infrastructure

The network devices such as routers and switches will be accessed only by network administrators.

Passwords of network devices such as routers and switches will be changed every fortnight and must be strong passwords that include letters, numbers and special characters.

The network administrator should ensure that device passwords are stored in hashed or encrypted form, never in plaintext in configuration files or configuration backups.

The network devices such as routers should lock a user out after two invalid password attempts. (Such an aggressive lockout also lets an attacker deliberately lock administrators out, so out-of-band console access must remain available.)

The network devices such as routers and switches should be accessed through the Secure Shell (SSH) protocol, which provides strong authentication and an encrypted connection, rather than telnet, which sends credentials in cleartext.

  2. Servers

Servers should be physically located in an access-controlled environment.

Servers should be up to date with the latest security patches.

Servers should only be accessed by system administrators.

Access to services on the server should be logged.

Servers should be accessed over the network through a Secure Shell (SSH) protocol.

Daily incremental back up and weekly full back up will be done on servers.

Users accessing the database server will be given the least rights and privileges needed for their work (least privilege).

Antivirus policy

All computers and mobile devices, including servers, should have antivirus software installed by system administrators.

Antivirus software should be up to date at all times.

Always scan devices attached to computers such as flash drives before using them.

Never download files from unknown or suspicious sources.

Threat agents and possible attacks

A threat agent is an individual, group or anything else that can bring about a threat.

  1. A user can save wrong data, compromising the integrity of the data.

  2. A Java programmer, in our case, can write code with an infinite loop or with unbounded allocation; the first exhausts the CPU and the second exhausts the heap (an OutOfMemoryError, or a memory leak when references are never released), either of which renders the computer unusable.

  3. Software without the latest security patches leaves the computer open to various attacks such as malware infection.

  4. A person can try to guess network passwords by trial and error, which is a brute-force attack.

  5. A person can overwhelm the web server with traffic so that it crashes, leading to a denial of service attack.

  6. An attacker can send a worm as an email attachment; when an unsuspecting user opens the attachment, the worm infects his / her system and then spreads through the network, a worm attack.

  7. Malware attacks – an attacker can set up a website hosting an exploit kit that probes visitors’ systems for vulnerabilities and, when it finds one, forces malware onto the visitor’s system (a drive-by download).

  8. An attacker can inject malicious script into a website so that it executes in other users’ browsers, stealing their sessions or data; this is a cross-site scripting (XSS) attack. Note that XSS compromises the users of the site, not the server itself.

  9. An attacker can enter SQL commands into a website’s input fields so as to read or manipulate data in the database server, resulting in a SQL injection attack.

  10. An attacker can scan a system for open ports over the network and exploit the services found behind them, leading to scanning attacks.

  11. A disgruntled employee can steal company information or leak sensitive information to competitors, leading to an insider attack.

  12. An employee or outsider can steal a laptop or mobile device, leading to a physical attack.

  13. An attacker can send emails or set up a website asking users to enter their bank details and other details, leading to theft of identity and user confidential details. This type of attack is known as a phishing attack.

  14. An elite team of hackers can target users so as to steal their information over a specific period of time using several techniques such as phishing etc. This type of attack is known as an advanced persistent threat.

  15. Malvertising attack – this is whereby an attacker uses online advertising to inject malware into a user’s system when they click on the infected advert.
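Items 8 and 9 above in working form, as an added example that is not code from JJ People or the Niko application. Python with an in-memory sqlite3 table stands in for the Java EE and MySQL stack; the vulnerable pattern is exactly what a JDBC `Statement` built by string concatenation produces, and the fix corresponds to a `PreparedStatement` plus output encoding. The schema, rows and payloads are constructed for this example and assume a simple client-search feature.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for the MySQL database behind the application.
    The schema and rows are assumptions for this example, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO clients (name, email, api_key) VALUES (?, ?, ?)",
        [("Acme Ltd", "ops@acme.example", "acme-key-1"),
         ("Globex", "it@globex.example", "globex-key-2")],
    )
    return conn


def search_vulnerable(conn, term):
    """Client search as an attacker hopes to find it.

    The query is built by concatenation, the equivalent of
    Statement.executeQuery("... LIKE '%" + term + "%'") in JDBC, so the
    search term becomes part of the SQL grammar (item 9).  The term is then
    written into the HTML response unescaped, so it also becomes markup
    that runs in the visitor's browser (item 8).  Returns (rows, page).
    """
    sql = "SELECT name, email FROM clients WHERE name LIKE '%" + term + "%'"
    rows = conn.execute(sql).fetchall()
    page = "<h1>Results for " + term + "</h1><ul>"
    for name, email in rows:
        page += "<li>" + name + " (" + email + ")</li>"
    return rows, page + "</ul>"


def search_fixed(conn, term):
    """The same feature with the two fixes a reviewer would require.

    1. The term travels as a bound parameter (PreparedStatement in JDBC),
       so it can only ever be compared as data.  LIKE wildcards inside the
       term still act as wildcards; that is a search-behaviour question,
       not an injection.
    2. Everything reflected into HTML goes through html.escape, so the
       browser renders it as text, never as script.
    """
    sql = "SELECT name, email FROM clients WHERE name LIKE ?"
    rows = conn.execute(sql, ("%" + term + "%",)).fetchall()
    page = "<h1>Results for " + html.escape(term) + "</h1><ul>"
    for name, email in rows:
        page += "<li>" + html.escape(name) + " (" + html.escape(email) + ")</li>"
    return rows, page + "</ul>"


# Payloads of the kind sqlmap or a manual tester would send.  The SQL one
# closes the quoted LIKE pattern, appends a UNION that reads a column the
# page never meant to show, and re-opens a quote so the trailing %' parses.
SQLI_PAYLOAD = "zz%' UNION SELECT name, api_key FROM clients WHERE 'a' LIKE 'a"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo():
    conn = make_db()
    leaked_rows, _ = search_vulnerable(conn, SQLI_PAYLOAD)
    safe_rows, _ = search_fixed(conn, SQLI_PAYLOAD)
    _, reflected = search_vulnerable(conn, XSS_PAYLOAD)
    _, escaped = search_fixed(conn, XSS_PAYLOAD)
    return {
        "keys_leaked_by_vulnerable": sorted(key for _, key in leaked_rows),
        "rows_from_fixed": safe_rows,
        "script_tag_in_vulnerable_page": "<script>" in reflected,
        "script_tag_in_fixed_page": "<script>" in escaped,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Running `demo()` shows the vulnerable search returning every client's API key for a query that should have matched nothing, while the parameterized version returns an empty result set for the same input; the XSS payload survives intact only in the unescaped page.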

Exploitable vulnerabilities

The types of vulnerabilities that can be exploited by an attacker include

  1. Insufficient testing of the Java programmed software.

  2. Lack of proper design while coming up with the Java software.

  3. Lack of implementing strong passwords to the system and having passwords such as “admin”.

  4. Lack of having antivirus that are up to date.

  5. Inadequate recruiting process of personnel.

  6. Unprotected communication lines, for example the telnet server listed in the assessment scope, which carries credentials in cleartext

  7. Insecure network architecture

  8. Lack of closing unused ports.
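Threat 4 above (password guessing) against vulnerability 3 (weak passwords such as “admin”) is exactly what the server policy's logging requirement lets the organization detect. The following Python script, an added example rather than anything JJ People runs, parses OpenSSH authentication lines in their usual syslog format and flags a source that fails too often inside a short window, plus the lower-severity case of a password login that succeeds after failures from the same source. The log lines are constructed for this example; the threshold and window are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH's syslog format (not real JJ People logs).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Mar  3 09:12:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Mar  3 09:12:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51815 ssh2
Mar  3 09:12:07 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51816 ssh2
Mar  3 09:12:09 web01 sshd[2221]: Failed password for invalid user test from 203.0.113.7 port 51820 ssh2
Mar  3 09:12:11 web01 sshd[2225]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 09:15:40 web01 sshd[2240]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar  3 09:15:52 web01 sshd[2240]: Accepted password for alice from 198.51.100.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5        # assumed: failures from one source that trigger an alert
WINDOW_SECONDS = 60  # assumed: sliding window in which they must occur


def parse(log_text):
    """Turn raw sshd lines into (timestamp, result, method, user, ip) tuples,
    skipping lines that are not authentication events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source IP.  Returns a dict
    ip -> alert detail for every source that reaches the threshold."""
    recent = defaultdict(list)   # ip -> timestamps of failures in the window
    users_tried = defaultdict(set)
    alerts = {}
    for ts, result, _method, user, ip in events:
        if result != "Failed":
            continue
        window_list = recent[ip]
        window_list.append(ts)
        while (ts - window_list[0]).total_seconds() > window:
            window_list.pop(0)          # expire failures outside the window
        users_tried[ip].add(user)
        if len(window_list) >= threshold and ip not in alerts:
            alerts[ip] = {
                "failures": len(window_list),
                "users": sorted(users_tried[ip]),
                "first": window_list[0],
                "last": ts,
            }
    return alerts


def detect_success_after_failures(events):
    """A password login that succeeds from a source that failed earlier is
    either a user's typo or a guess that worked; both deserve a look."""
    failed_sources = set()
    hits = []
    for _ts, result, method, user, ip in events:
        if result == "Failed":
            failed_sources.add(ip)
        elif result == "Accepted" and method == "password" and ip in failed_sources:
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, detail in detect_bruteforce(evs).items():
        print("brute force from", ip, detail)
    for ip, user in detect_success_after_failures(evs):
        print("review: password login for", user, "from", ip, "after failures")
```

On the sample, 203.0.113.7 is flagged after five failures in eight seconds across three user names, the signature of a dictionary attack; the single failure from 198.51.100.9 followed by a successful password login is reported for review rather than as an alert. Key-based logins never enter either count, which is one more reason the server policy's SSH requirement should be read as "SSH with keys".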

Penetration testing

This document will deal with penetration testing of a web application developed by JJ People Limited. The web application has been developed using Java Enterprise Edition (Java EE) with a MySQL database, chosen for its popularity in web and e-commerce applications. The web application is known as Niko. In this penetration test we will look at the pre-planning, the timeline required, the location of the testing, the countries where the tests will take place, the technologies used to conduct the penetration test, among other things. Let us start by defining penetration testing.

Penetration testing (or pentesting) simulates real attacks to assess the risk associated with potential security breaches. During a pentest, the testers not only discover vulnerabilities that could be used by attackers but also exploit vulnerabilities, where possible, to assess what attackers might gain after a successful exploitation.

Penetration testing scope

The penetration testing will test various areas of the system. The areas will include:

Passwords attacks

Client-side attacks

Social engineering

Web application attacks such as SQL injection

Wireless attacks

Stack-based buffer overflow

Pentest Pre-planning

The penetration testing of the website application will take 3 weeks and every test will have its own phase, for example passwords attack will be phase one and stack-based buffer overflow will be phase six.

The Niko website application was developed at the headquarter office in London and it will be hosted in the headquarters’ servers. This implies that the testing will happen at the JJ People Limited headquarters’ office in London.

The website application penetration testing team will involve two senior full-stack website developers, who will test web application attacks such as cross-site scripting, two systems administrators who will test password attacks, two network administrators who will test wireless and network attacks, two database administrators who will test database attacks such as SQL injection, and two senior Java programmers who will test stack-based buffer overflows and other Java-related problems. Note that the Java language itself is memory-safe, so a stack-based buffer overflow in Niko can only arise in native code reached through JNI, in native libraries the application loads, or in the JVM itself; that is where this phase should concentrate.

The client agreed that, since the testing of a website application is a technical endeavour, the client personnel aware of the testing would come from technical departments: one senior full-stack website developer, one senior Java programmer, one systems administrator, one network administrator, one senior database administrator and the Chief Information Security Officer (CISO).

The penetration testing team will be provided with various resources such as access to the server and the database server as long as it has been approved by the senior systems administrator, computers, and network access as long as it has been approved by the senior network administrator. The penetration team will also have access to the entire code and the database code.

Tools used

The penetration testing team will use a VMware virtual machine running Kali Linux. According to the Kali.org website, Kali Linux is a “Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing”. We will also use other tools such as:

Hyperion

We will use Hyperion, a runtime crypter for Windows executables, to test whether the antivirus software detects encrypted payloads.

Veil-Evasion

Veil-Evasion is a tool that generates payload executables you can use to bypass common antivirus solutions.

Ettercap

Ettercap is a tool that is used to perform man-in-the-middle attacks.

We will use nslookup, which queries DNS to resolve domain names to IP addresses (and back). We will use the Whois tool to look up the registration details of a domain. We will use Maltego, a data-mining tool designed to gather and visualize open source intelligence. We will use the nmap tool for port scanning and service detection. We will also use Ghost Phisher, a wireless and Ethernet security auditing and attack tool. We will use the Nikto web server scanner, which checks the server for potentially dangerous files, outdated software and misconfigurations. We will use sqlmap, which detects and exploits SQL injection flaws in web applications and their back-end databases. We will also use several other tools such as ProxyStrike, jboss-autopwn, FunkLoad etc.

Test boundaries

What is tested?

The penetration testing has got six phases: passwords attacks (testing how an attacker can access the system e.g. using weak passwords), client-side attacks (testing whether an attacker can inject malicious code using techniques such as cross-site scripting), website application attacks such as SQL injection, network and wireless attacks, social engineering attacks and stack-based buffer overflow.

Social engineering testing

A social engineering test uses the techniques of professional ethical hackers to trick a customer’s staff into revealing sensitive information or performing actions that create security holes through which a hacker can access the network.

We will test the on-site and off-site social engineering penetration testing.

Physical security testing

A physical penetration test sets out to uncover weaknesses in physical security before an unauthorized person exploits them. We will test physical security from internal boundaries, i.e. from within the organization, such as an unauthorized employee trying to access the server room, and from external boundaries, i.e. an unauthorized person trying to enter the organization’s building.

Restrictions on penetration testing

Limitation of time

A penetration test runs for a short, fixed time, whereas an attacker can take a week, a month or even a year to plan and carry out his / her attack.

Limitation of scope

Organizations do not test everything because they limit the scope of testing, leaving areas that might be vulnerable and can be a perfect place for an attacker to strike.

Limitation of known exploits

Testers only probe for the classes of weakness they know, such as cross-site scripting and SQL injection, leaving out areas they do not know, in which an attacker may find and exploit a vulnerability.

The type of corporate policies that affect our test include password policies, network policies etc.

Pentest Execution planning

Reconnaissance

We gathered information about our target such as IP addresses, web server software, network topology, the underlying database, mail servers etc.

Scanning

Here we interacted with the target system with the aim of identifying vulnerabilities. We repeatedly sent malformed and malicious input through the application’s text boxes and directly in HTTP requests, used scanning tools to find open ports and services, and recorded every response.

Gaining access

We confirmed one vulnerability: the application accepted and processed malicious code supplied as input in an HTTP request.

Maintaining access

We maintained access by injecting the same malicious code into subsequent requests; the server treated each such request as though it had arrived over a secure (HTTPS) connection and therefore trusted it.

Penetration Testing analysis and report planning

Within the scope and time of this test no other exploitable weakness was found in the web application or the underlying system; given the limitations of scope and of known exploits noted above, this does not prove the remaining areas are secure. The confirmed finding is that the system can be compromised by injecting malicious code into an HTTP request, and that is the issue that must be remediated.

Introduction

This paper is a recommendation to management of the organization about security standards, policies, and procedures which should be implemented in the organization JJ People. JJ People is an organization that deals in software development. The organization specializes in programming software with one particular programming language, Java and anything related to Java such as spring framework which makes it easy to create java enterprise applications etc.

Importance of security plans, policies, and procedures

A company’s security policy is the central repository where intangibles such as corporate philosophy, mission statements, culture, attitude to risk and other difficult-to-define parameters are finally turned into enforceable, measurable action statements, procedures and ways of working.

Policies are important because they address pertinent issues, such as what constitutes acceptable behavior by employees.

Procedures are clearly defining a sequence of steps to be followed in a consistent manner, such as how the organization will respond to any policy violations.

Data Privacy Policies and Procedures

Purpose

The purpose of the data privacy policy is to protect the information of an individual from being accessed by another person without their consent

Scope

The data privacy policy applies to employees, vendors, service providers, and clients whose data is stored in the organizations’ servers.

Responsibilities

This policy is enforced by Compliance Management of the organization

Policy

JJ People respects the privacy of its employees, clients and vendors and sees the need for appropriate protection and management of personal information. JJ People is guided by the following principles while processing personal information

Notice

JJ People provides clear notice on the purpose of why the information is being collected

Choice

JJ People gives users a choice on whether to opt out of further processing of their information etc.

Accountability for the processing of the personal information

Data integrity

JJ People will only process information to the particular purpose that it was intended.

Compliance

Any person who does not comply with this policy will be subjected to disciplinary action, termination of employment or even legal action.

Data Isolation Policies and Procedures

Purpose

This policy deals with the isolation of data from unauthorized users

Scope

This policy applies to data that is stored in the database server of the organization

Responsibilities

The database administrators are responsible for enforcing this policy

Policy

Data should be saved in the database and needs to be protected from unauthorized users

Standards

Users should be provided rights and privileges in accessing the data, the ones with lower privileges should access minimal data.

The data should be encrypted in transit (for example with TLS) so that it cannot be read while being transferred over the network

The data should be password protected

Non-Disclosure Agreement (NDA) Policies and Procedures

Purpose

The Non-disclosure agreement policy explains how employees should treat organization confidential information. Employees will view, receive and work with organization data and this may be information that gives the organization a competitive edge.

Scope

The Non-disclosure agreement policy applies to all employees including contractors who work at the organization premises and are authorized to access organization information.

Responsibilities

This policy will be enforced by senior management of the organization

Compliance

Failure to adhere to this policy will lead to disciplinary action, and/ or termination of employment or even legal action.

Policy

Not all employees can access confidential information

There will be various levels in place for accessing confidential information

Information such as unpublished financial information, data of customers, patents, markets and pricing information is considered confidential information

Standards

Confidential information should be shredded when it’s not in use

Confidential information should always be locked away

Only share confidential information with fellow employees when it is necessary and authorized

Confidential information should be kept inside organization premises

Intellectual Property (IP) Policies and Procedures

Purpose

The purpose of the Intellectual Property (IP) is to come up with a structure for the ownership, reporting, and commercialization of Intellectual Property.

Scope

This policy applies to all employees of the organization

Policy

The organization encourages creative work, research and learning and the Intellectual Property created out of this research is recognized as a valuable asset to the organization

The organization recognizes that any commercialization of Intellectual Property created by an employee, the employee is entitled to an equitable share to any financial returns provided by this commercialization.

Standards

The organization will own any Intellectual Property invented or created by an employee during employment

The organization will not claim ownership of any Intellectual Property created by an employee outside the course of employment if the employee did not use organization resources to come up with such Intellectual Property

Password Policies and Procedures

Purpose

The password policies and procedures define the guidelines and use of passwords in place. A poorly formed password may bring great damage to the organization such as denial of services due to the network being hacked.

Scope

The password policies and procedures will include all employees who have been issued an account and can access the company’s network using this account. It also includes visitors and contractors who have been given temporary access to the organization’s system.

Policies

Every user of the system must have a private identity when accessing the organization’s network

Users should not share their passwords

The system should have a mechanism of locking out the user if a password fails after two attempts

The user should change the password every fortnight

All workstations and devices that access the network such as routers, switches, and mobile devices should be password protected

A password should include letters, numbers and special characters and should not be less than ten characters long

Policy enforcement

This policy will be enforced by the Chief Information Security Officer (CISO) and failure to adhere to it will lead to an individual being denied access to company’s system and IT assets.

Acceptable Use of Organizational Assets and Data Policies and Procedures

Purpose

The acceptable use of organizational assets and data policy explains how the organizational assets should be handled

Scope

This policy applies to all organizational assets such as desktops, laptops, mobile devices, servers, network equipment, operating system, software, furniture, stationery etc.

Responsibilities

This policy will be enforced by Chief Security Officer (CSO) of the organization.

Policy

All IT assets must be used for the intended use and by authorized users

Every employee is responsible for the correct use of asset he / she has been assigned

All users handling IT assets must have prior training

Any disposal of assets must be done in accordance with the organizations’ procedure

All data needs to be backed up daily in an incremental fashion

Full back up of data will be done every fortnight

Employee Policies and Procedures (Separation of Duties/Training)

Purpose

The employee policy shows how the employees are meant to conduct themselves

Scope

The employee policy applies to all employees of the organization

Responsibilities

The employee policy will be enforced by the human resource management

Compliance

Failure to adhere to this policy will result in disciplinary action. It may also result in termination of employment and / or criminal charges.

Policy

The employees are expected to conduct themselves in an ethical manner within the organization premises or when representing the organization.

Standards

Employee shall abide by applicable laws, regulations and all standards

Employee shall meet the stipulated individual performance

Employee shall maintain the confidentiality of the organization’s information

Risk Response Policies and Procedures

Purpose

The purpose of this policy is to manage risks that arise from threats to confidentiality, integrity, and availability of organization’s data.

Scope

This policy applies to the information system and the electronic data that is created, stored and transmitted over the network by JJ People

Policy

All information systems must be assessed for risk that may result to threats to confidentiality, integrity, and availability of data.

Risks identified by a risk assessment needs to be mitigated

Every information system must have a security plan that is prepared using input from risk, security and vulnerability assessments

Responsibilities

The Information Security Administrators (ISA) need to ensure that their business units conduct risk assessments

Chief Information Security Officer is responsible for assessing and mitigating risks

Compliance (Regulatory, Advisory, Informative)

Purpose

The purpose of compliance policy and procedures is to have an effective governance of the organization while adhering to policy and procedures and the law.

Scope

The compliance policy applies to all employees and clients of the organization

Policy

The organization is committed to complying with all relevant legislation and obligations.

The organization has its headquarters in Europe and is therefore required to comply with the General Data Protection Regulation (GDPR)

The organization compliance management identifies compliance obligations and assesses them

Standards

Behaviour that supports compliance is encouraged

Training is done by the compliance management on compliance obligations

Incident Response Policies and Procedures

Purpose

The purpose of the incident response policies and procedures is to define the IT roles and responsibilities for investigating computer security incidents and data breaches

Scope

This policy applies to information system of the organization

Policy

The Computer Security Incident Response Team (CSIRT) has the mandate to detect and investigate security breaches

The CSIRT oversees the containment, remediation and recovery of any security incident detected

Responsibilities

This policy will be enforced by the Computer Security Incident Response Team (CSIRT).

Standards

Do not power off or log off the affected IT asset

The affected IT asset should be labeled so that other users do not touch it

Ensure the affected IT asset is not connected to the network

Document on how the incident was detected, actions taken, type of data affected, and lessons learnt.

Auditing Policies and Procedures

Purpose

Auditing policy ensures that organization’s performance is assessed while using several policies, standards, metrics, or regulations. The audit may include, looking at the organizations’ governance, IT controls etc.

Scope

The auditing policy applies to organization business units, assets, governance of the organization and security at large

Responsibilities

Internal and external auditors are responsible for conducting audits

Policy

Various audits need to be performed and they include

  • Compliance audits

  • Environmental audits

  • Information technology audits

  • Operational audits

  • Performance audits

Environmental/Physical Policies and Procedures

Policy

Information processing facilities that are critical to the organization’s day to day running will be put in a secure area that is defined by security perimeter and access controls. The control will enable access to authorized people.

Responsibilities

This policy will be enforced by the senior management of the company

Scope

This policy applies to all business units and contractors working at the organization’s premises and need access to the information processing facilities.

Compliance

Failure to comply with these policies may result in disciplinary action or even termination of employment

Standards

The company has put in place the following standards to enforce this policy.

Company will always have CCTV installed and in place

Offices that are not in use should be under lock and key

Server room will always have heat sensors installed and in place

Users will always access the business premises and rooms using an electronic identification badge

Administrative Policies and Procedures

Policy

The administrative policies and procedures provide the set of rules by which an organization is governed.

Responsibilities

The administrative policy will be enforced by the senior management of the organization

Scope

The policy applies to employment of personnel, vacation time, sick leave, dress code, firing and promotion of personnel

Compliance

Failure to adhere to this policy may lead to disciplinary action or even termination of employment

Standards

New employee shall pass through a probationary period of six (6) months

If the performance of the employee is not satisfactory during the probation period, the employee contract shall be terminated at any time

If an employee completes the probationary period, he / she will be given a confirmation letter within a duration not exceeding two months after the probation period.

Salary of an employee shall be adjusted as deemed necessary by the organization upon considering the following criteria:

  • Performance of the employee

  • Educational background

  • Work experience

  • Work intensity

Regular working hours will be determined based on the conditions of the work and will not exceed 40 hours a week

Working hours will be 8.00 A.M to 5.00 P.M and a break of one hour will be observed between 12 P.M and 2 P.M.

Public holidays shall be observed by all employees of the organization and will be in line with the Country where the organization is located.

Public holidays shall be holidays with pay

Employees who have completed their probation period are eligible for sick leave and should inform his/her supervisor within 24 hours of the same day.

Configuration Policies and Procedures

Purpose

The configuration policy is to protect the organization data and information systems by ensuring consistent configuration of devices across

Scope

This policy applies to all information systems, which include but are not limited to routers, firewalls, switches, servers, printers, desktops, laptops etc.

Responsibilities

The network and systems administrators are the ones to enforce this policy

Policy

The organizations’ systems that process and transmits data must be configured in accordance to appropriate standards and in the right manner

Before being deployed into production, a system must meet applicable standards.

Risk Mitigation Introduction

This is a security risk mitigation document for JJ People Limited. This document will cover various areas such as security policies and controls, password policies, administrator roles and responsibilities, authentication strategy, intrusion detection and monitoring strategy, virus detection and protection strategies, auditing policies and procedures, education plan, risk response, change management, acceptable use of organization assets and data, employee policies, incident response and the incident response process.

Security policies and controls

Purpose

The purpose of this policy is to ensure adequate level of security in protecting JJ People Limited data and Information Systems from unauthorized access.

Scope

This policy affects all the employees of the organization, contractors, consultants and temporary employees.

The policy also applies to computer and communication systems owned or operated by JJ People and it also applies to all application systems of the organization.

Policy

Any user accessing the organization network and systems must be authenticated. The authentication will include biometric identification, password, and personal identification number.

All workstations used for organization activities must use an access control system approved by the organization. They will have password-protected screensavers that engage after a period of no activity.

Users are expected to log out of a workstation when they have finished their work. Users will be held responsible for any activity performed under their sign-on on a workstation.

Workstations that are inactive will be reset after a period of time of inactivity (typically 30 minutes).

Access control will be applied to all computer systems.

System access will not be granted to any user without appropriate approval. User access will immediately be revoked if the individual has been terminated or the contract has expired.

Users will be granted access on a need-to-know basis; that is, users will be granted the minimum privileges required to perform their jobs.

Users of the company’s system will need to sign a compliance statement indicating that they will abide by the policies and procedures enforced by the company.

Enforcement

This policy will be enforced by the Chief Information Security Officer.

Violation of this policy may result in termination of employment and/or legal action.

Password policies

Purpose

The purpose of this policy is to ensure that only authorized users gain access to the company’s information systems.

Scope

This policy applies to employees of the organization, contractors, consultants, temporary employees and business partners.

Policy

All organization systems will require a valid user ID and password.

Passwords should not be stored in readable form without access control or in locations where unauthorized users can discover them.

All programs and applications, including third-party applications and the applications developed by the organization, must be password protected.

Passwords must be at least 10 characters long and must contain letters, numbers and special characters.

All passwords must be changed promptly if they are suspected of having been disclosed.

All users must change their passwords at least once every month.

After three failed attempts at entering a password, the user ID must be suspended until it is reset by a system administrator.

Enforcement

This policy will be enforced by the system administrator. Violation of this policy will result in the user being denied access to the organization’s systems for a period of time determined by the systems administrator.

Administrator roles and responsibilities
  1. Systems administrator

Roles and responsibilities of the systems administrator:

User administration (setting up and maintaining accounts)

Maintaining systems

Monitoring system performance

Creating a backup and recovery policy

Monitoring network communication

Ensuring systems are updated and new patches are installed

Setting up security policies for users

Password and identity management

  2. Network administrator

Installing and configuring computer networks and systems

Monitoring computer networks and systems

Providing network administration and support

  3. Chief Information Security Officer

Oversee security operations

Oversee cyber risks and cyber intelligence

Oversee data loss and fraud prevention

Oversee security architecture in application design

Ensure identity and access management

User roles and responsibilities

Users will use the company’s computer systems as described in the physical assets policy.

Employees will abide by the policies described in the employee policies.

Users must protect the organization’s data and secrets as described in the non-disclosure agreement policy.

Authentication strategy

The organization will use encryption in order to ensure that data remains authentic as it passes over the network.

The information system will lock out a user who has failed three attempts to access the system until the systems administrator resets his/her account.

The server room will use biometric authentication where the user needs to verify his/her fingerprint.
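A small model of the rules stated in the password policy and the authentication strategy above (minimum length and character classes, suspension after three failed attempts until an administrator resets the ID, the monthly change and the 30-minute inactivity reset), as an added example that is not part of the JJ People document; the 30-day password age and all names here are the editor's assumptions.

```python
# Added example, not from the JJ People document: a model of the password
# policy and lockout rules above; 30-day password age is an assumption.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 10                         # "not be less than 10 characters"
MAX_FAILED_ATTEMPTS = 3                 # suspend the user ID after three
MAX_PASSWORD_AGE = timedelta(days=30)   # "once every month" (assumed 30 days)
IDLE_TIMEOUT = timedelta(minutes=30)    # "typically 30 minutes" of inactivity
SPECIALS = set(string.punctuation)

def password_meets_policy(pw: str) -> bool:
    """At least 10 characters with a letter, a digit and a special character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))

def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the stored credential is never the readable password.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime                # when the password was last set
    failed_attempts: int = 0
    suspended: bool = False
    last_activity: datetime = datetime.min

    @classmethod
    def create(cls, user_id: str, pw: str, now: datetime) -> "Account":
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        return cls(user_id, salt, hash_password(pw, salt), now)

    def login(self, pw: str, now: datetime) -> str:
        """Return 'ok', 'denied', 'suspended' or 'expired'."""
        if self.suspended:
            return "suspended"          # only admin_reset() clears this
        if now - self.changed_at > MAX_PASSWORD_AGE:
            return "expired"            # password must be changed first
        if hmac.compare_digest(hash_password(pw, self.salt), self.digest):
            self.failed_attempts = 0
            self.last_activity = now
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.suspended = True
            return "suspended"
        return "denied"

    def admin_reset(self) -> None:
        self.suspended = False
        self.failed_attempts = 0

    def session_active(self, now: datetime) -> bool:
        # Workstation session is reset once idle longer than IDLE_TIMEOUT.
        return now - self.last_activity <= IDLE_TIMEOUT

def walkthrough() -> list:
    """Constructed scenario: two wrong guesses, a third that suspends the ID,
    an admin reset, a good login, then an idle check and a password expiry."""
    t0 = datetime(2024, 1, 8, 9, 0)
    acct = Account.create("jdoe", "Correct-Horse9!", t0)
    results = [acct.login("wrong-guess-1!", t0) for _ in range(3)]
    results.append(acct.login("Correct-Horse9!", t0))   # still suspended
    acct.admin_reset()
    results.append(acct.login("Correct-Horse9!", t0))
    results.append(acct.session_active(t0 + timedelta(minutes=31)))
    results.append(acct.login("Correct-Horse9!", t0 + timedelta(days=31)))
    return results
```

Calling `walkthrough()` returns the status of each step in order, which is the sequence the policy text prescribes: two denials, suspension, no access until the administrator reset, then the idle and expiry checks.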

Intrusion detection and monitoring strategy

We will employ both host-based intrusion detection and network-based intrusion detection.

Network-based intrusion detection

Network-based intrusion detection analyzes data packets as they travel over the network. The packets are examined and, where applicable, compared against known signatures to verify their nature. We will use Snort for network intrusion detection.

According to Snort.org, “Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks”.

Host-based intrusion detection

Host-based intrusion detection consists of a special agent on the host that observes activities such as system calls, file access and application logs, and can protect the host from attacks originating from other hosts.

Virus detection strategies and protection

All computer systems of the organization shall have anti-virus software installed and scheduled to run at regular intervals.

The anti-virus software must be kept up to date with the latest signatures and security patches.

The network must be behind a firewall that checks incoming and outgoing packets.

All computer systems must have antivirus with web and email scanning that checks for malicious websites and emails.

Users must not download suspicious attachments.

If a workstation is infected by a virus, it must be disconnected from the network to prevent the virus from spreading.

Always scan external devices such as hard drives before using them.

Auditing policies and procedures

Purpose

The auditing policy ensures that the organization’s performance is assessed against a number of policies, standards, metrics, or regulations. An audit may include looking at the organization’s governance, IT controls, etc.

Scope

The auditing policy applies to the organization’s business units, assets, governance and security at large.

Policy

Various audits need to be performed every year. They include:

  • Compliance audits

  • Environmental audits

  • Operational audits

  • Performance audits

  • Information technology audits

Enforcement

Auditing will be enforced by internal and external auditors.

Education plan

Employees and business partners will be educated every year on risk mitigation and company security at large, from cyber threats to physical access threats, and also whenever the security documents change.

Risk response

Risk acceptance

The organization knows that, in rare circumstances, the software it develops can fail in the hands of the user. The organization accepts these risks.

Risk avoidance

The organization knows that certain programming languages may be better suited to certain jobs than Java (the programming language used by the organization). The organization therefore declines to build a client’s application that would be better written in another programming language, in order to avoid the risks that may arise later.

Risk limitation

The organization relies heavily on risk limitation, as seen in performing data backups, using a firewall to protect the network, and holding fire drills so that staff know what to do when a fire starts.

Risk transference

Risk transference involves handing the risk off to a willing third party. The organization also practices risk transference by taking out insurance of various forms, such as employee insurance and business premises insurance.

Change management / version control

Purpose

This policy defines a formal process for making changes to IT, software development and security services and operations.

Scope

This policy applies to all company computing systems and platforms.

Policy

A change request must be submitted to management.

A complete risk assessment and impact analysis must be carried out.

A technical impact analysis must be carried out.

Changes will be approved by the change advisory board.

A rollback/mitigation plan must be designed in case of failure.

Acceptable use of organization assets and data

Purpose

This policy outlines the acceptable use of assets and data in the organization. Inappropriate use may result in compromise of network systems and services, virus attacks and even legal issues.

Scope

This policy applies to the assets of information, electronic and computing devices, and network resources.

This policy also applies to employees, contractors, consultants and temporary employees.

Policy

You are responsible for reporting theft, loss or unauthorized disclosure of the company’s proprietary information.

You may share proprietary information only to the extent that you are authorized to do so in order to fulfill your duties.

All devices, such as mobile and computing devices, connected to the internal network must comply with the minimum access policy.

System-level and user-level passwords must comply with the password policy.

Accessing data, a server or an account to conduct any business other than the organization’s activities is prohibited.

Using the organization’s assets to promote politics is prohibited.

Using the organization’s assets to abuse others or send racist messages is prohibited.

Employee policies

Purpose

The employee policy shows how employees are meant to conduct themselves within the organization and when representing the organization to clients.

Scope

This policy applies to all employees.

Policy

The employees are expected to conduct themselves in an ethical manner within the organization premises or when representing the organization.

Standards

Employees shall abide by applicable laws, regulations and all standards.

Employees shall meet the stipulated individual performance targets.

Employees shall maintain the confidentiality of the organization’s information.

Enforcement

This policy will be enforced by Human Resource Management.

Violation of this policy will result in termination of employment.

Incident response

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as a security incident.

An incident occurred whereby an employee opened an email and downloaded an attachment that was infected with malware.

Incident response process

An incident response process will include preparation, identification, containment, eradication, recovery and lessons learnt.

Preparation

This involves preparing users to handle potential incidents should they arise.

In our scenario, this involves enabling users to report the malicious downloaded attachment.

Identification

This involves determining whether an event is indeed a security incident.

In our scenario, it involves scanning the downloaded attachment using antivirus software.

Containment

This involves limiting the damage of the incident.

In our scenario, it involves removing the affected machine from the network.

Eradication

This involves finding and removing the root cause of the incident.

In our scenario, we already know the root cause of the problem, so we scan the downloaded attachment and the workstation and remove the virus.

Recovery

This involves returning the affected system back to the production environment.

In our scenario, we return the workstation to the organization network.

Lessons learnt

This involves completing the incident documentation and learning from the incident to improve future response efforts.

In our scenario, users should learn that they must not download suspicious attachments, or that they should scan them before downloading.
