Assignment # 2: Analyze & Design Security Policies
Title Page .......... 1
Introduction .......... 2
INTRODUCTION
All companies with compliance obligations must have policies in place for every employee to follow. These policies are
essential to reduce the impact of cyber-attacks. It has long been said that people are the weakest link and are easier to exploit than
other information assets. Human beings are bound to make mistakes, and most of the time it is through ignorance that they become vulnerable
and expose company information assets to attackers. As such, a company needs strong policies and measures in
place to protect and safeguard its information assets. In the specific case of information security, these policies also shape the
workflow of an organization. The following policies have been designed for Total Bloc Pty Ltd, and it is management's
responsibility to ensure they are enforced and that employees are trained in the necessary procedures.
SECTION 1 ACCEPTABLE USE POLICY
1. POLICY STATEMENT
Total Bloc Pty Ltd receives, stores and processes highly sensitive customer financial data; it is therefore paramount that
our employees fully understand and comply with Total Bloc Pty Ltd's Acceptable Use Policy. The company resources
covered by this policy are to be used for business and Total Bloc work-related purposes only. This policy binds
all staff and requires full commitment, trust, transparency, integrity and professional conduct. Total Bloc is
committed to protecting its employees and third parties from illegal activities; we therefore expect every
employee to be fully mindful of these guidelines and to execute their duties professionally.
2. PURPOSE /OBJECTIVES
Every employee should know that our customer service department is Total Bloc's most critical business function; hence
we must by all means make sure our IT infrastructure is safeguarded and secure in order to serve our clients. The purpose of this
policy is to outline acceptable and unacceptable use of Total Bloc's information assets and resources, which comprise
applications, internet access, computers and software used within Total Bloc's environment. This policy is not meant
to punish employees but to protect Total Bloc's infrastructure, our customers and our employees. Unauthorized use or
misuse of company resources exposes us to cyber-attacks such as malware attacks and data breaches, to legal issues and to
compromise of our information systems, which in turn results in legal penalties and revenue loss for ourselves and our
esteemed customers.
3. SCOPE
This policy covers the use of electronic devices, computing devices, mobile devices, information and network
resources to conduct Total Bloc business or to interact with internal networks and information assets, whether leased or
owned by Total Bloc, third parties or employees. All contractors, staff, consultants, temporary and other workers at
Total Bloc and its subsidiaries are responsible for exercising sound judgement regarding appropriate use of information,
network resources, electronic devices and mobile phones in accordance with Total Bloc policies, local laws, standards
and regulations. The following assets owned by Total Bloc are covered by this policy:
Remote access, endpoint devices, laptops, smartphones, switches, firewalls and routers.
Computer hardware, software, networks and passwords, internet and email use, third-party software,
essential data, and equipment at both our disaster recovery site and head office.
Total Bloc's email and Internet facilities are intended for work purposes only. Personal use is permitted when it does not
affect the individual's professional performance, does not violate any terms and conditions of employment, does not in any
way harm Total Bloc and does not place Total Bloc in breach of legal or other obligations. All Total Bloc staff are
therefore expected to take responsibility for their behaviour when using the internet and email systems.
Employees must not use internet or email for personal gains or run personal business.
Employees must not send sensitive or confidential information outside the company without adequate protection.
Employees must not forward business emails to personal email accounts e.g. Gmail or Yahoo.
Employees must not download copyrighted material such as music, videos etc.
Employees must not download any software from the internet without prior consent of the IT department.
Employees must not connect Total Bloc devices to the internet using non-standard connections.
Employees must exercise caution when opening attachments to emails received from unknown sources.
Employees must not use the internet or email for harassment or abuse.
Employees must not use profanity, vulgarities or disrespectful remarks in communications.
Employees must not access, upload, send or receive data, including images, that Total Bloc considers offensive in any
way, including sexually explicit, discriminatory, defamatory or vilifying material.
Access to Total Bloc IT equipment is controlled by passwords, user IDs and tokens. All tokens, user IDs and
passwords are assigned exclusively to named individuals, who are accountable for all actions taken under them on Total Bloc's
systems. Personnel will use only software approved by Total Bloc on company computers. Authorized software
must be used in accordance with the terms of its software licence. All software installed on Total Bloc computers must be
approved and installed by the Total Bloc IT department.
Mobile Devices
Only approved mobile storage devices with encryption enabled should be used when transferring sensitive or
confidential information.
Removable storage media such as CDs, DVDs, flash drives and removable hard drives should only be used when network
connectivity is not available.
Employees may not attribute personal statements, opinions or beliefs to the company when engaged on social
media platforms such as WhatsApp, YouTube and Facebook. Employees shall not participate in any social media
activity that could tarnish the company's image, reputation or goodwill. Employees are not
allowed to make biased, offensive or harassing remarks when engaged on social media. Employees must not
attempt to remove virus-infected files or clean up a virus infection themselves. Limited and occasional use of the
company's computer systems for social media is acceptable, provided that it is done in a prudent and
responsible manner, does not otherwise violate company policy, does not prejudice the best
interests of the company and does not interfere with the employee's normal duties.
Remote Access
Extra caution should be exercised in the use of mobile devices such as laptops, phones and tablets. They must be
protected at least by a password or PIN and, where available, by encryption. Laptops and mobile devices must be
carried as hand luggage when travelling. Laptops and mobile devices may be taken off-site.
Working away from the office must be in line with the company's remote working policy. Company devices and
assets must not be left unattended in personal cars or public places. Company assets must at all times be
safeguarded when users are working outside company premises or remotely.
5. PROCEDURES
This Acceptable Use Policy will be sent by email to each employee. The company's standard procedures require
each and every employee to read it carefully, understand it and accept it by signing the Employee
Agreement on the ACCEPTABLE USE POLICY at the end of this document. The signed document must be
submitted to the employee's respective department supervisor or manager.
6. GUIDELINES
Some employees might have difficulty applying or understanding the rules and regulations outlined above;
however, Total Bloc will ensure every employee receives proper training through our IT Technical department.
Our technical staff will ensure employees fully understand and adhere to the company's Acceptable Use Policy. We
value and care for our employees; it is therefore our primary objective as a service provider to comply with standards
such as PCI DSS and with IT security regulatory frameworks and best practices. Further to the above, we will
conduct regular user awareness webinars on evolving technology changes to keep our employees abreast of
industry regulatory and compliance standards.
EMPLOYEE COMPANY
NAME………………………………… NAME……………………………….
Date…………………………………… Date…………………………………
Analyze & Design Security Policies EPHERT SAKA
SECTION 2 DISASTER RECOVERY PLAN
1. OVERVIEW
Serious data breaches occur time and again, yet management personnel are often unaware of disaster recovery
plans. Having a disaster recovery plan in place for when the unexpected happens gives
Total Bloc the means to minimize the impact. This policy requires Total Bloc management to give financial support to, and
meticulously attend to, disaster recovery planning efforts. Disasters can be physical, but they are
not limited to hostile weather conditions: any potential threat that could disrupt operational services should be
considered. A disaster recovery plan is therefore an essential part of every organization's business continuity plan should disaster
strike.
2. PURPOSE
The purpose of this policy is to require a standard disaster recovery plan, designed and enforced by Total Bloc, that
explains the processes for recovering information systems infrastructure, sensitive data and applications from any threat that
could result in service disruption.
3. SCOPE
Senior management and IT employees will ensure that this guideline is developed, tested and kept up to date with the ever-
changing landscape of information security measures. This policy requires Total Bloc to have a disaster
recovery plan; it does not necessarily prescribe what goes into that plan or what may be substituted in it. This
blueprint applies to Total Bloc, its branches, employees, affiliates and customers who would be affected by loss or
disruption of normal business operations.
4. POLICY
Day-to-day business operations, services and processes, such as applications, customer services and systems,
are critical to our business and will be defined by Recovery Time Objectives (RTO) and Recovery Point Objectives
(RPO) in this business continuity and impact analysis plan. The Recovery Time Objective is the maximum interruption the
business can experience without its usual services, and the Recovery Point Objective (RPO) is the point in time to which normal
services are restored from backups or other redundancy procedures.
The table below illustrates the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in the event that a data breach occurs.
Normal operational services will be recovered within the business continuity scenario using the alternate processing and
impact severity strategy. These critical information assets will be reviewed and updated by management on
an annual basis in order to assess and review any changes that may arise.
For any facility where Total Bloc, its branches, affiliates or our clients lose connectivity and services, this plan requires that
all services be transferred to a disaster recovery site until all services have been restored to
normal operation. The impact of the loss will determine the time taken to recover and the downtime experienced, and
it is the Incident Response Team's responsibility to ensure the company recovers these essential normal operations.
5. PROCEDURES
After any disaster or incident which causes the loss or reduction of services or processes provided by Total Bloc, its
branches and affiliates, Incident Response Teams will be dispatched to assess the damage that may have been caused.
Once the impact has been determined, Disaster Recovery Teams will be notified and mobilized to address the recovery
of facilities, services or processes affected by the event.
Recovery may involve the transfer of personnel, data or services to an alternate facility. The time needed to return to
operation will be assessed according to the severity of the attack on the affected information assets.
6. GUIDELINES
Implementation of this policy is dependent on approval by executive management, the Chief Information Officer (CIO)
and the personnel assigned to the Incident Management Teams. The effectiveness of this plan is dependent on the Recovery
Time Objectives and Recovery Point Objectives of the personnel involved. The Incident Response Team and other
employees will be responsible for handling sensitive data and the other various assets of Total Bloc; periodic testing and
simulated responses should be performed on a regular basis.
The frequency shall be recommended by the Chief Information Security Officer and personnel assigned to the Incident
Management Teams. This policy shall be revised as needed on an annual basis and changes shall be fully documented.
Any changes to this policy shall be distributed and reviewed by Executive Management, the Chief Information Security
Officer and personnel assigned to the Incident Management Teams.
This disaster recovery plan policy guideline is driven by the ultimate goal of achieving a minimum level of continuity
for business operations. All departments, working together, will provide the necessary updated information to be stored
in case of system failure due to disaster. Meeting the Recovery Time Objectives and Recovery Point Objectives for standard business
operations is predicated on company personnel adhering to this company policy, which will be enforced as
mandatory.
7. POLICY COMPLIANCE
Senior management and IT personnel will monitor and verify compliance with this policy through communication channels
and methods such as audits, video monitoring, training sessions and feedback from staff.
SECTION 3 INFORMATION SECURITY TRAINING POLICY
1. OVERVIEW
In cyberattack awareness and staff preparation, the most important aspect that many small to medium businesses
overlook is awareness itself. No company environment is 100% secure; however, the effect of any unexpected disaster can be
mitigated or reduced to a minimum if users are properly trained in the areas that cyber criminals exploit.
2. PURPOSE
The primary purpose of this policy is to make sure users are appropriately trained in areas pertaining to security
awareness, information safeguarding, access controls and other company resources.
3. SCOPE
This policy covers all Total Bloc employees, temporary workers, contractors, third parties and other stakeholders
who handle or work with Total Bloc's information assets.
4. POLICY
A. GENERAL
It is Total Bloc's responsibility to ensure all Total Bloc employees are knowledgeable about, and adhere to, industry best
practices for using company resources and managing sensitive customer information. Extreme care will therefore be
taken by Total Bloc to develop effective employees who are well equipped with security awareness
throughout the organization. This will involve implementing critical information security awareness training seminars.
The different IT security departments will work together, and the Chief Information Security Officer will scrutinise the
security of data and information assets across the entire company. Senior management and personnel shall also ensure this
policy is supported, dependable and enforced in full in order to achieve the desired compliance standards.
The IT security manager will be responsible for developing and maintaining a documented security awareness training program
covering staff education, timelines and procedures, to ensure all employees fully understand their roles in
protecting sensitive data for both Total Bloc and our clients. This plan will specify the information to be
communicated, how and when it is communicated, to whom, and all the channels through which communication is to be
initiated.
Management shall ensure staff are given all the support they need, including regular interaction, training sessions and
reminders, so that they appropriately safeguard sensitive data. The training topics shall cover the
following:
All Total Bloc employees and new staff must participate in security training classes within fourteen days of being
granted access to Total Bloc information assets.
Employees will be trained on how to identify and report data breaches, and how to detect and defend against cyberattacks.
Acknowledgement by use of certificates received after training will prove employees have been equipped with
the necessary training as required by Total Bloc information security training standards and policies.
Training manuals and references will be provided for review to all staff members.
Refresher training will be conducted on an annual basis.
Further cloud training sessions will be conducted to ensure employees understand this technology.
Further training topics will be covered, such as the risks and responsibilities of Bring Your Own Device (BYOD).
C. MANAGEMENT IMPLEMENTATION
Ensure structured communication processes are in place to inform all staff members of new security programs and matters of interest.
Ensure the IT department is responsible for implementing the necessary safeguards and for training in security
awareness and best practices.
Flyers, emails, posters and verbal communication will be used periodically as reminders so that staff are kept
abreast of the ever-changing threat landscape and of security best practices.
Documented procedures and guidelines should be in place to ensure this policy is being adhered to. Some of the
expected management controls are as follows.
A training plan, with evidence of ongoing updates and document versions, should be recorded.
Reviews of existing training programs that were conducted within the company.
Employee training certificates of completion should be logged.
The rate of completion statistic should be recorded.
Proof of reminders and continuing education should be documented.
6. ENFORCEMENT
Members of staff who will be found to be violating this policy will face disciplinary action which may lead to employment
dismissal.
7. DISTRIBUTION
This policy will be forwarded to all Total Bloc employees, to third parties doing business with Total Bloc and to contractors
who have access to Total Bloc information resources and assets.
I acknowledge that I have received a copy of the Total Bloc Pty Ltd INFORMATION SECURITY TRAINING POLICY. I have
read and understand the policy requirements. I understand that if I infringe this policy I may face disciplinary action, including
termination of employment. I further understand that I will contact my supervisor or the relevant authorities within the
company if I have any questions about any aspect of the policy.
EMPLOYEE COMPANY
NAME………………………………… NAME……………………………….
Date…………………………………… Date…………………………………