Developing and Implementing Policy: A Case Study of Widget Enterprises

Verified

Added on  2023/04/04

|11
|1683
|323
Case Study
AI Summary
This document presents a case study solution focused on developing and implementing security policies for Widget Enterprises. It outlines a cyber incident response policy, detailing the purpose, scope, key assets, threat environment, reporting procedures, and stakeholder notification obligations. Additionally, it includes an information security and acceptable use policy, covering acceptable and prohibited uses of ICT resources, password policies, spam/phishing precautions, teleworking guidelines, unauthorized software restrictions, media handling procedures, and backup policies. The solution emphasizes the roles and responsibilities of staff, office managers, and business owners in maintaining a secure IT environment and adhering to security protocols. The case study also covers incident reporting procedures to be followed by the employees in case of a cyber attack.
Document Page
Running Head: WIDGET ENTERPRISES 1
Develop and Implement Policy: A Case Study of Widget Enterprises
By
University Affiliation
Date
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
WIDGET ENTERPRISES 2
WIDGET ENTERPRISES: CYBER INCIDENT RESPONSE POLICY
Purpose and Background
The role of this document is to enumerate the widget’s approach to the management of
Information Security (IS) incidents. An information security incident is the loss or compromise
of the widget’s information through deliberate or accidental acts.
Scope
This document will cover the responsibilities of management and staff in identifying, reporting
and managing information security incidents.
Key Assets
The following are the assets that are vulnerable to information security incidents.
ASSET DESCRIPTION AND RISK PROTECTION
ATTRIBUTES
Windows
Server
Provides email and file storage Unauthorized modification/
availability
NAS Provides backup Unauthorized modification/
availability
Laptops Used for daily task and to store company
information and working tools.
unauthorized
access/availability
Network
Infrastructure
Network switch and wireless access Availability
Document Page
WIDGET ENTERPRISES 3
Company
information
Clients and staff information held by the
organization
Unauthorized access
Threat Environment and Incident Types
Threat Environment
Threat Description and Risk
Cyber Crime Masquerading, snooping, ransomware attack, financial crimes.
Groups motivated
issues
Denial of service attack, eavesdropping, website defacement, and
defamation
State-sponsored
hacker
Snooping, spoofing
Reporting Procedures and Responsibilities
Key roles and responsibilities
The responsibilities of management in managing cybersecurity are as shown below.
WHO Responsibility
All Staff To familiarize with reporting procedures and to report any known or
suspected information security incident.
Office Manager To manage the security incidents
Business owner Updating reporting procedures, training staff, ensure appropriate follow-
Document Page
WIDGET ENTERPRISES 4
up actions are taken and manage recovery from ransom attack.
Reporting Procedures and Immediate Actions
The staff should follow the following procedure in handling security incidents; first, report it to
the office manager. Second, restart the computer and see if the problem will be resolved. Third,
if one has access to email services, notify all the staff about the incident via email. Fourth,
change the password if possible. Five, install and run an antivirus if possible. If all that does not
work the staff should take their laptops to the office manager so that the manager can rectify the
problem.
Incident Response
Assessment and Response procedure
After receiving the laptop from the staff the office manager shall perform the following tasks.
First, run a backup on the server to the NAS and then isolate the NAS and the server from the
network. Secondly, notify all the staff not affected to immediately backup their data to the AWS
bucket on the following URL: https://aws.Widget.customerprivatedata.bucket. Third, the
manager shall direct all the staff to change their passwords, install and run antivirus. If they
encounter any problem they should contact the manager. Fourth, loss assessment in which case
the office manager shall compile a report for the business owner advising the owner accordingly.
Six, if the demand of a ransom is made the owner will make a decision as to whether it will be
paid.
Stakeholder Notification/ Reporting Obligations
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
WIDGET ENTERPRISES 5
The list shows the stakeholders who need to be notified and the criteria of reporting to them:
Notifiable data breaches (NDB) scheme: Australian privacy act requires all data breaches
to be reported to the Australian Information Commissioner. Also if customers’ tax files
have been compromised it must be reported.
Loss/ Compromise of customer data: notify customers if their data has been lost or
compromised and also notify them of the steps that are to be taken to recover the data.
Criminal activity: contact the local police if the incident is believed to be a criminal act.
Financial institutions: if the incident has resulted in the compromise of customers’
banking details and/or electronic theft of money report to the relevant financial
institution.
Incident Review
Following an information security incident widget will conduct of the incident. The review
should cover: first, determining who is responsible for the action and the disciplinary measures
to be taken against them. Secondly, determining whether changes to ICT security and
infrastructure is necessary.
WIDGET ENTERPRISES: INFORMATION SECURITY AND ACCEPTABLE USE
POLICY
Document Page
WIDGET ENTERPRISES 6
Purpose
This policy directs Widget Enterprises employees and contractors on acceptable use of
information and communications technology resources, including acceptable use, prohibited use,
and information security practices.
Background and Scope
Employees are provided with ICT resources by Widget enterprises to perform their duties. This
policy applies to staff, contractors and all organization’s information and ICT equipment,
including; first, desktop computers and devices. Secondly, mobile devices such as laptops,
tablets, and smartphones provided by Widget. Third, personal devices which are connected to the
widget network. Fourth, network infrastructure, server, storage devices, and any information
stored in such devices.
Roles and responsibilities
WHO RESPONSIBILITY
All Staff Strictly follow the policy when using Widget information
assets.
Report any breaches or violation of the policy to the supervisor.
Strictly follow the Widget’s incidents policy while reporting
any security incident.
Office Manager Responsible just like any other staff.
Conduct backups
Manage cyber security incidents.
Training staff and providing cybersecurity awareness.
Document Page
WIDGET ENTERPRISES 7
Business owner Responsible just like any other staff.
Ensure policy compliance by the staff.
Acceptable and Prohibited Use
Acceptable Use of Assets and Information
The ICT resources are provided to enable the Widget’s staff to perform their duties according to
their job descriptions. Staff should never access any information that is not within the scope of
their role not unless they are assisting other staff. Some personal use of ICT resources such as the
internet is allowed if only it is reasonable. Employees are advised to consult their colleagues in
case they are unsure of what constitutes acceptable personal use.
Prohibited and Inappropriate Use
The following practices are prohibited
Using the ICT resources to commit acts which are against the law. For example,
purchasing illegal goods online.
Engaging in online gambling.
Sharing offensive information to colleagues. Before sending a joke, employees are
advised to first discuss any joke with their friends within the organization to ascertain that
the joke is not offensive.
Information Security Practices
Password policy
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
WIDGET ENTERPRISES 8
Passwords are one of the key security features which are used to protect Widget’s Information
Assets. Many of the systems used in Widget Enterprises have password protection. The
password policy for each system is as outlined below.
Work laptops: Employees are required to set their own passwords. The password should
be easy to remember but difficult to guess.
Email password: the password should be easy to remember but difficult to guess. If a
staff forgets their email password, they should contact the office manager who will reset
the password and email the concerned staff the new password.
Office 365 password: if a staff forgets their password, they can use the reset function of
their Microsoft account.
Software as a Service (SaaS) services: Widget Enterprises has four logins for the
accounting package and customer relationship management (CRM) package. The office
manager will notify via email the staff who wants to access the packages the user name
and password to use.
Office Wi-Fi network: the wireless access point name in the office is called WIDGET
and the password is ADMIN.
Spam/ Phishing
Last year the organization experienced a ransomware attack. One of the ways that a ransomware
attack can get into the system is through phishing and spam emails. All users of the
organization’s ICT resources are therefore, advised to only open emails from a known source.
Teleworking
Document Page
WIDGET ENTERPRISES 9
When working remotely staff should take the following precautions; first, in case the staff is
sharing a screen with a client, they should ensure that the client does not see another client’s
information. Secondly, remote workers should avoid using insecure public Wi-Fi points, unless it
is absolutely necessary.
Unauthorized Software
Installing games and other recreational software on work computers by staff is highly prohibited.
However, if an employee comes across software that they think will be of value to the
organization and its operations, the staff shall follow the following guidelines; first, try the
software at their own capacity to understand how it might be beneficial to Widget Enterprises.
Secondly, notify the office manager about the software.
Media Handling
Use of Universal Serial Bus (USB) connected media storage is another way that malware can
infect the organization’s information systems. Staff must be very careful when using these
devices. They should use only devices that they trust. Trusted USB devices include; new devices
purchased from a trusted vendor. Secondly, promotional USB devices received in trade events. If
any staff has any old USB devices that contain company information which is no longer in use
they should dispose of those devices.
Backup Policy
The best way to recover from a ransomware attack without paying the ransom is by backing-up
file. Employees are advised to backup files using the following policy:
Document Page
WIDGET ENTERPRISES 10
Laptops- Office Workers: Staff should store files in their laptop for up to one month. At
the end of one month, they should transfer the files to the office file server which is
regularly backed-up by the office manager to the next storage device. Staff who are
competent in data backup can try to use the NAS directly to backup data. The guidelines
to be followed in accessing NAS directly by staff are; first, installing the WinSCP client.
Secondly, reading the online documentation about NAS and attempting to connect. Any
challenges faced by staff in this process should be communicated to the office manager.
Laptops-Remote Workers: just like office workers remote workers should also backup
their laptops data monthly. At the end of the month, remote staff should put the month’s
files in the Amazon S3 bucket at https://aws.widget.customerprivatedata.bucket. The
remote workers should save the files in a folder and name the folder as
(YOURNAMECLIENTDATA). They should then contact one of their colleagues in the
office to transfer the folder and files to the file server.
Security Incident Reporting
If an employee believes that they are a victim of cyber-attack, they should follow the procedure
in the incident policy.
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
WIDGET ENTERPRISES 11
chevron_up_icon
1 out of 11
circle_padding
hide_on_mobile
zoom_out_icon
[object Object]