Denver International – Utilities and Engineering

Assignment Task

ABC Water Treatment and Purification

I have been asked to discuss the issues at Denver International with regard to its security policies and staff training. Throughout this proposal I will discuss the methods by which we will try to tackle the issues that they are having. The report makes suggestions for new staff, such as a CISO, and for making sure they have a contingency plan in place to ensure safety against any unexpected events that could occur. I will also discuss security policies that Denver should consider having in place and any user training that would help make the organisation more secure overall.

One issue that needs to change is that the organisation doesn’t have an InfoSec expert. Information security is important because it protects the organisation’s information assets from the threats that they face. Additionally, information security focuses on the protection of information and the characteristics that give it value, which include the CIA triad (confidentiality, integrity and availability), policy training and awareness programs. A recommendation for Denver would be to plan for InfoSec implementation to help with the issues that they are having, so therefore to plan for a in translating the overall strategic plan into tactical and operational security plans. Denver should employ a CISO (Chief Information Security Officer), who will create a strategic information security plan with a vision for the future of information security at Denver. Additionally, the role of the CISO is to understand the fundamental business activities performed at Denver and then, based on this understanding, to suggest the appropriate information security solutions that will protect these activities. The CISO will also develop action plans, schedules, budgets, status reports and other top management communications intended to improve information security within Denver. Finally, once the plan has been translated into IT and information security objectives within the tactical and operational plans, information security implementation can begin. I believe this would be very beneficial for Denver, as having an experienced CISO will help with the information security issues they are facing.

There are some factors that Denver may want to consider in order to make themselves more secure, and one of the recommendations would be for them to make sure they have an effective contingency plan in place. The reason that I recommend this is that they recently bore the brunt of a ransomware attack and were lucky enough to receive their systems back once they paid. However, if they had not got the data back, then without a good contingency plan in place they could have been in trouble. The fundamental of contingency planning is making sure that there are plans in place for unexpected events. There are four components for Denver to consider: a Business Impact Analysis (BIA), an Incident Response plan (IR plan), a Disaster Recovery plan (DR plan) and a Business Continuity plan (BC plan). I would suggest that Denver make sure that their DR and BC plans are very well done, so that if something like this were to happen again there would be measures in place to protect the data. Additionally, I believe that it would be a good idea for Denver to move all of the equipment to the same OS to ensure good security, because some old operating systems are more susceptible to attacks and receive less frequent patches to keep them secure.

Policies are an essential foundation of an effective security program; the success of an information resources protection program depends on the policy that is generated and the attitude of the management toward securing information on automated systems. Denver needs to have policies, standards and practices in place. A policy is a set of organisational guidelines which dictate certain behaviour within the organisation. A standard is a detailed statement of what must be done to comply with policy, and practices are examples of actions that illustrate compliance with policies.

A policy that I would recommend is the Enterprise Information Security Policy (EISP), which sets out the strategic direction, scope and tone for all of the organisation’s security efforts. There are many elements to the EISP, such as assigning responsibilities for the maintenance of InfoSec policies and setting out the practices and responsibilities of end users, as well as guiding the development, implementation and management requirements for InfoSec management and specific security functions. This relates specifically to Denver because by using this policy the organisation will be able to assign specific responsibilities to individuals, which will help them with the lack of experience that the employees have, as they will only have to worry about specific issues.

Moreover, I would recommend that Denver use the Issue-Specific Security Policy (ISSP), which is a policy that provides targeted guidance to instruct all members of the organisation in the use of a resource, such as one of its processes or technologies. The policy will help regulate the use of some technology or resource within the organisation; such policies are often referred to as fair and responsible use policies, which describes the intent of the policy to regulate proper use. The policy will also provide a common understanding of the purposes for which an employee can and cannot use the resource. The policy is effective and specific: it articulates the organisation’s expectations about how its technology-based system should be used. It also indemnifies the organisation against liability for an employee’s inappropriate or illegal use of a system. The reason Denver should consider this is that it suggests the use of access control credentials for users, which relates specifically to the organisation, as they don’t have any structured admin rights.

Additionally, another policy that could be recommended for Denver is the Systems-Specific Security Policy (SysSP). SysSPs appear more like procedures, and may often function as standards or procedures that should be used when configuring and maintaining systems. SysSPs can be separated into different sections. Managerial Guidance SysSPs are created by management in order to guide the implementation and configuration of technology; they apply to any technology that affects the confidentiality, integrity or availability of information. Likewise, there are Technical Specification SysSPs, which are the system administrator’s direction on implementing the managerial policy. There are two general methods of implementing such technical controls: access control lists and configuration rules. Currently Denver has no structured admin rights, and they also consider people to have way too many rights, so a recommendation to fix this would be the use of access control lists (ACLs). Access control lists would be important for Denver to include within their system because they will govern who has rights and privileges to different parts of the network. Additionally, ACLs can regulate who can use the system, what authorised users are able to access, when they are able to access the system, where they can access it from and finally how they can access the system. This is important because it will stop unauthorised users from accessing parts of the network that they should not be able to, and it would fix the issue of people having way too many rights, as they would only be able to do what the administrator has set out. Another reason that Denver needs to have access control lists in place is that they have no control over BYOD devices, which is a risk because you don’t know what kind of viruses or malware could be on such a device. These devices should therefore not be able to access the main system, as that could risk a malware infection from the user’s device. De Risio (2021) believes that one of the most important aspects of an ACL is the ability to prevent unauthorised users from accessing sensitive information.

I also believe that it is important for Denver to consider an acceptable use policy, even though they recently turned it down. An acceptable use policy is important because it stipulates the constraints and practices that a user needs to agree to in order to access the organisation’s network. The objective of the acceptable use policy is to set guidelines for what can be done on the system by a user, and this is important to consider from an information security standpoint because it outlines how users should conduct themselves when using the company’s network. There are several guidelines that should be included within the acceptable use policy. It should prohibit the download and dissemination of uncouth items. It should also have a template for emails that are sent from the company’s system. It must prohibit the searching, copying and sending of confidential material, and it should include advice for employees on inappropriate use of the IT systems and the penalties.

Denver needs to make sure that the policies that they include are effective. They ensure this by making sure the policies are developed using industry-accepted practices and are approved by management. Additionally, they need to distribute them using all appropriate methods, and make sure that the policies are read and understood by all employees, are agreed to, and are then enforced and applied throughout. Policy distribution can be accomplished through hard copy distribution or electronic distribution, and unless Denver can prove that the policy made it to the end users, it cannot enforce the policy. When distributing classified policies it’s important to ensure that there are additional levels of control, such as making sure that the document is labelled. The collection and destruction of old versions is also important, as it assures the confidentiality of information contained within the policy documents. It’s also important to make sure that the employees have understood what the policy means for them, so Denver could have some form of assessment to gauge how well the employees have understood the policy. Another important aspect is ensuring policy compliance: failure to agree to the policy is equivalent to refusing to work, so this would likely be grounds for termination. The final component for Denver to consider in the design and implementation of effective policies is uniform and impartial enforcement, which must be able to withstand external scrutiny. I believe that it would also be important for Denver to consider hiring a Policy Administrator, who will be responsible for the creation, revision, distribution and storage of the policy. Another important aspect for Denver to consider would be the review schedule of policies, as they can only be effective if they are reviewed periodically for currency and accuracy and then modified to ensure they are up to date.

Another critical point that Denver needs to consider is user training. This is important because it will help to prevent breaches, which would benefit Denver as they have already had a recent ransomware attack. It is also important because it will build a culture of security, which means building security values into the fabric of Denver. Moreover, user training can make technological defences more robust, which includes firewalls being turned on, software being updated and much more. Without proper security training for users, the technological defences that are in place can’t fulfil their potential. Training will also give Denver’s customers more confidence: consumers are becoming increasingly aware of cyberthreats and want to feel that their data is safe and secure, so it is important to make sure that the users are trained. It may also be beneficial for Denver to conduct research and find out what the employees already know, before wasting their time training users about issues they already understand. As discussed earlier with regard to contingency planning, there will be a need for user training because users will need to know what to do if a disaster were to occur. Additionally, they will need training in incident response so that if anything happens they know the right procedures to deal with the situation effectively. Some forms of training may seem generic, but it may be important to teach the basics: telling users not to access any websites that they should not, and to make sure that they are doing all the security and patch updates as well as antivirus scans so that the system is secure.

An important thing for Denver to consider with regard to information security training would be password security training, ensuring that users have strong passwords. A strong password must have some of the following traits. It must be of roughly 14 characters, because the length of the password can make it exponentially harder to brute force. It must also use multiple character sets, through a mix of uppercase, lowercase, numerals and symbols, which creates another level of complexity that makes it harder to crack. A strong password must not use complete words, which users often choose because they are easy to remember; this makes the password very easy for an attacker to break, because attackers add a dictionary attack to their password cracker script. Additionally, it is believed that a password should be changed regularly, because using the same password over and over again makes it more likely to be compromised. Hoffman (2016) suggests otherwise and believes that having a really strong password is just as effective, because having to regularly change passwords makes users choose weaker ones each time. One of the main issues is compliance, so I would recommend that Denver also use a password manager to ensure that users have strong passwords and stick to the guidelines for a strong password.

Further user training that might be effective for Denver is making sure that employees are aware of email and phone phishing scams. Employees need to know what phishing is, how it actually happens and what risks it can pose on a personal or company level. Denver also needs to make sure that the users are aware of the different methods of phishing attack, as well as how cybercriminals are able to find and use personalised information to achieve their goal. Users need to be able to recognise the signs of phishing attacks, such as emails with incorrect spelling and grammar, fraudulent emails and incorrect email addresses. The training needs to cover how to spot phishing links, attachments and spoofed emails, and what steps to take when a phishing attempt is identified. Another effective method may be to use phishing simulation training, through the use of these managed attacks you are able to gain which will allow you to identify how your business is at risk and the most significant risk, allowing you to customise the training. Jones (2021) suggests that users should hover over emails to make sure they go where they say that they go, as well as scanning any attachment before the user tries to open it to ensure it’s safe. This is an important aspect for Denver to consider because recently someone clicked on an unknown link and it caused a ransomware attack, so users need to know what to look out for in the future.

In conclusion, throughout the proposal I have made various recommendations for Denver which I believe they should consider because they will allow them to become more secure. A CISO will help develop effective security standards for the business to follow, and a contingency plan will help make sure that if a potential disaster were to occur, the business would have systems in place to ensure that it could continue. Likewise, in the report we suggested security policies because they are an essential foundation of an effective security program, and it is important to have them in place so that users know what they can and can’t do. Finally, we discussed the user training that would be needed throughout the organisation to ensure users are keeping themselves and the organisation safe.
