1.0       SOFTWARE

Software consists of written programs that operate the computer system and related devices. The University maintains two types of software, namely System Software and Application Software, acquired from and developed with third-party vendors under the applicable licences and agreements.

Whitman and Mattord (2011, p. 42) maintained the importance of an organization safeguarding all of its applications, especially those that are essential to it.

 

1.1       THREATS

 

MIS University runs web-enabled applications, which exposes it to diverse security risks. Because of rapid technological change, and because information security has usually been an afterthought for most software developers, the following threats have been identified:

 

1.      Software Defects/Technical failures: Defects are due to bugs in the software program and are a central and critical concern of computer security. Technical failures arise from misconfiguration of the software system.

 

2.      Software Attacks through viruses, worms, malware and Trojans. These attacks are perpetrated by cybercriminals to lure users of computer systems into parting with confidential information, or to destroy or interrupt software functionality.

 

3.      Unsophisticated behaviour of Users: installation of pirated software and the visiting of questionable sites by users of the computer system.

 

4.      Unpatched Software: failure to patch system and application software such as operating systems exposes the University to various forms of zero-day attacks.

1.2       RISK CLASSIFICATION BY LIKELIHOOD

Applying the rating scale above, the table below shows the likelihood of each threat occurring:

| THREATS                   | LIKELIHOOD OF OCCURRENCE                                                                   | LIKELIHOOD RATING |
|---------------------------|--------------------------------------------------------------------------------------------|-------------------|
| Defects/Technical Failures | Functionality errors due to bugs, code problems, unknown loopholes                        | 4                 |
| Software Attacks          | Attacks through worms, viruses, denial of service                                           | 5                 |
| Human Errors/Behaviours   | Illicit behaviour of users by installing pirated software and visiting questionable sites  | 5                 |
| Unpatched Software        | Failure to run patches released by third-party vendors                                      | 4                 |

 

1.3       IMPACT ANALYSIS

The impact analysis seeks to identify and assess the potential impacts of a disruption to the basic operations of the Institution. The impact caused by the listed threats results in financial and reputational losses. The table below shows the impact (likelihood rating in parentheses after each threat):

| THREATS TO SOFTWARE     | LIKELIHOOD OF OCCURRENCE | ASSET VALUE | IMPACT |
|-------------------------|--------------------------|-------------|--------|
| Attacks (5)             | 5                        | 5           | 125    |
| Human Behaviours (5)    | 5                        | 4           | 100    |
| Unpatched software (4)  | 4                        | 4           | 64     |
| Technical Failures (4)  | 4                        | 3           | 48     |

 

1.4       CONTROLS

From the impact assessment, threats in the form of Software Attacks and Human Behaviours pose the higher impact on the Institution's software. Whitman and Mattord (2011, p. 146) suggested five security strategies an organization may adopt to control the threats it faces. The Institution would adopt the following strategies:

1.      Defense

2.      Transfer

3.      Mitigation

 

1.4.1    DEFENSE

The Defense strategy consists of controls put in place to prevent the threats from occurring. The following controls have been adopted:

1.      Enterprise anti-virus software shall be updated with the current virus definition database at all times.

2.      Hard-to-crack passwords shall replace the default passwords of software programs before use (Khimji, 2014).

3.      Built-in security features of operating systems and application programs shall be utilized.

4.      Updates of all system and application software shall be carried out on a regular basis.

5.      A software firewall shall be installed on every host machine to prevent the injection of malware, spyware and adware into software programs.

1.4.2    TRANSFER

 

The Transfer control strategy seeks to shift the risk to other entities such as third-party vendors and insurance agencies (Whitman and Mattord 2011, p. 147). The controls adopted include the following:

1.      Service Level Agreement contracts with third-party vendors shall be maintained.

2.      A third-party security auditor shall be hired to perform a security audit of all software systems used by the University.

 

1.4.3    MITIGATION

 

These control strategies endeavour to limit the impact caused by the abuse of a system's vulnerability through preparation and proper planning. The following measures have been adopted:

1.      Periodic
penetration testing shall be carried out on all acquired or developed software.

2.      No
pilfered or unlicensed software shall be installed on individual machines.

3.      Adequate training programs shall be organized for staff on newly acquired software, together with its security ramifications.

4.      Periodic
security awareness training of system users shall be organized where current
trends of security risks would be highlighted.

5.      All systems shall be effectively monitored, with periodic review of logs.

6.      Honeypot systems shall be deployed in the Institution's DMZ to track the activities of a would-be intruder.

7.      Strict
enforcement and compliance of the Institution’s ICT Policy.


REFERENCES

 

Khimji, I. 2014, System Hardening: Defend Like an Attacker, Tripwire Inc, Oregon, viewed 12 December 2017, https://www.tripwire.com/state-of-security/vulnerability-management/defend-like-attacker

Whitman, M.E. and Mattord, H.J. 2011, Principles of Information Security, 4th edn, Cengage Learning.
