A. Integrity of Network Security
The new e-mail security policy will ensure that e-mail is used for business purposes and limits personal use. The policy also permits Softsearch to monitor employees' e-mails if required. The controls implemented by the e-mail policy will help prevent confidentiality breaches. However, the e-mail policy does not govern e-mail attachments. The policy should be enhanced with an attachment-specific statement to prevent employees from opening attachments from unknown sources and forwarding such attachments within the company network.
Internet policy prohibits employees from visiting indecent, illegal and pornographic sites, ...
| No. | Vulnerability | Threat | Risk | Likelihood |
|---|---|---|---|---|
| 1 | No network isolation of development platform | Unauthorized access, uncontrolled modification of software | Partner employee can gain unauthorized access to source code once connected to Softsearch network. | Likely |
| 2 | Co-hosted print, file & e-mail servers | Unauthorized disclosure, unauthorized access | Any user/employee with access to print, file or e-mail servers can obtain sensitive information. | Certain |
| 3 | Shared development platform across offices | Unauthorized access, uncontrolled modification of software | Partner employee can access all systems in development and modify software or access other development information. | Possible |
| 4 | Undocumented remote connectivity policy | Unauthorized disclosure, unauthorized access | No auditing or control of who can connect to network from where and for how long could result in partner employee getting access to Softsearch network & compromise confidential information. | Possible |
| 5 | Uncontrolled remote access | Unauthorized disclosure, unauthorized access | Partner employee can connect to Softsearch network remotely without any logging or auditing. | Possible |
Risk # 1:
Security of the Softsearch development platform is critical due to the nature of the business. The development servers are in a separate IP address range but are not isolated by a firewall or other security device. Once partner connectivity is established, partner employees can get access to all of Softsearch's development platforms, which may lead to a partner employee obtaining unauthorized access to Softsearch's proprietary software.
Risk # 2:
The print, fax and e-mail servers are co-hosted on the same physical server. This increases the risk of network intrusion because of the large number of open ports required and processes running on that server.
Risk # 3:
Employees can access the development platform from both locations. With a shared development platform, when Softsearch establishes network connectivity to the partner, all partner employees will potentially have access to all development platforms. This poses a greater risk to Softsearch's private data and source code.
Risk # 4:
Softsearch does not have an established remote connectivity policy. Without a documented remote connectivity policy, it will be difficult to regulate who can connect to the Softsearch network remotely, when remote connectivity is allowed and how remote connections are made. A partner employee can gain access to the Softsearch network remotely without any logging or auditing.
Risk # 5:
No system or platform exists to securely allow remote connectivity to the Softsearch network, so remote connectivity is not secured. The risk of data leak or unauthorized disclosure increases with unsecured remote...