ICT380 - Workshop 7

1) The document outlines best practices for implementing controls from Report 2-5, including updating outdated technologies, keeping operating systems and patches current, implementing robust physical access controls, educating employees on security practices, encrypting data and devices, enforcing strong password policies, and following frameworks like ITIL. 2) Key activities required are dumping FTP for secure file transfer, upgrading workstations, limiting access to specific areas with biometrics, escorting visitors, encrypting devices, enforcing a new password policy, and identifying an off-site backup location. 3) Considerations include ensuring employee compliance, allowing time for new controls, securing management support, assuming backup location stability, and having expertise to implement changes.

Uploaded by Neelav Barai

Best practices for implementing the controls identified in Report 2-5.

1. The use of outdated technology needs to be stopped immediately, as the technology
space grows very fast and potentially harmful entities keep searching for new
vulnerabilities to explore and take advantage of. Old technologies like FTP, TELNET and
HTTP were excellent products of their time, but their weaknesses (they send credentials
and data in cleartext) are now known to everyone, and hackers in particular look for such
opportunities to inflict financial and structural harm on organisations.
2. The operating system is one of the most crucial parts of any system; without it, no
server or workstation will work the way we want. It communicates with the internal
hardware and provides the instructions to perform different activities. Every operating
system is built with resilience against unauthorised access to its components, and this
generally works very well. But with the passage of time, vulnerabilities are discovered
by harmful people or organisations, and if the defects are not patched on time, hackers
can gain unauthorised access to the system. This can lead to severe outcomes, sometimes
the shutdown of the whole organisation. To tackle this, it is the responsibility of the
IT security department to keep operating systems updated and to apply the correct
patches on time, after testing the compatibility of the new patches with the existing
applications.
3. For physical security, first of all we need robust access control. Proximity cards and
optical turnstiles for every person entering the building are a must. Security cameras,
alarms and manual monitoring are essential and act as a checkpoint for the case when
someone tries to enter the premises without proper authorisation. The use of RFID,
magnetic cards or biometric checkpoints increases security greatly and keeps a log of
every person entering the office.
4. Every organisation should adopt a framework for rigour in operations, to educate
employees and create awareness of the proper use of office facilities and of maintaining
security through a few basic precautions. Such precautions include closing the door after
entering any room or the building, not allowing anyone to tailgate behind someone,
keeping the access card carefully and reporting a lost card immediately, and reporting
any suspicious activity by any person. There should be periodic training and evaluation
of all employees regarding their knowledge of information security.
5. Encryption of data and of the hard drives of portable workstations is a necessary part
of information security and needs to be taken very seriously by the organisation; it must
not be overlooked.
6. A good password policy is always a requirement for every organisation, as the theft of
the password of a very important person can be very dangerous. The password policy
should consist of:
a. Choosing a very strong password that combines alphanumeric characters and
special characters.
b. The password must not be a word from the dictionary.
c. When the password is changed, it must not be similar to any password previously
used by the same user.
d. Passwords have to be changed every month.
e. No one should write the password down in plain text to keep it handy for regular use.
7. Every organisation should follow an information technology framework like ITIL to
maintain business continuity and provide deliverables to the client on time. It is a
widely used framework in the IT industry; it covers risk management and business
management and builds a stable IT environment to achieve growth.
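The password policy in items 6a to 6e above can be turned into an automated check at password-change time. The following is an added example, not part of the workshop document; the mini dictionary, the 30-day reading of "every month", the difflib similarity threshold and the use of SHA-256 digests for the password history are assumptions made for the demonstration.

```python
"""Checker for the password policy in items 6a-6e above.

This is an added example, not part of the workshop document. The mini
dictionary, the 30-day reading of "every month" and the similarity
threshold are constructed assumptions for the demonstration."""
import difflib
import hashlib
import re
from datetime import date, timedelta

# Constructed mini dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "company", "admin"}
MAX_AGE_DAYS = 30        # rule 6d, "changed every month", read as 30 days (assumption)
SIMILARITY_LIMIT = 0.6   # difflib ratio above which a new password counts as "similar" (assumption)


def hash_password(pw: str) -> str:
    """History is kept as SHA-256 digests so old passwords are never stored in plain text (rule 6e)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(new_pw: str, old_pw: str, history_hashes: set) -> list:
    """Return the list of violated rules; an empty list means the new password is acceptable.

    old_pw is the password being replaced (available in plain text only during the
    change itself); history_hashes holds digests of every password the user has used."""
    problems = []
    # 6a: letters, digits and special characters must all be present
    has_letter = re.search(r"[A-Za-z]", new_pw)
    has_digit = re.search(r"\d", new_pw)
    has_special = re.search(r"[^A-Za-z0-9]", new_pw)
    if not (has_letter and has_digit and has_special):
        problems.append("6a: needs letters, digits and special characters")
    # 6b: not a dictionary word, even with digits or symbols appended ("Summer2024!")
    stem = re.sub(r"[^a-z]", "", new_pw.lower())
    if stem in DICTIONARY:
        problems.append("6b: based on a dictionary word")
    # 6c: never reuse an earlier password, and do not pick one close to the current one
    if hash_password(new_pw) in history_hashes:
        problems.append("6c: password was used before")
    elif old_pw and difflib.SequenceMatcher(None, old_pw, new_pw).ratio() > SIMILARITY_LIMIT:
        problems.append("6c: too similar to the current password")
    return problems


def rotation_due(last_changed_iso: str, today_iso: str) -> bool:
    """Rule 6d: True once the password is older than MAX_AGE_DAYS (dates as ISO strings)."""
    return date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso) > timedelta(days=MAX_AGE_DAYS)
```

Only exact reuse can be detected against hashed history; the similarity check is therefore limited to the password being replaced, which is the only old one available in plain text at change time.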

Activities required to complete due diligence in this matter.

1. We have to dump the old FTP technology for transferring files and adopt the newer,
more secure SSH-based file transfer to send files to customers.
2. All workstations need to be upgraded to Windows 10 after thorough testing of the
compatibility of all applications currently in use.
3. Access to the upper levels will only be via the front security desk, and security
officers will be present at the desk at all times. Each user will be given biometric
access, and users will be given access only to specific areas.
4. Visitors should be escorted into and out of the office building. There will be proper
training programs for employees to create awareness.
5. All portable workstations and devices will be encrypted to prevent data theft.
6. The password policy described above will be applied immediately.
7. Auto-locking doors will be implemented so that only authorised people can enter the
rooms, and the doors will close automatically after people have entered or left.
8. A proper BCP location will be identified, and the backup tapes will be stored in a
location away from the city where the organisation's office is located.

Considerations that need to be taken into account.

1. The first consideration is that all employees follow the instructions given to them
during training and are vigilant enough to point out any violation of the security policy
by anyone.
2. The second assumption is that, until all the new changes in the security policy have
been implemented, no breach of security will take place and the current setup will be
able to hold off any attempt at unauthorised access.
3. The third assumption is that senior management is willing to put effort, resources and
investment into the change in security policy.
4. The fourth consideration concerns the backup location. We assume that the location
chosen for BCP will not be hit by an outage at the same time as the present location
faces a serious outage.
5. The fifth assumption is that we have the required expertise in the organisation to
implement the changes; if we do not have the right experts in the company, we will be
able to hire them, but that process will take extra time.

Metrics and measurements to monitor the impact of the control.

1. An internal audit needs to be performed by associates from the same company who have
the correct knowledge of the security policies and of the process of implementing them.
Regular auditing of the systems and activities is very necessary in the organisation.
2. An external audit is also needed, bringing in professionals from third-party
organisations to audit the security policy and its implementation. This will provide
great insight for improving the existing policies.
3. Daily monitoring of access usage by employees is required to identify anyone who has
tried to enter a restricted space. This will help in tightening security in the zones
where attempts were made.
4. The training progress of employees should be monitored; this will tell us how
effectively associates are participating in the training programs.
5. Organise physical workshops for employees to create awareness in a fun and hands-on
way.
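Metric 3 above (daily monitoring of access usage to spot attempts on restricted spaces) can be scripted over the logs that the card and biometric readers keep. The following is an added example, not part of the workshop document; the log format, zone names, working hours and alert threshold are constructed assumptions, and the after-hours check goes slightly beyond the metric as written.

```python
"""Daily review of physical-access logs, for metric 3 above.

This is an added example, not part of the workshop document. The log
format, zone names, working hours and alert threshold are constructed
assumptions; it also flags after-hours entries, which goes slightly
beyond the metric as written."""
from collections import Counter
from datetime import datetime

# Constructed sample of one day's door-reader events, one per line:
# <ISO timestamp> <user> <zone> <GRANTED|DENIED>
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice lobby GRANTED
2024-03-04T08:03:40 alice level2 GRANTED
2024-03-04T08:15:09 bob lobby GRANTED
2024-03-04T08:16:22 bob server-room DENIED
2024-03-04T08:16:30 bob server-room DENIED
2024-03-04T08:17:01 bob server-room DENIED
2024-03-04T12:40:55 carol level3 DENIED
2024-03-04T22:10:03 alice level2 GRANTED
"""
RESTRICTED = {"server-room", "level3"}  # zones only specific users may enter (assumption)
ALERT_AFTER = 2                          # denied attempts per user and zone that warrant review
WORK_HOURS = range(7, 20)                # 07:00-19:59; anything else is after hours (assumption)


def parse_events(text: str) -> list:
    """Turn raw log text into (timestamp, user, zone, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, zone, result = line.split()
        events.append((datetime.fromisoformat(ts), user, zone, result))
    return events


def daily_report(events: list) -> dict:
    """Summarise denied attempts on restricted zones, who needs follow-up, and after-hours entries."""
    denied = Counter()
    for _, user, zone, result in events:
        if result == "DENIED" and zone in RESTRICTED:
            denied[(user, zone)] += 1
    review = sorted(f"{user} -> {zone} ({n} denied)"
                    for (user, zone), n in denied.items() if n >= ALERT_AFTER)
    after_hours = [f"{ts.isoformat()} {user} {zone}"
                   for ts, user, zone, result in events
                   if result == "GRANTED" and ts.hour not in WORK_HOURS]
    return {"denied": dict(denied), "review": review, "after_hours": after_hours}
```

The "review" list is what the security desk would follow up on each morning; repeated denials against the same restricted zone are the signal the metric asks for.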
