Nop Thay Trung


II. Define a problem that needs to be solved by an Information System, which involves developing a plan for the Information System.
1. Define outcome
The vast majority of information systems store, process, or transmit sensitive data, whether it is proprietary information or client payment data.
Because this information is valuable, it is often threatened by malicious attacks such as social engineering, phishing, or network traffic capture. In addition to direct attacks, there are also accidental breaches caused by employees.
Keeping private information confidential is not only good business practice; in many cases it is legally required. Laws and standards such as HIPAA and PCI regulate how organizations manage their security, and failure to comply can result in significant penalties.
There are dozens of countermeasures that organizations enact within their IT security program plan to ensure confidentiality, such as:
- Passwords
- Authentication procedures
- Access control lists
- Software controls
- IT policies
- Employee training
Confidentiality is about making sure that data, objects, and resources are secured in such a way that only authorized users can view them and gain access.
However, to do the work of securing the systems and information of customers and the company, the company needs teams that are trained, that have invested in expertise and techniques, and that have infrastructure strong enough to deal with and overcome the consequences of cyber attacks. This helps protect the company's important business information, the privacy of customers when shopping at Shopee, the accuracy of its data, and the future direction of the company.

2. Team roles and responsibilities

2.1 Director of Information Security
Responsible for ensuring the security of the various parts of the company's internal network.
Ensures that employees, operational processes, data, and activities related to security and company information are protected from threats, and prevents the occurrence and recurrence of security incidents like those that have happened in the past.
Manages the process of monitoring security activities and checking for security holes.
Actively searches for those who are intending to attack the information system.
Reports suspicious and unauthorized cases to company leaders and proposes solutions.
Ensures the troubleshooting process after an incident, restoring the company's assets, information, and databases as soon as possible after cybercriminals' attacks.
Manages human resources and company assets, measures performance and work progress, and ensures that security procedures are completed and repairs are carried out according to the schedule and the company's activities.
2.2 Data Protection Officer (DPO)
Responsible for ensuring that the organization is GDPR compliant.
Provides advice and guidance to the organization and its employees regarding the requirements of GDPR.
Monitors team compliance.
Provides comments and advice on the organization's security and data protection activities.
Acts as the person who negotiates and cooperates with organizations, supervisory agencies, and administrative security bodies.
The DPO is responsible for performing data audits and for monitoring work and compliance with the rules.
2.3 Critical Incident Readiness Team (CIRT)
The CIRT is responsible for providing rapid, systematic, and coordinated early intervention in critical incidents. The CIRT works directly with the company's directors and management so that it can react quickly: propose solutions and implement them.
2.4 Foundation Support
Senior employees have a responsible role in promoting the work progress of security staff. They raise cross-cutting issues that need to be addressed in system security work, provide technical and professional support, and request that superiors provide resources, hardware, and machines to support information security work as planned by the organization.
2.5 Admin Support
Support for security at the management level is essential. Management staff will invest in expertise and equipment, ensuring management, security, and quick response to network problems and network attacks in their many forms.
The team must ensure the investment in hardware equipment for the technical staff. The investment will come from the finance department when approved by the company's management.
2.6 Confidentiality should be a joint effort between decision makers, technical staff, and all other employees.
While tech support staff may best understand the ramifications of certain technology initiatives, only users have the opportunity to follow policies and only managers have the power to enforce them; policies that are neither implemented nor enforced are worthless. True security requires clear, strong support from senior management as a team, as well as individual accountability and exemplary behavior from individual managers. If management ignores or avoids security procedures, others will do the same.
3. Find solutions
Estimate the extent of damage and delegate appropriate authority according to a specific table of cases and problems that may occur with the information system. From there, give appropriate solutions to promptly resolve problems and overcome the damage and losses that the company has to bear.

Severity level: Low / Moderate / High

Security (confidentiality)
- Low: Revealing the categories, the number of stores operating, and the number of consumers using Shopee to shop. Leaking minor information about customers and companies.
- Moderate: Disclosure of users' e-mails and accounts, and of other information that affects the customer's life and work, such as email, phone number, job information, bank account number, customer address, other relationships, and so on. Revealing the emails of stores doing business on Shopee, information about potential customers, sources of goods, account numbers, agreements with suppliers, potential products, product information, and the orientation of future business expansion and development.
- High: Disclosure of profiles, financial information, the business orientation of the company, business relationships, and equipment supply relationships with Shopee. Theft of the information collected about potential customers, stores, and business items. Destroying or encrypting the company's database, causing great loss to the operation of the company's system and business processes.

Data integrity
- Low: Modifying customer information makes it difficult to ship goods and confirm payments, and corrupts the system's data. Modifying store information and business items confuses customers and corrupts the system's data.
- Moderate: Modifying the website interface makes it impossible for users to use the website as they want, seriously affecting the shopping for and browsing of Shopee's products and services. Changing data in the management system causes the website to become unresponsive to some users. The site manager can still take control.
- High: Serious modifications to the interface: malicious changes that affect the legality and reputation of the company, create bad reviews from cooperating businesses and customers, and leave the data on the interface completely corrupted, misleading, or inconsistent with the company's purpose. Company data: all business data, customer information, and cooperating businesses' information is encrypted. The company is seriously affected in terms of data integrity, causing heavy damage to the company and its cooperating companies.

Availability
- Low: Attacks on servers containing linked websites and attacks on network environment controllers. These cause delays, affecting the shopping and working experience of employees and customers.
- Moderate: Attacks on the servers that manage user information systems and cooperating stores' information. These cause delays and loss of data, affecting the shopping and working experience of employees and customers.
- High: Attacks on routers and the systems that keep the website running. The company's website is no longer available; technical staff and users cannot access the website, causing damage and serious loss to the company.

Unauthorized use
- Low: Using the accounts of company employees to infiltrate the inside of the company and attack or destroy company information. The manager is still in control and can remove or repair the compromised accounts.
- Moderate: Gaining access to a computer using available attack tools, then using the computer to obtain a password on the network, infiltrate the company's internal data, and affect control of the system, reducing customers' trust in Shopee.
- High: Gaining access to a computer using hacking tools, then using the computer as a platform to launch an attack that severely compromises the company's systems: business websites and cooperating businesses are hacked, company data and business information are encrypted, and information about cooperation between businesses, business planning, and company development is stolen.

4. Find the right solution

4.1 Multi-Factor Authentication (MFA)
The identity management platforms for employees and customers using Shopee can be deployed on many platforms, applying multi-factor authentication (MFA). The login page will be authenticated by several factors; customers can use a second device to log in by methods such as scanning a QR code or receiving a login PIN code sent to the customer's email or phone number.
MFA provides another line of defense against cyber attacks, from those who want to break into the system, steal customer information, or destroy information and business data.
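An added example (not part of the original plan) of how the e-mailed or SMS login PIN described above can be handled on the server side: the PIN is random, stored only as a salted hash, expires after five minutes, allows a limited number of attempts, and is accepted once. The in-memory store, the record layout, the user name and the time-outs are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values for the illustration.
PIN_LENGTH = 6
PIN_TTL_SECONDS = 300   # a PIN sent by e-mail or SMS should expire quickly
MAX_ATTEMPTS = 5        # six digits allow 10^6 guesses, so cap the attempts


@dataclass
class PinRecord:
    """What the server keeps per pending login: never the PIN itself."""
    digest: bytes       # salted hash of the PIN
    salt: bytes
    expires_at: float   # Unix time after which the PIN is rejected
    attempts: int = 0   # wrong guesses so far
    used: bool = False  # a PIN is accepted at most once


def _digest(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode("utf-8")).digest()


def issue_pin(store: dict, user: str, now: float) -> str:
    """Create a fresh PIN for the user; the caller delivers it by e-mail or SMS.

    Re-issuing replaces any earlier PIN, so only the latest one is valid.
    """
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
    salt = secrets.token_bytes(16)
    store[user] = PinRecord(_digest(pin, salt), salt, now + PIN_TTL_SECONDS)
    return pin


def verify_pin(store: dict, user: str, submitted: str, now: float) -> bool:
    """Second-factor check, run after the password has already been verified."""
    rec = store.get(user)
    if rec is None or rec.used or now > rec.expires_at:
        return False
    if rec.attempts >= MAX_ATTEMPTS:
        return False        # locked: the customer must request a new PIN
    rec.attempts += 1
    # Constant-time comparison so response timing does not leak matching prefixes.
    if hmac.compare_digest(_digest(submitted, rec.salt), rec.digest):
        rec.used = True
        return True
    return False


if __name__ == "__main__":
    store = {}
    user = "customer@example.com"   # constructed user for the demonstration
    pin = issue_pin(store, user, now=1000.0)
    print("wrong PIN accepted:", verify_pin(store, user, "000000", 1001.0))
    print("right PIN accepted:", verify_pin(store, user, pin, 1002.0))
    print("replayed PIN accepted:", verify_pin(store, user, pin, 1003.0))
```

In production the store would be a database or cache shared by all login servers, and the PIN would be sent over the channel the customer registered, never returned to the browser.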
4.2 Endpoint system
To help protect endpoints and the data on them, the following best practices should be followed. Even so, following these best practices does not guarantee complete data protection. Any data containing personally identifiable information should not be stored locally.
Endpoint security:
- Do not store personally identifiable information on the device.
- Only use encrypted cloud storage locations with auditing enabled.
- Use only local file servers that have been identified as GDPR compliant.
- Use full disk encryption on the device (including any attached media):
  - Microsoft BitLocker Administration and Monitoring for Windows devices
  - FileVault / Jamf Pro for Macintosh devices
  - LUKS for Linux
- Join desktops/laptops to IASTATE:
  - Inventory / audit
  - Apply Group Policy (GPO) settings
  - Manage user/workstation objects
- Manage and monitor devices using enterprise services:
  - System Center Configuration Manager (SCCM) and Intune for Windows and Android devices
  - Jamf Pro (Casper) for Macintosh and iOS devices
  - Satellite for Red Hat Enterprise Linux
- Make sure the software is up to date as recommended by the manufacturer:
  - Windows Server Update Services (WSUS)
  - Update Apple software
  - Update printer firmware
- Assign users the least privileged access.
- Enable the firewall.
- Use anti-virus/anti-malware software with centralized management and monitoring.
- Clean data on disposal (computers and printers have memory):
  - Physical destruction of the storage device
  - Secure erasure of the storage device
- Set a password on, and encrypt, mobile devices.
4.3 Guidelines for strong passwords
Passwords are one of the factors of computer security. A combination of the following methods can help increase password security:
- Make passwords hard to guess
- Complexity adds strength
- Prefer long passwords to short ones
- Use different passwords for different accounts
- Change your password periodically
4.4 Remote Access and Virtual Private Networks (VPNs)
For all remote access, employees should use a VPN.
During the Covid epidemic, the work-from-home model became a trend that companies like Shopee and other technology and business companies are building on. When working from home, technical staff may use their personal internet connection to query data from the company. This increases the risk that someone takes advantage of it to capture packets containing important company data. The solution is a VPN that provides remote access to services while providing a safe, secure login to the corporate intranet.
4.5 Web Standards and Best Practices
Units in the group create websites and management applications that comply with web standards.
To comply with web standards, websites and applications must have valid HTML, CSS, and JavaScript. They must also meet accessibility standards. Full compliance also includes valid RSS, metadata, XML, SVG, and device APIs, as well as object and script embedding and proper settings for character encoding. Websites also need to be optimized for size and download speed.
5. Choosing the right vendor
There are many companies that provide security products and services for IT environments. Choosing the right security vendor is key to the success of an organization-wide cybersecurity deployment.
The essentials of a security provider:
- The supplier clearly understands the risks that organizations face from attacks and security incidents.
- The provider has security experts to ensure safety against cybercriminal attacks.
- The vendor dispatches specialists as needed to address specific issues that cannot be resolved by corporate security personnel.
- The vendor uses proven technologies that work well in an IT environment.
- The provider has the technology to deal with threats in the IT environment.
- The vendor modifies and adapts technologies to deal with evolving threats and challenges in the deploying company's new environment.
- The supplier has a proven track record of working with and developing new technologies to cope with the evolving technology landscape.
- The supplier is willing to help companies make technical transitions.
- The provider will be around for the next 5 to 10 years to ensure long-term support.
Choosing the right vendor is critical to enterprise cybersecurity enforcement. In doing so, however, organizations need to keep in mind that in the long run, security is not just a product, it is a process. Therefore, it is important for organizations to choose a security vendor that has a comprehensive understanding of the content and landscape of cybersecurity as it applies to IT, and of the technologies necessary to address the challenges of business implementation.
6. Estimate implementation and operating cost
6.1 Guide to network security costs
The wide range between lower and higher network security costs corresponds to the wide range of solutions available. Systems like business VPNs and email security solutions can help protect a business from specific types of threats (such as phishing schemes) on a smaller scale. At a larger scale, businesses should deploy a security system with attached security services to ensure system safety.
Higher-priced systems are typically full-featured network monitoring solutions with advanced security event logging and detection capabilities. They can help protect an organization from large-scale attacks on the enterprise network and, sometimes, predict intrusions before they happen.
6.2 Pricing Model: Per License
Licensing fees have the widest range of costs, often due to the scope of the program. For example, for a basic email security program, the average cost is about $30 per license.
Overall, the average cost per license for a year is $1,000–$2,000.
Price range: $26–$6,000 per license
6.3 Pricing Model: Per User
The user mentioned in this pricing scenario typically refers to anyone who uses software to monitor and secure a network.
Regardless, the average cost of systems with this pricing model is $37 per user, per month.
Price range: $4–$130 per user, per month
Pricing Model: Per Endpoint or Device
In a network, a device and an endpoint can refer to the same thing (a laptop can be both an endpoint and a device). However, an endpoint can also refer to a server or modem, which is beyond most people's definition of a device.
Fortunately, most sites will define their terms or minimize the cost of monitoring a server compared to, say, securing a workstation. To avoid unexpected charges, be sure to ask what the company means by endpoint or device if both are not clearly defined.
The average cost of systems with this pricing model is around $2.25 per device or endpoint.
Price range: $0.96–$4.50 per endpoint, per month
6.4 Pricing Model: Tiered Bundle
A tiered plan charges based on specific included features. Lower-cost plans typically include only basic or essential features, and costs increase as more features are added or as features become more advanced.
Tiered packages often take into account the number of users on your network or the number of members of your network team, but primarily with the view that as your company grows in size, you will need access to more advanced security monitoring tools.
The average cost of these types of systems is around $500 per month for basic plans that meet the needs of smaller teams.
Price range: $20–$2,000 per month
6.5 The role of security investments and corporate losses after a cyber attack
A successful cyberattack costs the average small business around $90,000. That does not count the cost to an organization's reputation as customers lose confidence in its ability to protect their data.
In fact, repairing the damage caused by a cyber attack takes so much time, effort, and money that most SMEs that fall prey to cybercriminals are out of business within six months.
7. Create an implementation plan
During this phase, we make sure the company has all the tools and resources it needs before an incident occurs.
Hosting companies play an important role in this phase by ensuring that systems, servers, and networks are secure enough. It is also important to make sure the web developer or engineering team is ready to handle security issues.
7.1 Detect & Analyze
There are many methods of attack, so be prepared to deal with any incident. After hundreds of thousands of responses, the security system narrows most infections down to vulnerable components installed on the site (mainly plugins), password compromise (weak or brute-forced passwords, etc.), and other components.
Depending on the problem and purpose, the detection phase can be complex. Cyber attackers may want to use resources or intercept sensitive information (credit cards, Shopee accounts, social media affiliate accounts, customer addresses, registered stores, partnering companies, and so on).
In cases where malicious code is pre-installed but not activated, mechanisms should be implemented to ensure the integrity of the system's file system.
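An added example (not from the original plan) of such a file system integrity mechanism: a SHA-256 baseline of the site's files is recorded while the site is known to be clean, and a later scan is compared against it to report added, removed and modified files, which is how dormant code dropped into a plugin directory becomes visible before it is activated. The site tree and the changes made to it are constructed inline for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash.

    Symlinks are skipped so a link pointing outside the tree is not hashed.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(trusted: dict, current: dict) -> dict:
    """Classify every difference between the trusted baseline and a fresh scan."""
    trusted_paths, current_paths = set(trusted), set(current)
    return {
        "added": sorted(current_paths - trusted_paths),
        "removed": sorted(trusted_paths - current_paths),
        "modified": sorted(p for p in trusted_paths & current_paths
                           if trusted[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a small site tree, a baseline, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "plugins" / "cart.php").write_text("<?php // cart plugin ?>\n")
        (root / "config.php").write_text("<?php $db = 'shop'; ?>\n")
        trusted = build_baseline(root)   # recorded while the site is known clean

        # Later: one plugin edited, an unknown file dropped in, config.php deleted.
        (root / "plugins" / "cart.php").write_text("<?php // cart plugin, edited ?>\n")
        (root / "plugins" / "dropped.php").write_text("<?php // unknown file ?>\n")
        (root / "config.php").unlink()

        return compare_baseline(trusted, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be kept where an intruder on the web host cannot rewrite it (off the server, or signed), since a baseline the intruder can update proves nothing.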
7.2 Contain, remove, and restore
For the “Prevention, Removal, and Recovery” phase, the process must adapt to the type of problem found on the site and to the predefined strategies based on the attack. This decision-making system and strategy is an important part of this phase. For example, if we identify a particular file as 100% malicious, action should be taken to remove it. If the file contains only a malicious piece of code, only that part should be deleted. Each scenario should have a specific process.
7.3 Post-incident activities
Work after network problems:
During this phase, the Incident Response Team must present a report detailing what happened, what actions were taken, and how effectively the intervention worked. The team needs to acknowledge the incident, learn from the experience, and take action to prevent similar problems in the future. These actions can be as simple as updating a component, changing a password, or adding a site firewall to prevent attacks at the edge.
Conduct a review of the actions that team members need to improve to further strengthen security. Make sure the development team can take those actions as quickly as possible.

Additional information security measures:
- Restrict global access to your site (or certain regions) through GET or POST methods to minimize exposure.
- Update folder and file permissions to make sure read/write access is set properly.
- Update or remove outdated software, themes, and plugins.
- Reset passwords with a strong password policy.
- Enable 2FA/MFA whenever possible to add an extra layer of authentication.
7.4 Recovery
Recovery planning will be in place once a complete review of all phases in the event of a failure has been carried out. Recovery also involves having a backup plan for situations where all previous stages have failed, such as in the event of a ransomware attack.
This process should also include scheduling time to talk with the security vendor about how to improve the weak areas. They are better equipped to provide insight into what can be done.
7.5 Have a communication strategy
If any data is at risk, notify your customers.
Offer simple workarounds that customers can apply temporarily while the technical team restores the system. Notify them of potential threats affecting the buying experience and of the risk of personal information leakage.
7.6 Data backup
If website functionality goes down, you need a way to recover your data quickly, and not just one way but at least two. It is essential to have a local backup of the entire application and an external backup that is not directly connected to the application, in the event of a hardware failure or attack.
8. Data protection requirements
Data is a valuable asset of an e-commerce company like Shopee, and some data must be protected with a greater degree of care and attention. The required level of protection is determined by the Data Classification Policy along with the Minimum Security Standard for Protected Data.
Physical security is key to secure and confidential computing. Back up data to a safe place in case of vandalism or theft of important data. Adequate measures are needed to ensure data protection, making it difficult for criminals to gain access to critical data, critical communications facilities, hardware/software, and other necessary means.
Training and raising security awareness
Resources for employee security training and awareness:

- IT security website
- IT policies and standards
- Training to improve the technical and professional skills of technical staff
- Negotiating with software, equipment, and security service providers
- Recruiting information security experts
Review and Amendment of the Information Security Plan
The Information Security Plan will be evaluated and adjusted to reflect changing circumstances, including changes in Shopee's business practices and operations.
