Safety Improvements Policy
The backbone of any information security program is the security policy of the organization. In this assignment, you will review what you have learned in this course and make recommendations on how the organization in the scenario below can improve its security policy and incorporate routine penetration testing into its information security system.
The X Corporation is a mid-level retailer that sells many different types of goods from household items to clothing to electronic devices. The X Corporation accepts major credit cards for payment in its stores and for online purchases. The X Corporation has had a rash of issues with viruses on its network, data leakage of customer identity data, and a host of application issues. These attacks have more than likely contributed to a recent 30% drop in sales. The X Corporation currently does not perform any regular penetration tests and it was recently discovered that the antivirus software was not updated. This organization needs to incorporate more routine monitoring and penetration testing to improve its security policy, prevent future attacks, improve sales, and restore customer trust.
Review the information on penetration testing and security from your readings throughout the course.
Research company security policies. Be sure to use scholarly resources.
Using scholarly resources as well as what you have learned in this course, write a 3-to 4-page report outlining your suggestions for X Corporation, including the following:
Recommendations for a stronger, functional security policy, including your suggestions for implementation.
Suggestions for routine monitoring and testing (including penetration tests required based on recent security issues), in order to prevent future attacks.
Safety Improvements Policy
The information security policy of an organization ensures that all users of its information technology infrastructure comply with the rules and guidelines governing the security of the stored information. Technological evolution has greatly expanded the sharing of information. Today, the exchange of information is approximately a trillion bytes in each millisecond. However, some data must be kept confined, both to control sharing and to protect intellectual property. To that extent, the information security policy establishes the protective measures for the organization and limits the distribution of data that is not meant to be in the public domain. A progressive information security policy protects the data and incorporates measures to monitor the safeguards of the system.
All organizations need to protect their data and account for its distribution. The dissemination of data can take place within or outside the boundaries of the entity. One measure for protecting information sent out is to encrypt it and to authorize third-party distributions (Safa, Von Solms, & Furnell, 2016). Additionally, the company can enforce restrictions on distribution by setting up a reference classification system that guides the sharing of information with different outside parties. Penetration testing can also be a mandatory obligation in the information security policy. For instance, X Corporation can set a policy that a penetration test is required every three months.
In penetration testing, cyber security experts attempt to discover vulnerable points in the computer system. The simulated attack analyses the system defenses for any areas of weakness that an attacker might find (Flowerday & Tuyikeze, 2016). Ideally, an individual without prior information or knowledge about the system performs the test, so that the tester can reveal some of the blind spots left by the developers. Penetration-testing contractors are commonly known as ethical hackers, and many of them hold certifications and advanced degree qualifications in the practice. The first phase of ethical hacking is reconnaissance of the system, in which the professionals gather as much information as they can about it. The focus then shifts to gaining access to the system and maintaining that access.
After completing the tests, the ethical hackers share their findings with the information security team of the organization. The results of the testing inform the security system upgrades and guide the formulation of better information security policies in the organization (Shi, Qin, Cheng, & Zhu, 2019). Effective policies, coupled with the right steps to ensure compliance, are essential to the prevention and mitigation of security breaches (Satria, Alanda, Erianda, & Prayama, 2018). The effectiveness of the policies also depends on regular updates in response to changes and new threats. The policy should be enforceable and practical for the users. Further, a strong information security policy has measures to accommodate urgent needs arising from distinct segments of the organization.
The security policy is better when it is broad, because it relates to the many aspects of the organization. The policy guides the conduct of the management and the staff members with respect to the digital security of the organization. Because the information security environment changes every day, the policy should be flexible and adaptable. The policy should also inform the monitoring and assessment programs. For instance, the management should have the obligation of authorizing penetration tests at set intervals. The expertise of the penetration testers can guide the organization on how to protect its data and systems in a better way. The best form of defense in information security is awareness and anticipation.
References
Flowerday, S. V., & Tuyikeze, T. (2016). Information security policy development and implementation: The what, how and who. Computers & Security, 61, 169-183.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.
Satria, D., Alanda, A., Erianda, A., & Prayama, D. (2018). Network Security Assessment Using Internal Network Penetration Testing Methodology. JOIV: International Journal on Informatics Visualization, 2(4-2), 360-365.
Shi, P., Qin, F., Cheng, R., & Zhu, K. (2019, July). The Penetration Testing Framework for Large-Scale Network Based on Network Fingerprint. In 2019 International Conference on Communications, Information System and Computer Engineering (CISCE) (pp. 378-381). IEEE.