As a security manager or administrator of a fictitious company, write a Security Plan Proposal as a project draft document.
Briefly provide an overview/description of your fictitious company.
Identify and discuss the importance of risk assessment to the organization’s security framework. Discuss the five layers of risk.
INTRODUCTION AND BACKGROUND
---------------------------
Mipro (formerly Medieval India Palm Refined Oil Limited, legally
Mipro Limited) is an Indian multinational corporation that provides
information technology, consulting and business process services.
It is headquartered in Bangalore, Karnataka, India. In 2013, Mipro
separated its non-IT businesses and formed the privately owned
Mipro Enterprises.
Mipro Limited is a provider of IT services, including Systems Integration, Consulting, Information Systems outsourcing, IT-enabled services, and R&D services.
Mipro entered into the technology business in 1981 and has over 160,000 employees and clients across 110 countries. IT revenues were at $7.1 billion for the year ended 31 March 2015, with a repeat business ratio of over 95%.
INFRASTRUCTURE
--------------
The goal of infrastructure is to narrow risk by creating concentric
circles of protection. Emergency preparedness and response must be
woven into every aspect of the learning space.
Security Camera System
-----------------------
Decentralized camera systems exist on each campus, largely
utilizing analog technology. Analog technology offers a lower grade
picture quality than IP cameras and camera systems.
In order to provide full coverage, main campus is expected to
require 96 cameras.
Security Fencing
-----------------------
Main campus lacks security fencing around the perimeter of the site
or around specific site features such as playgrounds, temporary
buildings and parking lots. Facilities Department team members have
estimated the need for up to 36,000 linear feet of fencing.
Campus Emergency Generators
------------------------------
Emergency generators will be installed at each campus to provide
back-up power for phone systems,
critical lighting, cold food storage areas, and other identified
essential outlets.
Wireless Network Coverage
--------------------------------------
The company does not have 100% wireless network coverage at each
campus and branch offices.
Campus Emergency Notification System
-------------------------------------------------------
A campus emergency notification system will alert all staff members
at main campus and branch offices that an emergency is approaching
and evasive action is required. The plan is to use a notification
system that delivers an emergency message from a single point of
contact, to each computer screen where an incident is occurring, as
well as utilizing LED message boards in common areas to broadcast
notifications and directions. This notification system requires an
acknowledgement on the part of the recipient, ensuring the
emergency message was delivered. Delivering an emergency message
through this type of
emergency notification system is much faster than the traditional
phone tree method currently in place.
-----------------------------------------------------------------------------------
Cybersecurity policy
--------------------
Cyber criminals aren’t only targeting companies in the finance or
tech sectors. They’re threatening every single company out
there.
The increasing frequency of high-profile security breaches has made
C-level management more aware of the matter. This is an important
step, but one of many. External attacks are frequent and the
financial costs of external attacks are significant.
We need the following things to deal with the problem:
1. Establish cybersecurity governance.
2. Protect company networks and information.
3. Encrypt the files.
4. Use multiple layers of protection.
5. Protect the client information and funds transfer requests.
The following are the things that need to be done to protect
the company:
1. Creating an application portfolio for all current applications,
   tools, and utilities.
2. Documenting security requirements, policies, and procedures.
3. Establishing a collection of system architectures, network
   diagrams, data stored or transmitted by systems, and interactions
   with external services or vendors.
4. Developing an asset inventory of physical assets (e.g., hardware,
   network, and communication components and peripherals).
5. Maintaining information on operating systems (e.g., PC and server
   operating systems).
6. Information about:
   a. Data repositories (e.g., database management systems, files,
      etc.).
   b. Current security controls (e.g., authentication systems, access
      control systems, antivirus, spam controls, network monitoring,
      firewalls, intrusion detection, and prevention systems).
   c. Current baseline operations and security requirements
      pertaining to compliance of governing bodies.
   d. Assets, threats, and vulnerabilities (including their impacts
      and likelihood).
   e. Previous technical and procedural reviews of applications,
      policies, network systems, etc.
   f. Mapping of mitigating controls for each risk identified for an
      asset.
The 5 layers of risk
---------------------------
Layer 1 concerns external risks. These risks can close your
business both directly and indirectly. They include events such as
natural disasters, like flooding and hurricanes, and risks from
manufactured objects, such as railroads or airplanes. When these
events occur, they disrupt not only our own employees but also our
customers and suppliers.
Layer 2 examines risks to your local facility. Risks like these can involve anything from one or two buildings to everything at that site. They can be due to the way your office was constructed or the results of severe weather or medical emergencies, and they also include basic service outages such as loss of electrical power and telephone access to your building.
Layer 3 is your data systems organization. Throughout your organization there are computers sharing information and performing other functions. In addition to operations issues, loss of data can lead to legal problems. Data systems deserve their own layer since in most companies, if the computers stop working, so do the people.
Layer 4 is the individual department. Each department has critical functions to perform to meet its production goals and weekly assignments. Each department needs to identify the critical programs and tools needed to perform weekly tasks. These risks may not threaten the company’s primary functions, but over time they can severely impact the overall performance.
Layer 5 is your own desk area. If you are unable to complete your tasks and do your job, it may not stop the company from operating, but it does add a lot of unnecessary stress to your life. Typically the risk assessment you perform on your own job will be more detailed, since you know more about it, making it easier for you to take time off and recover from the crisis.