
Student Name: Ephert Saka

Course Name: W21 Capstone Information Security Project


Instructor Name: Saikat Asaduzzaman
Date: 16-02-2021

Analyze & Design Security Policies

Analyze & Design Security Policies EPHERT SAKA


TABLE OF CONTENTS

Title Page

Introduction

Section 1 Acceptable Use Policy

Section 2 Disaster Recovery Plan

Section 3 Information Security Training Policy



SECTION 1 ACCEPTABLE USE POLICY

INTRODUCTION

Every company with compliance obligations must have policies in place for all employees to follow. These policies are
essential to reduce the impact of cyber-attacks. People are often described as the weakest link because they are easier to
exploit than other information assets: human beings make mistakes, and through ignorance they frequently expose company
information assets to attackers. A company therefore needs strong policies and measures to protect and safeguard its
information assets. For information security in particular, these policies also shape the workflow of the organization.
The following policies have been designed for Total Bloc Pty Ltd. It is management's responsibility to ensure they are
enforced and that employees are trained in the necessary procedures.

TOTAL BLOC PTY LTD / ACCEPTABLE USE POLICY

1. POLICY STATEMENT

Total Bloc Pty Ltd receives, stores and processes highly sensitive customer financial data. It is therefore paramount that
our employees fully understand and comply with Total Bloc Pty Ltd's Acceptable Use Policy. The company resources covered
by this policy are to be used for business and Total Bloc work-related purposes only. This policy applies to all staff and
requires full commitment, trust, transparency, integrity and professional conduct. Total Bloc is committed to protecting
its employees and third parties from illegal activities, and we expect every employee to be fully aware of these
guidelines and to carry out their duties professionally.

2. PURPOSE / OBJECTIVES

Every employee should know that our customer service department is Total Bloc's most critical business function; we must
therefore ensure that the IT infrastructure that serves our clients is safeguarded and secure. The purpose of this policy
is to define acceptable and unacceptable use of Total Bloc's information assets and resources, which include applications,
internet access, computers and software used within Total Bloc's environment. This policy is not intended to punish
employees but to protect Total Bloc's infrastructure, our customers and our employees. Unauthorized use or misuse of
company resources exposes us to malware, data breaches, legal issues and compromise of our information systems, which in
turn lead to legal penalties and revenue loss for ourselves and our customers.

3. SCOPE

This policy covers the use of electronic devices, computing devices, mobile devices, information and network resources to
conduct Total Bloc business or to interact with internal networks and information assets, whether leased or owned by
Total Bloc, third parties or employees. All contractors, staff, consultants, temporary and other workers at Total Bloc
and its subsidiaries are responsible for exercising sound judgement regarding the appropriate use of information, network
resources, electronic devices and mobile phones in accordance with Total Bloc policies, local laws, standards and
regulations. The following assets owned by Total Bloc are covered by this policy:

 Remote access, endpoint devices, laptops, smartphones, switches, firewalls and routers.
 Computer hardware, software, networks and passwords, internet and email use, third-party software, essential data
and equipment at both our disaster recovery site and head office.



4. STANDARDS

Email and Internet Use

Total Bloc's email and Internet access are intended for work purposes. Limited personal use is permitted provided it does
not affect the individual's professional performance, does not violate any terms and conditions of employment, does not
harm Total Bloc in any way and does not place Total Bloc in breach of legal or other obligations. All Total Bloc staff are
therefore responsible for their behaviour when using the internet and email systems.

 Employees must not use the internet or email for personal gain or to run a personal business.
 Employees must not send sensitive or confidential information outside Total Bloc unless authorized to do so and the
information is appropriately protected.
 Employees must not forward business emails to personal email accounts, e.g. Gmail or Yahoo.
 Employees must not download copyrighted material such as music or videos.
 Employees must not download any software from the internet without the prior consent of the IT department.
 Employees must not connect Total Bloc devices to the internet using non-standard connections.
 Employees must exercise caution when opening attachments in emails received from unknown sources.
 Employees must not use the internet or email for harassment or abuse.
 Employees must not use profanity, vulgarities or disrespectful remarks in communications.
 Employees must not access, upload, send or receive data, including images, that Total Bloc considers offensive,
including sexually explicit, discriminatory, defamatory or vilifying material.

Computer Hardware and Software

Access to Total Bloc IT equipment is controlled by passwords, user IDs and tokens. All tokens, user IDs and passwords are
assigned exclusively to named individuals, who are accountable for all actions taken under them on Total Bloc's systems.
Personnel will use only software approved by Total Bloc on company computers. Authorized software must be used in
accordance with the supplier's licence terms. All software installed on Total Bloc computers must be approved and
installed by the Total Bloc IT department.

 Employees must not store company information on any unauthorized equipment.
 Employees must not give or transfer data or software to any person or organization outside Total Bloc premises
without the authority of the IT department.
 Employees must not infringe the rights of any person or company protected by copyright, trade secrets, patents or
other intellectual property or by similar laws or regulations, including but not limited to installing or
distributing pirated products or software not authorized by the company.
 Employees must not export software, technical information, encryption software or technology in violation of
international or regional export control laws.
 Employees must not allow colleagues to use their user tokens or passwords on any of the business's workstations.
 Employees must not leave their user accounts logged in at an unattended and unlocked computer.
 Employees must not use someone else's user ID and password to access the company's computers.
 Employees must not write their passwords down.
 Employees must not make unauthorized changes to the company's IT systems.
 Employees must not connect any device not authorized by the company to the company network or IT systems.

Mobile Storage and Removable Media

 Only approved mobile storage devices with encryption enabled may be used when transferring sensitive or
confidential information.
 Removable media such as CDs, DVDs, flash drives and removable hard drives should only be used when network
connectivity is not available.



Social Media

 Employees may not attribute personal statements, opinions or beliefs to the company when engaged on social media
platforms such as WhatsApp, YouTube and Facebook. Employees shall not participate in any social media activity that
could tarnish the company's image, reputation or goodwill. Employees are not allowed to make biased, offensive or
abusive remarks when engaged on social media.
 Limited and occasional use of the company's computer systems for social media is acceptable, provided it is done in
a professional and responsible manner, does not otherwise violate company policy, does not prejudice the best
interests of the company and does not interfere with the employee's normal duties.
 Employees must not attempt to remove virus-infected files or clean up a virus infection themselves; suspected
infections must be reported to the IT department.

Remote Access

 Extra caution must be exercised with mobile devices such as laptops, phones and tablets. They must be protected at
least by a password or PIN and, where available, by encryption. Laptops and mobile devices may be taken off-site
but must be carried as hand luggage when travelling.
 Working away from the office must be in line with the company's remote working policy. Company devices and assets
must not be left unattended in personal cars or public places, and must be safeguarded at all times when users are
working outside company premises or remotely.

5. PROCEDURES

This Acceptable Use Policy will be sent by email to each employee. The company's standard procedures require each and
every employee to read it carefully, understand it and accept it by signing the Employee Agreement on Acceptable Use
Policy at the end of this document. The signed agreement must be submitted to the employee's department supervisor or
manager.

6. GUIDELINES

Some employees may have difficulty understanding or applying the rules outlined above. Total Bloc will ensure that every
employee receives proper training through our IT technical department, and our technical staff will ensure that employees
fully understand and adhere to the company's Acceptable Use Policy. We value and care for our employees, and as a service
provider handling customer financial data it is our primary objective to comply with standards such as PCI DSS and with
applicable IT security regulations, frameworks and best practices. In addition, we will conduct regular user awareness
webinars on evolving technology changes to keep our employees abreast of industry regulatory and compliance standards.

EMPLOYEE AGREEMENT ON ACCEPTABLE USE POLICY

I acknowledge that I have received a copy of the Total Bloc Pty Ltd Acceptable Use Policy. I have read and understand the
policy requirements. I understand that if I breach this policy I may face disciplinary action, including termination of
employment. I further understand that I should contact my supervisor or the responsible authorities within the company if
I have any questions about any aspect of the policy.

EMPLOYEE
Name: ....................................
Authorized Signature: ....................
Date: ....................................

COMPANY
Name: ....................................
Authorized Signature: ....................
Date: ....................................
SECTION 2 DISASTER RECOVERY PLAN

TOTAL BLOC PTY LTD / DISASTER RECOVERY PLAN


1. OVERVIEW

Serious data breaches and outages occur time and again, yet management is often unfamiliar with disaster recovery
planning. Having a disaster recovery plan in place before the unexpected happens gives Total Bloc the means to minimize
the impact. This policy requires Total Bloc management to fund and diligently support disaster recovery planning efforts.
Disasters include physical events such as hostile weather conditions but are not limited to them: any threat that could
disrupt operational services must be considered. A disaster recovery plan is therefore an essential part of every
organization's business continuity plan.

2. PURPOSE

This policy requires Total Bloc to design and enforce a standard disaster recovery plan that defines the processes for
recovering information systems infrastructure, sensitive data and applications from any threat that could result in
service disruption.

3. SCOPE

Senior management and IT staff will ensure that the plan is developed, tested and kept up to date with the ever-changing
information security landscape. This policy requires Total Bloc to maintain a disaster recovery plan; it does not
prescribe in detail what that plan must contain or what may be substituted within it. The plan applies to Total Bloc,
its branches, employees, affiliates and customers who would be affected by loss or disruption of normal business
operations.

4. POLICY

The day-to-day business operations, services and processes that are critical to Total Bloc, such as customer-facing
applications and the systems that support them, are assigned Recovery Time Objectives (RTO) and Recovery Point Objectives
(RPO) in this business continuity and impact analysis plan. The Recovery Time Objective is the maximum length of time a
service may remain unavailable after a disruption before it must be restored. The Recovery Point Objective is the maximum
amount of data loss, measured in time, that the business can tolerate: the longest acceptable interval between the last
usable recovery point (backup or replica) and the moment of disruption. The RPO therefore dictates how frequently backups
or replication must complete, while the RTO dictates how quickly the recovery procedure must run.

The table below lists the RTO and RPO for each system component in the event of a disruptive incident such as a data
breach or outage. Normal operational services will be recovered within these objectives using the alternate processing
and impact severity strategy. Management will review and update these critical information assets and their objectives
at least annually to reflect any changes that may arise.

System Components        RTO        RPO        Severity   Impacted Customers/Systems
Application Server       2 hours    4 hours    Critical   Operations-100
Web Server               2 hours    16 hours   Critical   100 staff
Database Server          2 hours    4 hours    Critical   100 staff
Desktop Computers        24 hours   4 hours    Major      100 staff
Firewalls and Switches   1 hour     1 hour     Critical   100 staff

RTO = Recovery Time Objective; RPO = Recovery Point Objective.

Where any facility of Total Bloc, its branches, affiliates or clients loses connectivity or services, this plan requires
that all affected services be transferred to the disaster recovery site until normal operations have been restored. The
impact of the loss determines the recovery time and the downtime experienced, and it is the Incident Response Team's
responsibility to ensure the company recovers these essential operations within the objectives above.
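The RTO and RPO targets above only mean something if each recovery exercise is measured against them. The following is an added example, not part of the original plan, that encodes the table's targets and scores a recovery (real or tabletop) on both axes: data loss is measured backwards from the disruption to the last usable recovery point, downtime forwards to restoration. It also derives the longest backup interval that can still satisfy an RPO, because the last completed backup can be as old as interval plus backup duration when the disruption strikes. The timestamps in EXERCISE are constructed for the example and are not real incident data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjective:
    component: str
    rto: timedelta  # longest tolerable interruption of the service
    rpo: timedelta  # oldest tolerable recovery point, i.e. the most data (in time) that may be lost
    severity: str


# Targets taken from the RTO/RPO table in this plan.
OBJECTIVES = {
    "Application Server": RecoveryObjective("Application Server", timedelta(hours=2), timedelta(hours=4), "Critical"),
    "Web Server": RecoveryObjective("Web Server", timedelta(hours=2), timedelta(hours=16), "Critical"),
    "Database Server": RecoveryObjective("Database Server", timedelta(hours=2), timedelta(hours=4), "Critical"),
    "Desktop Computers": RecoveryObjective("Desktop Computers", timedelta(hours=24), timedelta(hours=4), "Major"),
    "Firewalls and Switches": RecoveryObjective("Firewalls and Switches", timedelta(hours=1), timedelta(hours=1), "Critical"),
}


@dataclass(frozen=True)
class RecoveryRecord:
    component: str
    disruption_at: datetime        # when the service stopped
    last_recovery_point: datetime  # completion time of the last good backup/replica before the disruption
    restored_at: datetime          # when normal service was confirmed restored


def evaluate(record: RecoveryRecord, objective: RecoveryObjective) -> dict:
    """Compare one recovery against its RTO and RPO and report both results."""
    if record.last_recovery_point > record.disruption_at:
        raise ValueError("recovery point cannot postdate the disruption")
    if record.restored_at < record.disruption_at:
        raise ValueError("restoration cannot precede the disruption")
    data_loss = record.disruption_at - record.last_recovery_point
    downtime = record.restored_at - record.disruption_at
    return {
        "component": record.component,
        "data_loss_hours": data_loss / timedelta(hours=1),
        "rpo_met": data_loss <= objective.rpo,
        "downtime_hours": downtime / timedelta(hours=1),
        "rto_met": downtime <= objective.rto,
    }


def max_backup_interval(objective: RecoveryObjective, backup_duration: timedelta) -> timedelta:
    """Longest scheduling interval between backups that still satisfies the RPO.

    Worst case: the disruption hits just before the next backup completes, so the
    newest usable recovery point is (interval + backup_duration) old.
    """
    interval = objective.rpo - backup_duration
    if interval <= timedelta(0):
        raise ValueError(
            f"{objective.component}: a backup taking {backup_duration} cannot meet an RPO of {objective.rpo}"
        )
    return interval


def evaluate_exercise(records: list) -> list:
    """Score every record in a recovery exercise against the plan's objectives."""
    return [evaluate(r, OBJECTIVES[r.component]) for r in records]


# Constructed timestamps for a tabletop exercise (hypothetical, not real incident data).
T = datetime(2021, 2, 16, 9, 30)  # assumed moment of disruption
EXERCISE = [
    # last backup the evening before: 15.5 h of data loss (RPO 16 h met), restored in 2.5 h (RTO 2 h missed)
    RecoveryRecord("Web Server", T, datetime(2021, 2, 15, 18, 0), T + timedelta(hours=2, minutes=30)),
    # 3.5 h of data loss (RPO 4 h met), restored in 1.5 h (RTO 2 h met)
    RecoveryRecord("Database Server", T, datetime(2021, 2, 16, 6, 0), T + timedelta(hours=1, minutes=30)),
    # config saved 30 min earlier (RPO 1 h met), restored in 1.5 h (RTO 1 h missed)
    RecoveryRecord("Firewalls and Switches", T, datetime(2021, 2, 16, 9, 0), T + timedelta(hours=1, minutes=30)),
]

if __name__ == "__main__":
    for result in evaluate_exercise(EXERCISE):
        print(result)
    print("Database Server max backup interval with 45 min backups:",
          max_backup_interval(OBJECTIVES["Database Server"], timedelta(minutes=45)))
```

Running the exercise shows the kind of gap a review should surface: a component can meet its RPO comfortably while missing its RTO, and the two have different remedies (backup frequency versus recovery procedure speed). For the Firewalls and Switches row, a 1 hour RPO leaves no room for a configuration backup that itself takes an hour or more, which max_backup_interval rejects rather than silently scheduling.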

5. PROCEDURES

After any disaster or incident that causes the loss or degradation of services or processes provided by Total Bloc, its
branches or affiliates, the Incident Response Team will be dispatched to assess the damage. Once the impact has been
determined, the Disaster Recovery Teams will be notified and mobilized to recover the affected facilities, services or
processes.

Recovery may involve transferring personnel, data or services to an alternate facility. The time needed to return to
normal operation will be assessed according to the severity of the incident and the information assets affected.

6. GUIDELINES

Implementation of this policy depends on the approval of executive management, the Chief Information Officer (CIO) and
the personnel assigned to the Incident Management Teams. The effectiveness of this plan depends on those personnel
meeting the Recovery Time Objectives and Recovery Point Objectives defined above. Because the Incident Response Team and
other employees are responsible for handling sensitive data and other Total Bloc assets, periodic testing and simulated
responses must be performed on a regular basis.

The frequency shall be recommended by the Chief Information Security Officer and personnel assigned to the Incident
Management Teams. This policy shall be revised as needed on an annual basis and changes shall be fully documented.
Any changes to this policy shall be distributed and reviewed by Executive Management, the Chief Information Security
Officer and personnel assigned to the Incident Management Teams.

This disaster recovery policy is guided by the goal of maintaining at least a minimum level of continuity for business
operations. All departments working together will provide the up-to-date information that must be stored in case of
system failure due to disaster. Meeting the Recovery Time Objectives and Recovery Point Objectives for standard business
operations depends on company personnel adhering to this policy, which is mandatory and will be enforced.

7. POLICY COMPLIANCE

Senior management and IT personnel will monitor and verify compliance with this policy through channels and methods such
as audits, video monitoring, training sessions and feedback from staff.



SECTION 3 INFORMATION SECURITY TRAINING POLICY

TOTAL BLOC PTY LTD / INFORMATION SECURITY TRAINING POLICY

1. OVERVIEW

Awareness is the aspect of cyber-attack preparedness that small and medium businesses most often overlook. No company
environment is 100% secure, but the impact of an unexpected incident can be mitigated or reduced to a minimum if users
are properly trained in the areas that cyber criminals exploit.

2. PURPOSE

The primary purpose of this policy is to make sure users are appropriately trained in areas pertaining to security
awareness, information safeguarding, access controls and other company resources.

3. SCOPE

This policy covers all Total Bloc employees, temporary workers, contractors, third parties and other stakeholders who
handle or work with Total Bloc's information assets.

4. POLICY

A. GENERAL

It is Total Bloc's responsibility to ensure that all Total Bloc employees know and follow industry best practices for
using company resources and handling sensitive customer information. Total Bloc will therefore take great care to develop
security-aware employees throughout the organization, including by running critical information security awareness
training seminars. The IT security departments will work together, and the Chief Information Security Officer will
oversee the security of the data and information assets of the entire company. Senior management shall ensure that this
policy is supported, reliable and fully enforced in order to achieve the required compliance standards.

The IT security manager is responsible for developing and maintaining a documented security awareness training program,
covering staff education, timelines and procedures, to ensure that all employees fully understand their role in
protecting sensitive data for both Total Bloc and our clients. The program will specify what information is to be
communicated, how and when it is communicated, to whom, and all channels through which communication is required.

Management shall give staff all the support they need, including regular interaction, training sessions and reminders,
to ensure they safeguard sensitive data appropriately. The training topics shall include the following:

 Responsibilities for safeguarding critical information.
 Threats to data assets and company resources.
 Safe use of information and company assets.
 Total Bloc data security guidelines, techniques and best practices.
 Safeguarding information assets and physical assets.
 Authentication on all devices and encryption of data in transit between networks.

B. TRAINING PLAN REQUIREMENTS

The training plan will include the following:

 All Total Bloc employees and new staff must complete security training within fourteen days of being granted
access to Total Bloc information assets.
 Employees will be trained to identify and report data breaches and to detect and defend against cyber-attacks.
 Certificates issued on completion of training will serve as evidence that employees have received the training
required by Total Bloc's information security training standards and policies.
 Training manuals and reference material will be provided to all staff members for review.
 Refresher training will be conducted annually.
 Additional training on cloud services will be provided so that employees understand this technology.
 Additional topics will be covered, such as the risks and responsibilities of Bring Your Own Device (BYOD).

C. MANAGEMENT IMPLEMENTATION

The Chief Information Security Officer or their delegates shall:

 Ensure structured communication processes are in place to inform all staff members of new security programs and
matters of interest.
 Ensure the IT department is responsible for implementing the necessary safeguards and for training in security
awareness and best practices.
 Use flyers, emails, posters and verbal communication periodically as reminders, so that staff are kept abreast of
the ever-changing threat landscape and security best practices.

5. AUDIT CONTROLS AND MANAGEMENT

Documented procedures and guidelines shall be in place to ensure this policy is adhered to. The expected management
controls include the following:

 The training plan, with evidence of ongoing updates and a record of document versions.
 Reviews of existing training programs conducted within the company.
 A log of employee training certificates of completion.
 Recorded training completion rate statistics.
 Documented evidence of reminders and continuing education.

6. ENFORCEMENT

Members of staff found to be in violation of this policy will face disciplinary action, which may lead to dismissal.

7. DISTRIBUTION

This policy will be distributed to all Total Bloc employees, and to third parties doing business with Total Bloc or
contractors who have access to Total Bloc information resources and assets.



8. POLICY VERSION HISTORY

Date          Version   Description              Approved By
10/2020/16    2.0       Initial drafted policy

EMPLOYEE AGREEMENT ON INFORMATION SECURITY TRAINING POLICY

I acknowledge that I have received a copy of the Total Bloc Pty Ltd Information Security Training Policy. I have read
and understand the policy requirements. I understand that if I breach this policy I may face disciplinary action,
including termination of employment. I further understand that I should contact my supervisor or the responsible
authorities within the company if I have any questions about any aspect of the policy.

EMPLOYEE
Name: ....................................
Authorized Signature: ....................
Date: ....................................

COMPANY
Name: ....................................
Authorized Signature: ....................
Date: ....................................
