




Security policies and procedures

Student’s Name

University’s Name







Table of Contents

Introduction

Importance of security plans, policies and procedures

Data privacy policies and procedures

Data isolation policies and procedures

Non-Disclosure Agreement (NDA) policies and procedures

Intellectual Property (IP) policies and procedures

Password policies and procedures

Acceptable use of organizational assets and data policies and procedures

Employee policies and procedures (separation of duties/training)

Risk response policies and procedures

Compliance (Regulatory, Advisory, Informative)

Incident response policies and procedures

Auditing policies and procedures

Environmental/physical policies and procedures

Administrative policies and procedures

Configuration policies and procedures

References




Introduction

This is a manual of security standards, policies, and procedures recommended to the management of Brainhub Limited. It first explains why implementing security plans, policies, and procedures matters to the organization, and then recommends policies and procedures for: data privacy, data isolation, non-disclosure agreements (NDA), intellectual property, passwords, acceptable use of organizational assets and data, employees, risk response, compliance, incident response, auditing, environmental/physical security, administration, and configuration.

Importance of security plans, policies and procedures

According to Loots (2001), a company’s security policy is the “central repository where intangible such as corporate philosophy, mission statements, culture, attitude to risk and other difficult to define parameters can finally be crystallized into enforceable, measurable action statements, procedures and ways of working”. Security plans, policies and procedures are important for the following reasons:

According to Yeagley (2015), they address threats. Yeagley (2015) observes that threats are everywhere and new ransomware appears every day; security policies and procedures define how such threats are detected and mitigated.

According to Yeagley (2015), security policies and procedures also establish who does what, when, and why. Yeagley (2015) says that they “provide a roadmap to employees of what to do and when to do it”. A good example is defining who is responsible for assigning passwords to users, what is expected when creating a password, and where the password is used to access the system.

Data privacy policies and procedures

Purpose

The main purpose of the data privacy policy and procedures is to protect people’s data from being accessed without the data owner’s consent.

Scope

These policies apply to employees, contractors, and clients

Responsibilities

The data privacy policies will be enforced by compliance management

Policies

The organization will notify the data owner of the actual purpose for which the data is collected

The organization will give data owners the choice to opt out of further processing of their data.

The organization will be accountable for users’ information and for how that information is processed

The organization will use the collected information only for its stated purpose

Compliance

Any individual who does not comply with these policies will be subjected to disciplinary action and/or termination of employment.

Data isolation policies and procedures

Purpose

The purpose of the data isolation policies is to ensure that data is isolated from unauthorized users.

Scope

The data isolation policy applies to data stored in the database

Responsibilities

This policy will be enforced by the database security administrator

Policies

A password is required to access data stored in the database

Stored passwords must be encrypted

Data transferred over the network must be encrypted

Compliance

Noncompliance with these policies will result in disciplinary action

Non-Disclosure Agreement (NDA) policies and procedures

Purpose

The purpose of the non-disclosure agreement policies is to explain how employees should handle the organization’s confidential information, including trade secrets.

Scope

This policy applies to employees and contractors who work at the organization premises.

Responsibilities

The non-disclosure agreement policy will be enforced by the human resource management

Compliance

Failure to comply with these policies will lead to termination of employment and/or legal action

Policy

Confidential information must remain on the organization’s premises at all times

Confidential information must be kept locked in a secure location at all times

Access to the organization’s confidential information is restricted to authorized personnel

Intellectual Property (IP) policies and procedures

Purpose

The purpose of these policies is to establish a structure for the ownership, reporting and commercialization of intellectual property

Scope

These policies apply to employees and contractors who work for the organization

Policy

The organization regards creative work and intellectual property arising from research on its premises or from its day-to-day operations as valuable assets of the organization

Any intellectual property that an employee develops using the organization’s facilities is the organization’s property; when it is commercialized, the employee will receive an amount agreed upon between the employee and the organization.

Password policies and procedures

Purpose

The purpose of the password policies is to create a guideline on how passwords should be created and used within the organization

Scope

This policy applies to employees and contractors who have been issued an organization account and can access the organization’s network.

Responsibilities

This policy will be enforced by the Systems Administrator

Policies

Passwords are not meant to be shared among users

The system should lock out a user who enters a wrong password three times

A password should be more than 10 characters long and include letters, numbers and special characters

A password should be changed periodically, e.g. every month
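The three checkable rules above (length and character mix, lockout after three wrong passwords, and periodic change) can be enforced in code. The following is an added example, not part of the original manual; the 30-day rotation window, the user names and the sample passwords are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH_EXCLUSIVE = 10   # policy: more than 10 characters
MAX_FAILED_ATTEMPTS = 3     # policy: lock out after three wrong passwords
MAX_PASSWORD_AGE_DAYS = 30  # assumption: "a month" is read as 30 days


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) <= MIN_LENGTH_EXCLUSIVE:
        problems.append("must be more than 10 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain a letter")
    if not re.search(r"\d", password):
        problems.append("must contain a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain a special character")
    return problems


@dataclass
class AccountLockout:
    """Tracks consecutive failed logins per user and applies the three-strike lockout."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, user: str, success: bool) -> str:
        if user in self.locked:
            return "locked"          # a locked account is rejected even with the right password
        if success:
            self.failures.pop(user, None)   # a successful login resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)    # third consecutive failure triggers the lockout
            return "locked"
        return "failed"


def password_is_expired(set_on_iso: str, today_iso: str) -> bool:
    """True when the password is older than the rotation window (dates as ISO strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(set_on_iso)
    return age.days > MAX_PASSWORD_AGE_DAYS
```

Unlocking a locked account is left to the Systems Administrator, who enforces this policy, rather than to an automatic timeout.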

Compliance

Failure to adhere to this policy will result in the user being denied access to the organization’s systems for a period of time, or in termination of employment if the user has been warned repeatedly

Acceptable use of organizational assets and data policies and procedures

Purpose

This policy sets out how the organization’s assets should be used and handled

Scope

This policy applies to the organization’s assets, including laptops, workstations, servers, software, stationery, etc.

Responsibilities

This policy will be enforced by the Chief Information Security Officer

Policy

Every employee assigned an asset by the organization is responsible for that particular asset

All users of IT assets must have received prior training

IT assets must be used for the intended purpose and by authorized users

Employee policies and procedures (separation of duties/training)

Purpose

The employee policies and procedures deal with how employees are to conduct themselves within the organization and while representing it to clients

Scope

This policy applies to all employees of the organization

Responsibilities

This policy will be enforced by the human resource management

Policy

Employees are meant to uphold ethical behavior at all times

Employees shall abide by the organization’s rules and regulations and by applicable laws at all times

Employees shall perform the duties assigned to them as specified in the job description for their position

Employees shall meet their stipulated individual performance requirements

Risk response policies and procedures

Purpose

The purpose of this policy is to manage risks arising from threats to data confidentiality, integrity and availability.

Scope

This policy applies to information systems and to electronic data transferred over the network.

Responsibilities

This policy will be enforced by the Chief Information Security Officer

Policy

The organization’s information systems must be assessed for risks that threaten the confidentiality, integrity and availability of data

Risks identified will need to be mitigated

Every information system must have a security plan derived from the risk input and from security and vulnerability assessments

Compliance (Regulatory, Advisory, Informative)

Purpose

The purpose of this policy is to ensure effective governance of the company in accordance with its policies and procedures and with the law.

Scope

This policy applies to employees, contractors and the user data that is collected

Responsibilities

This policy will be enforced by the senior management of the organization

Policy

The organization is required to comply with relevant legislation and obligations

Since Brainhub operates in Europe, it must comply with the EU General Data Protection Regulation (GDPR)

Training on compliance obligations will be conducted by compliance management

Incident response policies and procedures

Purpose

The purpose of this policy is to define the roles and responsibilities of the team that investigates computer security incidents and data breaches

Scope

This policy applies to the company’s information systems

Responsibilities

This policy will be enforced by the Computer Security Incident Response Team

Policy

The Incident Response Team will detect and investigate security incidents and breaches

An affected IT asset must not be turned off, since powering it off destroys volatile evidence needed for the investigation

Affected IT assets should be labeled so that users do not use them.

Everything should be documented, from the incident itself to the actions taken and the lessons learnt

Auditing policies and procedures

Purpose

This policy deals with assessing the organization’s performance against defined metrics and regulations.

Scope

The scope of this policy includes the company’s business units, assets, governance and security

Responsibilities

Auditing will be done by internal and external auditors

Policy

Several types of audit will be performed, including environmental audits, information technology (security) audits, performance audits and compliance audits

Environmental/physical policies and procedures

Purpose

The purpose of this policy is to ensure the physical security of the information processing equipment

Scope

This policy applies to business units, employees and contractors wishing to access the information processing facilities

Responsibilities

This policy will be enforced by the management of the organization

Policy

Servers will be placed in a well-ventilated room that is under lock and key at all times

CCTV will be installed on the organization’s premises to enforce security

Access to the organization’s premises and offices will require an identification card

Compliance

Any person who does not comply with this policy will be subject to disciplinary measures and/or termination of employment.

Administrative policies and procedures

Purpose

The purpose of this policy is to set rules on how the organization is run and governed on a day-to-day basis

Scope

This policy applies to sick leave, hiring and firing of personnel, dress code, promotions etc.

Responsibilities

This policy will be enforced by the senior management of the organization

Policy

New employees will undergo a probation period of six months

If the employee’s performance during the probation period is not satisfactory, his/her employment will be terminated

After an employee completes the probation period, he or she will be confirmed within one month

An employee’s salary will be adjusted based on an assessment of performance, work experience and educational background.

Leave and public holidays will be paid

Compliance

Any person who does not comply with this policy will be subject to disciplinary action and/or termination of employment

Configuration policies and procedures

Purpose

The purpose of this policy is to ensure the proper configuration of devices within the organization and thereby protect the organization’s data and information systems

Scope

This policy applies to information systems, including routers, switches, servers, firewalls, etc.

Responsibilities

This policy will be enforced by system and network administrators

Policy

The organization’s devices must be properly configured in accordance with the organization’s standards

References

Loots, M. (2001). Importance of a security policy. Retrieved from https://pdfs.semanticscholar.org/63f4/8a40f006c8e0c1de52903649217e589b89db.pdf

Yeagley, G. (2015). IT security policies and procedures: why you need them. Retrieved from https://www.compassitc.com/blog/it-security-policies-and-procedures-why-you-need-them