Information Security Policy.
Added on - 17 Oct 2019
1.1 SCOPE

Information security plays an important role in growing the business, but its performance depends on the size of the company. EnsureSello is a big company which sells various types of insurance policies, such as home, business, car, and medical, to both individuals and organisations. People's data, such as their name, address, contact number and their card and cash card information, is going to be stored. After registration, the profile is created. The data is divided into two categories: public and private data. Once a user is successfully authenticated, the user will use the information according to their needs. The security policy of any company always reflects its actual work. EnsureSello uses a backend database with a single server to host a single-tier network architecture. EnsureSello is going to complete its audit in the next four months.

1.2 Principles

In order to make the EnsureSello information security policy document, we first have to define the objective of the security and discuss the management strategy with everyone for securing the company's information. The security industry standards document is going to be used as a baseline framework for EnsureSello. Its information security is related to guaranteed availability, confidentiality, integrity and authentication. Effective security is only achieved through working within a proper framework. To make a good information security policy, we have to determine the scope of the security policy and identify the upcoming threats people face due to the lack of a proper information security policy.

1.3 Policy Statements

EnsureSello's information and IT infrastructure are protected by security policies which are based entirely upon ISO 27001 and ISO 27002.
The information system security policy sets standards and guidelines for accessing the company's application systems and information. It is the responsibility of the IT department to provide adequate confidentiality and security for information held on local media or in remote areas. In EnsureSello only authorised and genuine software is installed, and the internet and other services can be used only by authorised persons.

2. Risk Identification

Increasing dependence on IT has also increased the impact of IT risk on the overall business of the organization. Nowadays threats to IT services have increased because their vulnerabilities are exposed across the world. EnsureSello wants to start its business in the UK, but its main center is going to stay in the USA. When we check the business model, we find that only the location of the site is risky; otherwise the company's purpose and plan are the same and good.
IT risk constantly puts pressure on the company's core business. Essential business data is also a risk factor for the company. We have to store the data of customers as well as our products in such a manner that we can use it in future without any hindrance. End users are the customers who visit our website, put their details in our form and register themselves. After the password authentication process they choose a policy or do other things on their profile. If a customer enters wrong credentials during login, he is not able to buy a policy from the EnsureSello website. While it is being sent to and processed by a third party, the security of customer data is at very high risk. There are many risk factors in the infrastructure. The software and hardware that are going to be used in EnsureSello are also checked by IT professionals for upcoming risks. Session management, ID management, security events and logging are the major risk factor areas of EnsureSello.

3. Identity & Access Management

3.1 Risk Identification

The password policy is mainly used to protect the integrity and confidentiality of the system from unauthorized people. Due to the lack of password policy enforcement in EnsureSello, attackers can easily control the content of password-protected things. With a weak password policy there are many ways through which attackers can get the password of the system or a user page. To stop this, EnsureSello should perform a security audit at regular intervals. They should also introduce a strong policy which forces end users to create strong passwords.

3.2 Password Policy

It is a set of rules mainly designed to increase the security of the system and networks by making people choose strong passwords and use them properly.
There are many salient features of the password policy, such as enforced password history, maximum password age, minimum password age, minimum password length, passwords must meet complexity requirements, and then storing the passwords using reversible encryption. Today many systems, such as Google and other IT giants, have built-in password methods to set the policy.

4. Risk Management

4.1 Qualitative Risk Analysis

The person who manages the data center is regularly fighting the risk of threats to the database. Before managing risk at the data center, the data manager first has to understand the different types of risk which directly affect the core of the data center. The main basic risk category is power loss at the data center. Frequent power loss at the data center causes loss of important data. The second major risk faced at the data center is frequent service disruption due to malfunctioning software as well as physical equipment. The third risk which mainly affects the data center is the physical environment or climate. Last but not least, the risk to physical security and logical security at the data center plays a major role in risk management. In qualitative risk analysis, logs of all risks and issues are sorted out with various action plans. A data center doesn’t function alone, so risk at the data center is always a major problem. The main reason behind testing web security is to avoid potential threats. To test the security of a web app we have to go to its lower level. We should frequently used