Indigo’s Equestrian Ventures Security Plan
Bello Groups Written Information Security Plan
Patrick o James
INDIGO’S EQUESTRIAN VENTURES ORGANIZATION
INFORMATION SECURITY PLAN
The main objective of Indigo's Equestrian Ventures in planning, developing and implementing the following written information security plan (WISP) is to create a robust security policy that covers all the needs of the organization: to identify administrative, physical and technical controls, to evaluate the company's current security posture, and to determine what controls need to be in place to safeguard its information. The security plan sets the procedures for evaluating the current security posture and addresses the physical and electronic methods of collecting, accessing, storing, transmitting and protecting personal information.
For the purposes of the WISP, personal information is defined as a first initial and last name combined with any of the following data elements: a Social Security number, a financial account number, an access code, or a state-issued identification number, with or without any required security code, personal identification number or password that would permit access to a resident's financial account.
PURPOSE OF THE PLAN
The plan has the following purposes:
To ensure the security and the confidentiality of personal information
To protect the organization against any anticipated threats or hazards to the security or integrity of any information.
Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
ACTION PLAN AND STEPS
In formulating and implementing the security plan, the Bello group has addressed and incorporated the following protocols:
Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of any paper or electronic record that contains personal information and that could result in the disclosure, alteration, misuse or destruction of customer information in any of the states where the company operates.
Assess the likelihood and potential damage of these threats, taking into account the sensitivity of the personal information involved.
Evaluate the sufficiency of existing policies, procedures, customer information systems and other available safeguards to control these risks.
Implement regular monitoring of the efficiency and effectiveness of the safeguards.
Design and implement a plan that puts safeguards in place to minimize the risks.
The Bello group has created the position of Data Security Coordinator, who will implement, supervise and maintain the security plan. This employee will be responsible for the following:
Training of employees.
Implementation of the security plan.
Evaluating the ability of each third-party service provider to implement and maintain appropriate security measures for any personal information it has been permitted to access, and requiring third-party service providers by contract to implement and maintain such security measures.
Encouraging regular testing of the controls and safeguards established by this plan.
Ensuring that annual training sessions on the elements of these controls are held for all employees, managers, owners and independent contractors, including casual staff, who have access to personal information.
Internal risk mitigation policies
In order to guard against internal threats and risks to the security of personal information and to the integrity of any electronic or paper record, and to re-evaluate those risks where necessary, the following measures are mandatory and take immediate effect:
Access to records containing personal information is limited to those employees whose duties, as described in their job description, give them a legitimate need to access those records, and only for a legitimate job-related purpose.
Only collect the personal information of clients, customers or employees that is necessary to accomplish legitimate business transactions.
All applicable employment contracts will be amended to require employees to comply with the provisions of this plan and to prohibit any non-conforming use of personal data.
A training session for all employees will be held on (INSERT DATE HERE) to explain the provisions of the plan in detail.
Any suspicious or unauthorized use of personal information is to be reported to a supervisor or the Data Security Coordinator.
The Data Security Coordinator or his/her designee shall be responsible for all reviews and modifications of the WISP and shall fully consult and apprise management of all reviews, including any recommendations for improved security arising from a review.
Current employees' user IDs shall conform to accepted security standards, and all passwords shall be changed every year or sooner as needed.
The Data Security Coordinator shall maintain a secure, unique and confidential master list of all lock combinations, keys and passwords. The list shall be used to identify which employee possesses a given key, password, key card or other access credential, and to ensure that only approved personnel have been issued the respective credential.
Disciplinary action shall be applied to violations of the security plan irrespective of whether personal data was actually accessed or used without authorization.
Written and electronic records containing any personal information shall be securely destroyed or deleted by the responsible personnel at the earliest opportunity consistent with business needs and legal retention requirements.
Terminated employees must return all records in their possession containing the personal data of customers, clients, employees or any other person related to the company before leaving the company premises or at the time of contract termination.
When an employee is terminated, whether at the main data center or at a regional office, his or her physical and electronic access to records shall be restricted with immediate effect. This includes remote electronic access, voicemail, internet and email access; keys, business cards and access devices shall be surrendered at the time of termination.
External risk mitigation policies
Operating system security patches, all software products and firewall protection shall be kept up to date so that they can share intelligence via reputation feeds and perform browser and endpoint security checks and infection assessment.
A reasonably up-to-date version of all system security software, including anti-malware, anti-virus and internet security software, shall be properly installed on every computer that stores or processes information.
Personal information shall not be removed from the business premises in electronic or written form absent a legitimate business need and the use of the reasonable security measures described in this policy.
Secure user authentication protocols shall be in place to control user IDs and other identifiers and to control passwords, so that password information is kept securely.
Implement internal inspection devices, such as intrusion prevention system (IPS) and network behavior analysis (NBA) technologies between any VPN termination device and the internal network environment so that attacks or behaviors can be discovered or prevented within the remote access network infrastructure.
A network intrusion detection system (IDS) can identify traffic patterns that match network-based scanning.
Deploy security information management systems so that attacks can be detected through the analysis and correlation of incoming threat data.
Endpoint protection shall be introduced: host-based malware protection solutions, including antivirus software of all types, host intrusion prevention systems and advanced malware protection solutions, help identify, alert on and block malicious software.
Network security personnel shall also be hired to validate that monitoring devices and controls are in place.
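The correlation step called for above (a security information management system detecting attacks by correlating incoming events, and an IDS spotting repeated patterns) can be illustrated with a small rule. The following is an added example, not part of the plan or any product it names: it parses constructed, syslog-style login records, flags any source that produces five or more failed logins within one minute, and notes whether that burst was followed by a successful login from the same source, which is the case a SIEM rule would escalate. The log format, host addresses and user names are all made up for the example.

```python
"""Toy log-correlation rule: burst of failed logins per source, optionally
followed by a success from that source.  All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).  10.0.0.5 tries three
# accounts in 15 seconds and then succeeds; 10.0.0.9 fails twice 40 minutes
# apart, which a burst rule should ignore.
SAMPLE_LOG = """\
2024-01-15T09:00:01 sshd FAILED user=alice src=10.0.0.5
2024-01-15T09:00:04 sshd FAILED user=alice src=10.0.0.5
2024-01-15T09:00:09 sshd FAILED user=alice src=10.0.0.5
2024-01-15T09:00:12 sshd FAILED user=bob src=10.0.0.5
2024-01-15T09:00:15 sshd FAILED user=carol src=10.0.0.5
2024-01-15T09:00:20 sshd ACCEPTED user=carol src=10.0.0.5
2024-01-15T09:05:00 sshd FAILED user=dave src=10.0.0.9
2024-01-15T09:45:00 sshd FAILED user=dave src=10.0.0.9
2024-01-15T09:46:00 sshd ACCEPTED user=dave src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def correlate(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: alert} for every source with >= threshold FAILED events
    inside a sliding window of length `window`.  Each alert records the
    number of failures in the triggering burst, the distinct accounts tried,
    and whether an ACCEPTED event from the same source followed the burst."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "FAILED"]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                burst_end = burst[-1]["ts"]
                success_after = any(
                    e["result"] == "ACCEPTED" and e["ts"] >= burst_end for e in evs
                )
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "followed_by_success": success_after,
                }
                break  # one alert per source is enough for this demo
    return alerts


if __name__ == "__main__":
    for src, alert in correlate(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

The sliding window is what separates a real burst from ordinary mistyped passwords spread over an hour; the "followed by success" flag is the correlation that turns a noisy count into an incident worth the Data Security Coordinator's attention.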
DAILY OPERATIONAL PROTOCOL
This protocol is to ensure that risks to any computer system that processes or stores information are minimized.
Record keeping protocol
All papers containing the personal information of clients, employees or any other personnel shall be stored in a locking cabinet. Only department heads and the Data Security Coordinator will be assigned keys to the file cabinets, and only those individuals are allowed access to the paper files.
All employees are prohibited from keeping unsecured paper files containing information.
At the end of each day, all files containing personal information are to be returned to the locked filing cabinet by the Data Security Coordinator.
The following employees are authorized to access, and to assign to other employees, files containing personal information:
Employee Name Department
Electronic records containing personal information shall not be stored on or transported by any portable electronic device, nor sent or transmitted electronically.
The Data Security Coordinator shall develop departmental rules that place reasonable restrictions on access to and handling of files containing personal information.
The global use of social media and the risks it introduces to the enterprise is the most overlooked factor in any information security team's overall security posture. It is understandable why it is overlooked: security teams lack visibility into and control over social media. However, that does not mean it is not exposing the business; it leaves companies in fear of cyber crime and hacking, and it has put employees and customers at major cyber risk. Many employees have thereby turned into real threats from the inside.
Every single social media account associated with your employees (the average working-age American has around three) is a vulnerability of the most dangerous kind. This should not be accepted by any company. The main objective of the group formed here is to evaluate all of these risks and find a long-term solution to them. Good luck finding a patch to fix it. This is the new soft underbelly of the organization; this is the new most critical attack surface. Including social media risk exposure when evaluating the security posture is a necessity in this ever-connected era.
Access control protocol
All computers that have been inactive for 5 or more minutes shall require re-login. After 5 unsuccessful log-in attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are re-established by the Data Security Coordinator or his/her designee.
Access to electronically stored records containing personal information shall be electronically limited to those employees having an authorized and unique login ID assigned by the Data Security Coordinator.
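The two numeric rules above (re-login after 5 minutes of inactivity, block after 5 failed attempts until the Data Security Coordinator resets the ID) are concrete enough to be written as an enforcement check. The following is an added example, not code from the plan or from any product: a small access controller that tracks each user ID, applies both rules, and exposes a separate reset operation reserved for the coordinator. The user ID and password are constructed; a real system would store password hashes rather than the plain values used here, and the clock is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Toy enforcement of the plan's access-control rules: idle re-login after
5 minutes, lockout after 5 failed logins, reset only by the coordinator."""
import hmac
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)   # re-login required after 5 min of inactivity
MAX_FAILED_ATTEMPTS = 5               # user ID blocked after 5 unsuccessful attempts


class AccountState:
    def __init__(self):
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None  # None: no active session


class AccessController:
    """`credentials` maps user ID -> expected secret (constructed sample only;
    a production system would store and compare password hashes)."""

    def __init__(self, credentials):
        self._credentials = dict(credentials)
        self._accounts = {uid: AccountState() for uid in self._credentials}

    def login(self, user_id, password, now):
        acct = self._accounts.get(user_id)
        if acct is None:
            # Same answer as a wrong password so the response does not reveal
            # which user IDs exist.
            return "failed"
        if acct.locked:
            return "locked"  # stays locked until the coordinator resets it
        if hmac.compare_digest(self._credentials[user_id], password):
            acct.failed_attempts = 0
            acct.last_activity = now
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            acct.last_activity = None
            return "locked"
        return "failed"

    def access(self, user_id, now):
        """Called on every computer/file access; enforces the idle timeout and
        refreshes the activity timestamp when access is allowed."""
        acct = self._accounts.get(user_id)
        if acct is None or acct.locked or acct.last_activity is None:
            return "login_required"
        if now - acct.last_activity >= IDLE_TIMEOUT:
            acct.last_activity = None
            return "login_required"
        acct.last_activity = now
        return "allowed"

    def coordinator_reset(self, user_id):
        """Re-establishes privileges for a blocked ID.  In a real deployment this
        entry point would itself be restricted to the Data Security Coordinator
        or designee; here it is just a method call."""
        acct = self._accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0


def walkthrough():
    """Drive the controller through both rules and return the observed results."""
    ctl = AccessController({"jdoe": "correct-horse-battery"})
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    out = []
    out.append(ctl.login("jdoe", "correct-horse-battery", t0))          # ok
    out.append(ctl.access("jdoe", t0 + timedelta(minutes=4)))           # allowed
    out.append(ctl.access("jdoe", t0 + timedelta(minutes=9)))           # login_required (5 min idle)
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append(ctl.login("jdoe", "wrong", t0 + timedelta(minutes=10)))
    out.append(ctl.login("jdoe", "correct-horse-battery", t0 + timedelta(minutes=11)))  # locked
    ctl.coordinator_reset("jdoe")
    out.append(ctl.login("jdoe", "correct-horse-battery", t0 + timedelta(minutes=12)))  # ok
    return out


if __name__ == "__main__":
    print(walkthrough())
```

Two details matter for the rules as written: the idle check uses "5 or more minutes" (a `>=` comparison), and a correct password while the ID is locked still returns `locked`, since the plan makes re-establishment of privileges a coordinator action rather than something the user can do by eventually guessing right.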
Where practical, all visitors who are expected to access areas other than common retail space, or who are granted access to office space containing personal information, should be required to sign in with a photo ID at a designated reception area, where they will be assigned a visitor's ID or guest badge unless escorted at all times. Visitors are required to wear the visitor ID in a plainly visible location on their body unless escorted at all times.
Where practical, all visitors are restricted from areas where files containing personal information
All computers with an internet connection shall have an up-to-date version of anti-virus, anti-spyware and anti-malware software installed and active at all times.
Network tools to be deployed.
A network management system (NMS) refers to a toolset on a server that monitors each device on a network and reports the information about those devices to an IT administrator.
Ping refers to a network utility, available on most computers, that sends messages between two hosts to check that the remote host is reachable.
PRTG Network Monitor is a tool that monitors system availability using a variety of methods, from a simple ping to the SNMP and WMI protocols, to specific checks such as HTTP, DNS and Remote Desktop availability, using various sensors.
In conclusion, IT threats keep becoming more dangerous, the number of hackers is increasing in every part of the globe, companies are experiencing hardship in maintaining their systems as the challenges grow more complex, and the cost of a security failure keeps rising to costly figures. This has left businesses struggling to protect their enterprise networks against these threats. That is why this group has proposed the rules, steps and overall plan above, to be adhered to in order to avoid the risks and persistent threats that come with network management.