
Running head: creating and communicating a security strategy.

Your name

Instructor

Course

Date

Memorandum.

TO: All employees.

FROM: Wiz Japhe, IT network security analyst.

CC: Technical team coordinator.

DATE: 25/10/2018

SUBJECT: Java (TRM Mall) IT security strategy.

Retailers are entering a new era in which social media, multi-channel shopping and payment technologies are transforming the industry (Bayuk, 2012). Java is a retail shop within TRM Mall. The business has several computers assigned to designated workers, and to improve customer service it uses a networked point-of-sale (POS) system. Each employee has an account: an identity in the form of an employee number, and a password that is specific to that user. When a new employee is admitted, the technical assistance team creates the account; on the employee's first interaction with the system, the system requires them to change the password before the account is fully activated. The business also offers paid delivery services.

Sales are made on four computers at the point of sale. Employees take turns on them, and whenever they want to make a sale they must first log in to their own account. After a successful log-in, the employee scans the product code; the system recognises the code and assigns the product's price. The customer then provides a means of payment, the supported means being cash, mobile money transfer or payment cards. If the products exceed the customer's budget, they have to be returned to the shelves, but before they are reshelved the chief accountant must verify the cancelled sale. Because employees work in shifts, they may use any of the systems when on duty. The system is distributed, and administrative actions and network administration are carried out by the technical team.

Because the system is distributed and uses a networked database that is updated from the user accounts, it carries vulnerabilities. Accepting mobile money transfer and card payments exposes the business to counterfeit credit cards and fake mobile payment codes. The point of sale is further exposed by the growing marketplace for stolen cards, the lack of encryption at the point of sale, software vulnerabilities, and systems susceptible to malicious code. Because the computers are used under different accounts across shifts, a user account left active by one employee might be misused by a colleague, and shared passwords might result in illegitimate log-ins and transactions. The business also uses a network shared with other businesses in the mall, which exposes the system to attacks from inside the network by individuals who are not part of the business. Since most of these issues can be managed, creating awareness is the basis for closing the vulnerabilities. These problems have resulted in customer disappointment and, together with customer mobility and digital influence, have eroded local loyalty. Addressing them is made simpler by the security policies that follow.

Security policy.

P1/018: Training. In the security chain, people are identified as the weakest link. All new employees must undergo training on admission so that they are informed of the security measures and precautions, this being a networked system that is susceptible to internal attacks. Every employee must complete information security training, with the support of management, before starting their duties within the organization.
P2/018: Password management. After admission, each employee must change the account's default password to a password of their own choice. Passwords expire every 3 months, and a password that is the same as or similar to the previous one will not be accepted on renewal. If a user forgets their password, it is the technical team's responsibility to reset it on presentation of a duly completed application form validated by the clerk's signature. Any issues should be addressed to the technical team, and each user is held liable for all activity on their account unless otherwise established.

P3/018: Intrusion detection system. Because of the flaws that exist in the point-of-sale system, the business must install an intrusion detection system (IDS). The IDS must be able to detect irregular patterns of activity and traffic from the addresses of systems that have previously been marked as suspicious. Such detection shall raise an alert and enable the technical team to block the suspicious system before it can attack. Any malicious activity detected must be handled by the designated technician and reported to the director.

P4/018: Firewall. The business network and the POS computers must be protected by a firewall, which will block unauthorized intrusion into the system. It is the technical team's responsibility to install the firewall, keep it updated and ensure that it is in a healthy working state. Any malicious activity detected by the firewall must be reported immediately; the technical assistance team is responsible for addressing it and shall be liable for issues that arise from neglect. Each member of staff must check that their system has a firewall installed.

P5/018: Password policy. Sharing of passwords among staff is NOT allowed. Each member of staff is allocated a user account, and under no circumstances should a member of staff ask to use another person's account unless authorized by management. The account holder will be held liable for any issues that arise from the account. Remember that you must log out when handing over at a shift change; any negligence that results in the compromise of a personal account shall be attributed to the account holder, who will be held responsible for that activity.

P6/018: Software installation. Staff are not permitted to install software; installation is restricted to the technical team and to technical team accounts. A technical assistant who misuses this privilege shall be held responsible.

Standards.

Password characteristics: to be accepted, a password must contain numerals, at least one symbol, letters and at least one capital letter. This strengthens the password and reduces the risk of the user account being compromised. A password that lacks any of these characteristics shall not be accepted (정익재, 2011).

Information security standards: the systems must meet all applicable information security standards, including the use of passwords to keep user accounts secure.

Network administration: to reduce the chance of attack, the network must be protected by a firewall and an intrusion detection system, which detect malicious activity on the network and alert the technical team, who shall respond accordingly (Robertson, 2012).

Firewalls: every system must have a firewall and up-to-date antivirus software before it is put into service. This ensures that the system is protected at all times.

Practices.

Passwords: every employee must secure their account with a password that meets the organization's standard, to protect their personal account. Passwords expire every 3 months, at which point the system requires the user to set a new one.
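The password rules in P2/018 and in the Standards and Practices sections above (default password that must be changed on first log-in, the four character classes, expiry after 3 months, no reuse on renewal), as an added worked example; this is not code from the memo or from Java's own POS system. The 90-day reading of "3 months", the history of 5 remembered passwords, the minimum length of 8 characters, the employee number 1042 and the passwords in the scenario are all assumptions for the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Rotation period from P2/018 ("expire after every 3 months"); 90 days is
# this example's reading of "3 months".
MAX_AGE = timedelta(days=90)
# Assumptions not stated in the memo: how many old passwords are remembered
# for the no-reuse rule, and a minimum length.
HISTORY_DEPTH = 5
MIN_LENGTH = 8
# The memo's date, used as the clock for the worked scenario below.
MEMO_DATE = datetime(2018, 10, 25)


def complexity_errors(password: str) -> list:
    """Return the rules of the password standard that the password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        errors.append("no symbol")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the stored history reveals nothing about old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str                                   # the employee's ID number
    history: list = field(default_factory=list)    # (salt, digest), newest first
    set_at: datetime = MEMO_DATE                   # when the current password was set
    must_change: bool = True                       # true until the default is replaced


def create_account(user_id: str, default_password: str, now: datetime) -> Account:
    """Technical team creates the account; the default must be changed at first log-in."""
    salt = os.urandom(16)
    return Account(user_id, [(salt, _digest(default_password, salt))], now, True)


def set_password(account: Account, new_password: str, now: datetime) -> list:
    """Apply the complexity and no-reuse rules; return the violations (empty on success)."""
    errors = complexity_errors(new_password)
    if any(hmac.compare_digest(_digest(new_password, salt), old)
           for salt, old in account.history):
        errors.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt)))
    del account.history[HISTORY_DEPTH:]          # keep only the remembered ones
    account.set_at = now
    account.must_change = False
    return []


def login_status(account: Account, password: str, now: datetime) -> str:
    """'ok', 'bad-password', 'change-required' (default still in use) or 'expired'."""
    salt, current = account.history[0]
    if not hmac.compare_digest(_digest(password, salt), current):
        return "bad-password"
    if account.must_change:
        return "change-required"
    if now - account.set_at > MAX_AGE:
        return "expired"
    return "ok"


def demo() -> list:
    """Walk one (constructed) employee through admission, renewal and expiry."""
    acct = create_account("1042", "Welcome#2018", MEMO_DATE)
    steps = [login_status(acct, "Welcome#2018", MEMO_DATE)]        # change-required
    steps.append(set_password(acct, "Welcome#2018", MEMO_DATE))    # reuse rejected
    steps.append(set_password(acct, "summer2018", MEMO_DATE))      # complexity rejected
    steps.append(set_password(acct, "Till4-Shift!", MEMO_DATE))    # accepted
    steps.append(login_status(acct, "Till4-Shift!", MEMO_DATE + timedelta(days=89)))  # ok
    steps.append(login_status(acct, "Till4-Shift!", MEMO_DATE + timedelta(days=91)))  # expired
    steps.append(login_status(acct, "Till4-Shift", MEMO_DATE))     # bad-password
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The no-reuse check compares the candidate against the stored salted digests rather than against plaintext, so the history can be kept without ever storing an old password; the time-constant comparison avoids leaking which stored digest matched.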

Network management: only devices on an allowed list may connect to the network; the technical team admits devices on the basis of their addresses. This reduces the chance of unauthorized intrusion into the system.
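The allowed-device list above and the IDS rule in P3/018 (alert on addresses already marked as suspicious and on irregular patterns), as an added example that is not part of the memo: a small detector run over constructed connection records. The MAC and IP addresses, the marked address, the record format and the port-scan threshold are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed allowlist (Practices, "Network management"): MAC address -> device.
ALLOWED_DEVICES = {
    "00:1a:2b:3c:4d:01": "POS-1",
    "00:1a:2b:3c:4d:02": "POS-2",
    "00:1a:2b:3c:4d:03": "POS-3",
    "00:1a:2b:3c:4d:04": "POS-4",
    "00:1a:2b:3c:4d:10": "TECH-WS",
}
# Constructed list of addresses previously marked as suspicious (P3/018).
MARKED_ADDRESSES = {"10.0.5.77"}
# Assumption: one source touching more than this many distinct ports in a
# window is the "irregular pattern" the memo asks the IDS to detect (a scan).
SCAN_PORT_THRESHOLD = 5

# Assumed record format: "<hh:mm:ss> src=<ip> mac=<mac> dst=<ip>:<port>".
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) src=(?P<src>[\d.]+) mac=(?P<mac>[0-9a-f:]{17}) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample: three tills, one marked address from another tenant,
# one unknown device sweeping ports on the (assumed) POS database host.
SAMPLE_LOG = """\
09:00:01 src=10.0.1.21 mac=00:1a:2b:3c:4d:01 dst=10.0.1.10:5432
09:00:03 src=10.0.1.22 mac=00:1a:2b:3c:4d:02 dst=10.0.1.10:5432
09:00:07 src=10.0.5.77 mac=a4:5e:60:11:22:33 dst=10.0.1.10:5432
09:00:09 src=10.0.9.140 mac=dc:a6:32:aa:bb:cc dst=10.0.1.10:22
09:00:09 src=10.0.9.140 mac=dc:a6:32:aa:bb:cc dst=10.0.1.10:80
09:00:10 src=10.0.9.140 mac=dc:a6:32:aa:bb:cc dst=10.0.1.10:443
09:00:10 src=10.0.9.140 mac=dc:a6:32:aa:bb:cc dst=10.0.1.10:445
09:00:11 src=10.0.9.140 mac=dc:a6:32:aa:bb:cc dst=10.0.1.10:3389
09:00:11 src=10.0.9.140 mac=dc:a6:32:aa:bb:cc dst=10.0.1.10:5432
09:00:15 src=10.0.1.23 mac=00:1a:2b:3c:4d:03 dst=10.0.1.10:5432
this line is malformed and must be skipped, not crash the detector
"""


def parse_line(line: str):
    """Return the record fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text: str) -> dict:
    """Return {source IP: sorted alert names} for every source that triggered an alert."""
    ports_seen = defaultdict(set)
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed input is skipped, never trusted
        src = rec["src"]
        if rec["mac"] not in ALLOWED_DEVICES:
            alerts[src].add("unknown-device")      # not on the allowed-device list
        if src in MARKED_ADDRESSES:
            alerts[src].add("marked-address")      # previously marked as suspicious
        ports_seen[src].add(int(rec["port"]))
        if len(ports_seen[src]) > SCAN_PORT_THRESHOLD:
            alerts[src].add("port-scan")           # irregular pattern
    return {src: sorted(names) for src, names in alerts.items()}


def addresses_to_block(alerts: dict) -> list:
    """Sources the technical team should block: marked addresses and scanners."""
    return sorted(src for src, names in alerts.items()
                  if "marked-address" in names or "port-scan" in names)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for src, names in found.items():
        print(src, ", ".join(names))
    print("block:", addresses_to_block(found))
```

The allowed-device check is deliberately separate from the alert that leads to blocking: an unknown MAC on the shared mall network is worth an alert, but on its own it is only a policy violation, whereas a marked address or a scan is the activity the memo wants blocked and reported.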

Software updates: antivirus programs and firewalls must be updated at least once a month so that the systems meet the basic information security requirements. The technical staff shall verify that all these systems are updated, and the IDS must be updated regularly to remain effective.

Installation of software: only software that has been scanned shall be installed on the systems. This reduces the chance of installing malicious software, such as keyloggers, that could compromise user information (Booth, 2015).

I expect the cooperation of staff and management in adhering to these policies, standards and practices.

Thank you.

References
Bayuk, J. (2012). Cyber security policy guidebook. Hoboken, NJ: Wiley.

Booth, D. (2015). Information security management: Policies and standards. Engineering & Technology Reference. doi:10.1049/etr.2015.0082

Robertson, R. (2012). Security auditing: The need for policies and practices. Journal of Information Privacy and Security, 8(1), 30-37. doi:10.1080/15536548.2012.11082760

정익재. (2011). Information security as policy responses to manage uncertainty in information society. Public Policy Review, 25(4), 55-76. doi:10.17327/ippa.2011.25.4.003
