
FACULTY OF INFORMATION SCIENCE AND TECHNOLOGY

TIA2221 Information Assurance and Security

Assignment: Project Selection and Risk Plan

Team Report Form


Description of roles and contributions of each team member:
Table of Contents

Introduction
About the Organization
Problem of the Organization
Approach to Risk Assessment
Identify the Risks
Assess Risk Exposure
Ranking of Top 20 Risks
Risk Mitigation Plan


Introduction
WRP Asia Pacific Sdn Bhd is a manufacturing company based in Malaysia. WRP is a manufacturer of
surgical, examination, high risk and multipurpose gloves with coverage in every key market sector. The
company's factories meet and exceed the most stringent international quality and product standards.

About the Organization


WRP's success has come through close collaboration with its branded partners, whose strength in sales
and marketing brings its products to a wide base of customers. WRP builds long-term value for its
clients. WRP factories employ state-of-the-art technology, modern dipping lines and flexible packaging
options, including sterile and non-sterile. The company's on-site gamma sterilization facility and packaging
manufacturing plant ensure smooth, uninterrupted order processing from start to finish. The company
produces a very wide range of gloves with nitrile, chloroprene, polyisoprene and natural rubber latex
materials. It offers a comprehensive selection of colors, weights, textures, lengths and coatings.

Problem of the Organization


From our observation and interview with the key personnel of WRP Asia Pacific, we can identify that
WRP Asia Pacific Sdn Bhd has some major problems internally and externally. For example, the
company has a poor data backup plan, a limited storage server and employees who misuse the company's
network resources. These risks expose the company to data loss. Data loss can have many
consequences for the company, such as a financial crisis, reduced employee productivity, clients
losing faith in the company and more.

Approach to Risk Assessment


Identify the Risks
1. Using weak passwords encryption.
Password encryption is essential for securely storing user credentials in a database. Without password
encryption, anyone accessing a user database on a company's servers, including hackers, could easily view
any stored passwords. WRP Asia Pacific is still using salted MD5 to encrypt its passwords. MD5 is the
abbreviation of 'Message-Digest algorithm 5'. The MD5 algorithm is used as the encryption. MD5 is a fast
and memory-conserving algorithm. That means an attacker can compute the hash of a large number of
passwords per second.
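The speed point above can be measured directly. The following is an added example, not code from the report or from WRP: it times one salted MD5 pass against PBKDF2-HMAC-SHA-256, which is used here only as a contrasting, deliberately slow function and is an assumption of this example, as are the iteration count and all function names.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the slow comparison function (not from the report).
PBKDF2_ITERATIONS = 100_000


def md5_salted(password, salt):
    """One salted MD5 pass: the fast scheme the report says WRP uses today."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password, salt):
    """Deliberately slow derivation: PBKDF2_ITERATIONS rounds of HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def make_record(password, hash_fn):
    """Create a stored credential: a fresh random salt plus the digest."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)


def verify(password, record, hash_fn):
    """Recompute the digest and compare it in constant time."""
    salt, expected = record
    return hmac.compare_digest(hash_fn(password, salt), expected)


def seconds_per_hash(hash_fn, trials):
    """Average wall-clock cost of hashing one candidate password."""
    salt = os.urandom(16)
    candidates = ["candidate-%d" % i for i in range(trials)]
    start = time.perf_counter()
    for candidate in candidates:
        hash_fn(candidate, salt)
    return (time.perf_counter() - start) / trials


def compare_cost(md5_trials=20_000, pbkdf2_trials=5):
    """Return hashes per second for each scheme and the slowdown factor."""
    fast = seconds_per_hash(md5_salted, md5_trials)
    slow = seconds_per_hash(pbkdf2_sha256, pbkdf2_trials)
    return {
        "md5_per_second": 1.0 / fast,
        "pbkdf2_per_second": 1.0 / slow,
        "slowdown": slow / fast,
    }


if __name__ == "__main__":
    result = compare_cost()
    print("salted MD5   : %12.0f hashes/s" % result["md5_per_second"])
    print("PBKDF2-SHA256: %12.0f hashes/s" % result["pbkdf2_per_second"])
    print("slowdown     : %12.0fx" % result["slowdown"])
```

The salt makes two records for the same password differ, but it does not change the cost of a single hash, which is what the slowdown figure isolates.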

2. Don't have proper prevention for Distributed Denial-of-Service (DDoS) attacks.


A DDoS attack is an attempt to disrupt the traffic of a targeted server, service, or network by overwhelming
it with a flood of Internet traffic. By sending too many requests for information to a server, site, or
network, a DDoS can effectively shut down a server, leaving it vulnerable and disrupting the
business operations of the company.

3. Poor data backup plan.


WRP Asia Pacific does not have a proper data backup plan: the company has experienced data loss
several times. When important files and documents are lost, the company must spend time and resources
recreating or recovering these files to fill the gaps left by the loss.

4. Weak firewall system.


The company only has a basic firewall that forms a loose perimeter around the entire network,
providing a basic degree of protection to the entire company. Security patches are rarely applied to
the firewall. This is an issue that arises when network firewall software isn't managed properly.

5. Using a weak password policy.


WRP Asia Pacific uses a weak password policy. This means that employers and
employees are free to create their own passwords. If a weak, easy-to-break password is used, hackers can
use brute force, dictionary and username-derivation attacks to gain access to the company computers or
servers. This might further cause data loss, authentication system failure and compromised system security.

6. Server going down or crashing.


WRP Asia Pacific has experienced servers going down or crashing several times due to power outages and
other reasons. This might lead to data loss if the data is not updated immediately on the server, and
operations within the company might be affected or stop working.

7. Lack of IT Security employee training and awareness


WRP Asia Pacific lacks IT security employees and awareness. It has only a few employees in
its IT department. The company's information system is vulnerable to security threats because the
company lacks IT experts to maintain the information system.
8. Misuse of network resources
Employees are allowed to install any software on company computers without permission. The
employees might surf the internet and install unneeded software or media such as music and video. If
they are not careful when downloading something, this can lead to security breaches, overload the
network traffic and reduce the performance of the network.

9. Employees are not restricted to bring their hard drives.


WRP Asia Pacific’s employees can connect an external hard drive or a USB to the office PC that is
connected to the company’s network. Anything that can bring or transfer data from outside the network,
such as USBs, CDs, and Bluetooth, is a threat to the company. It could bring in a deadly virus, leak
sensitive data to outsiders or transfer illegal data to the machine.

10. Does not have multi factor authentication to enter the server room.
Only one form of security authentication, an access card, is required to enter the server room, which is
limited to a small number of important employees. All employees have their own access card to access their
department cabins. Sometimes there are errors when setting access on the card. An employee might also take
the access card of an employee who has access to the server room without that person's knowledge. Then, the
employee can easily access the server room, which can cause many problems.

11. Employees can download any software on the company desktop.


Downloads of illegal software are frequently stuffed full of dangerous malware. Once a user has
downloaded and installed cracked software, the malware hidden inside can steal information from their
computer. It can even go on to download more malware, making the problem much worse. It can
cause loss of data from the server.

12. Employees are not restricted to bring their own devices like laptops.
If WRP Asia Pacific lets employees use their own devices unchecked, it’s likely that some of the personal
applications they use may not be as stringent with their security requirements. If an account they have for
personal use is hacked, it could ultimately end up exposing corporate data and confidential information.
Cybercriminals are always looking for opportunities to steal potentially valuable corporate data, and
improperly managed personal devices can provide the perfect opportunity.

13. Does not perform vulnerability scan and penetration tests


Vulnerability scanners are used by most security teams to identify security flaws in their computer
systems, networks, applications, and processes. A penetration test, often known as a pen test, simulates a
cyber assault on a computer system in order to find exploitable flaws. The company does not perform
either of them.
14. Limited storage server
A storage server is a type of server that is used to store, secure, manage, and retrieve digital data and files.
WRP Asia Pacific has a limited storage server, so data may be lost when an employee performs a
routine data backup.

15. Using an old CCTV system


The company is using old CCTV cameras for surveillance to monitor employees and to avoid any
suspicious activity. The analog signals from the old CCTV camera can’t be encrypted, typically speaking,
meaning that it could be easier for unwanted eyes to view the signal.

16. Don't have a proper disaster recovery plan


The company did not have proper precautions and policies for a disaster recovery plan. This problem can
end in complete data loss, with the company losing daily income and employee productivity as
well.

17. Don't have a clear employment agreement for employees.


WRP Asia Pacific does not have precise and specific terms and conditions in its employee contract
agreement. As a result, the company will face problems, and it will be hard to sue employees when they
are involved in unethical activities like defamation, employee sabotage and spear phishing threats.

18. Ransomware attack


Ransomware attacks abuse encryption by locking legitimate users out of their sensitive data. This
typically happens when an employee downloads a file, installs a file from a USB drive, or falls victim to a
phishing email. After the malicious code is installed, the infection begins.

19. Employee sabotage


WRP Asia Pacific does not have a proper plan to tackle this problem. Employee sabotage can occur in
many companies. It can take different forms, such as equipment destruction,
computer viruses, poisoning, working slowly, stealing or purposely treating a client rudely. The reason
is that the employees are unhappy with something in their workplace, whether it be a supervisor, an
unreceived promotion, or disciplinary actions taken against that employee.

20. Financial loss


WRP Asia Pacific is using uninsured software and hardware. So, it could cause financial loss to the
company when there is a hardware failure or corrupted system.
Assess Risk Exposure
Risk exposure is the measure of potential future loss resulting from a specific activity or event. In this
part, we analyse the company's risk exposure by ranking risks according
to their probability of occurring multiplied by the potential loss if they do. By ranking the probability of
potential losses, the company can determine and find a balance between realizing opportunities and
minimizing potential losses.

To calculate risk exposure, we use this equation:


(Probability of risk occurring) X (Consequence of risk occurrence) = Risk exposure.
We rated the consequence of risk occurrence from 1 to 5 and the probability of risk occurring
from 0 to 1. The outcome value is rated as a risk level, which we divided into 5 levels:
negligible risk, minor risk, moderate risk, major risk and catastrophic risk.

| Negligible Risk | Minor Risk | Moderate Risk | Major Risk | Catastrophic Risk |
|---|---|---|---|---|
| 0.1 – 1.0 | 1.1 – 2.0 | 2.1 – 3.0 | 3.1 – 4.0 | 4.1 – 5.0 |

Columns: probability of risk occurring (0 - 1). Rows: consequence of risk occurrence.

| Consequence of risk occurrence | Almost Certain (0.9) | Very likely (0.7) | Possible (0.5) | Unlikely (0.3) | Rare (0.1) |
|---|---|---|---|---|---|
| (5) Loss of Data | 4.5 | 3.5 | 2.5 | 1.5 | 0.5 |
| (4) Financial crisis | 3.6 | 2.8 | 2.0 | 1.2 | 0.4 |
| (3) Client Dissatisfaction | 2.7 | 2.1 | 1.5 | 0.9 | 0.3 |
| (2) Poor quality of work | 1.8 | 1.4 | 1.0 | 0.6 | 0.2 |
| (1) Negative reputation | 0.9 | 0.7 | 0.5 | 0.3 | 0.1 |

Ranking of Top 20 Risks

| No. | Risk | Risk Level | Risk Rating |
|---|---|---|---|
| 1 | Poor data backup plan | 0.9 x 5 = 4.5 | Catastrophic Risk |
| 2 | Limited storage server | 0.9 x 5 = 4.5 | Catastrophic Risk |
| 3 | Misuse of network resources | 0.9 x 5 = 4.5 | Catastrophic Risk |
| 4 | Weak firewall system | 0.7 x 5 = 3.5 | Major Risk |
| 5 | Employees can download any software on the company desktop | 0.7 x 5 = 3.5 | Major Risk |
| 6 | Employees are not restricted to bring their own devices like laptops | 0.7 x 5 = 3.5 | Major Risk |
| 7 | Does not perform vulnerability scan and penetration tests | 0.7 x 5 = 3.5 | Major Risk |
| 8 | Using a weak password policy | 0.7 x 5 = 3.5 | Major Risk |
| 9 | Employees are not restricted to bring their hard drives. | 0.7 x 5 = 3.5 | Major Risk |
| 10 | Using weak passwords encryption | 0.5 x 5 = 2.5 | Moderate Risk |
| 11 | Don't have proper prevention for Distributed Denial-of-Service (DDoS) attacks | 0.5 x 5 = 2.5 | Moderate Risk |
| 12 | Does not have multi factor authentication to enter the server room. | 0.5 x 5 = 2.5 | Moderate Risk |
| 13 | Using an old CCTV system | 0.5 x 5 = 2.5 | Moderate Risk |
| 14 | Server going down or crashing | 0.7 x 3 = 2.1 | Moderate Risk |
| 15 | Don't have a proper disaster recovery plan | 0.5 x 4 = 2.0 | Minor Risk |
| 16 | Financial loss | 0.5 x 4 = 2.0 | Minor Risk |
| 17 | Ransomware attack | 0.5 x 3 = 1.5 | Minor Risk |
| 18 | Lack of IT Security employee training and awareness | 0.5 x 2 = 1.0 | Negligible Risk |
| 19 | Don't have a clear employment agreement for employees | 0.5 x 2 = 1.0 | Negligible Risk |
| 20 | Employee sabotage | 0.5 x 1 = 0.5 | Negligible Risk |

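
The exposure formula, the five risk-level bands and the ranking above can be kept as a small risk register that recomputes every score and flags any rating that disagrees with its band. This is an added example, not part of the original report; the function names are assumptions, while the probabilities, consequences and ratings are copied from the ranking table.

```python
from decimal import Decimal

# Risk-level bands exactly as given in the report: (lower, upper, label).
BANDS = [
    (Decimal("0.1"), Decimal("1.0"), "Negligible Risk"),
    (Decimal("1.1"), Decimal("2.0"), "Minor Risk"),
    (Decimal("2.1"), Decimal("3.0"), "Moderate Risk"),
    (Decimal("3.1"), Decimal("4.0"), "Major Risk"),
    (Decimal("4.1"), Decimal("5.0"), "Catastrophic Risk"),
]

# (risk, probability, consequence, rating stated in the ranking table)
REGISTER = [
    ("Poor data backup plan", "0.9", 5, "Catastrophic Risk"),
    ("Limited storage server", "0.9", 5, "Catastrophic Risk"),
    ("Misuse of network resources", "0.9", 5, "Catastrophic Risk"),
    ("Weak firewall system", "0.7", 5, "Major Risk"),
    ("Employees can download any software", "0.7", 5, "Major Risk"),
    ("Employees can bring their own devices", "0.7", 5, "Major Risk"),
    ("No vulnerability scan or penetration test", "0.7", 5, "Major Risk"),
    ("Weak password policy", "0.7", 5, "Major Risk"),
    ("Employees can bring their hard drives", "0.7", 5, "Major Risk"),
    ("Weak password encryption", "0.5", 5, "Moderate Risk"),
    ("No proper DDoS prevention", "0.5", 5, "Moderate Risk"),
    ("No multi factor authentication for server room", "0.5", 5, "Moderate Risk"),
    ("Old CCTV system", "0.5", 5, "Moderate Risk"),
    ("Server going down or crashing", "0.7", 3, "Moderate Risk"),
    ("No proper disaster recovery plan", "0.5", 4, "Minor Risk"),
    ("Financial loss", "0.5", 4, "Minor Risk"),
    ("Ransomware attack", "0.5", 3, "Minor Risk"),
    ("Lack of IT security training and awareness", "0.5", 2, "Negligible Risk"),
    ("No clear employment agreement", "0.5", 2, "Negligible Risk"),
    ("Employee sabotage", "0.5", 1, "Negligible Risk"),
]


def exposure(probability, consequence):
    """Probability (0-1) x consequence (1-5), computed in decimal arithmetic.

    With binary floats 0.7 * 3 evaluates to 2.0999999999999996, which falls
    just below the 2.1 lower bound of the Moderate band; Decimal avoids that.
    """
    p = Decimal(str(probability))
    if not Decimal("0") <= p <= Decimal("1"):
        raise ValueError("probability must be between 0 and 1")
    if consequence not in (1, 2, 3, 4, 5):
        raise ValueError("consequence must be an integer from 1 to 5")
    return p * consequence


def rating(score):
    """Map a score to its band; scores in a gap between bands are rejected."""
    for lower, upper, label in BANDS:
        if lower <= score <= upper:
            return label
    raise ValueError("score %s falls outside the report's bands" % score)


def rank(register):
    """Sort by exposure, highest first; ties keep their original order."""
    return sorted(register, key=lambda r: exposure(r[1], r[2]), reverse=True)


def audit(register):
    """Return entries whose stated rating disagrees with the computed one."""
    mismatches = []
    for name, p, c, stated in register:
        computed = rating(exposure(p, c))
        if computed != stated:
            mismatches.append((name, stated, computed))
    return mismatches


if __name__ == "__main__":
    for number, (name, p, c, _) in enumerate(rank(REGISTER), start=1):
        score = exposure(p, c)
        print("%2d  %-48s %s x %d = %s  %s" % (number, name, p, c, score, rating(score)))
    print("rating mismatches:", audit(REGISTER))
```

Because the bands are written to one decimal place, a probability with two decimals can produce a score such as 1.05 that belongs to no band; the code raises an error for it instead of guessing.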

Risk Mitigation Plan

1. Using weak passwords encryption.


Mitigation Plan
WRP Asia Pacific should upgrade its password encryption to a better one, namely the Advanced
Encryption Standard (AES). AES is very secure encryption, and it brings additional security because it
uses a key expansion process in which the initial key is used to come up with a series of new keys called
round keys. These round keys are generated over multiple rounds of modification, each of which makes it
harder to break the encryption.
Monitoring plan
The company should monitor all network access. The ability to automatically discover, map and track
what is deployed across the entire company infrastructure provides a picture of the network in real time.
Recovery plan
If an attacker decrypts the passwords and the company is breached, the important step is for the company
to isolate the affected machines. This step enables law enforcement agencies to perform analysis that may
help them identify the attacker and the vector of attack.

2. Don't have proper prevention for Distributed Denial-of-Service (DDoS) attacks.


Mitigation Plan
WRP Asia Pacific should create a Denial-of-Service Response Plan. The company also needs to secure
infrastructure with DDoS Attack Prevention Solutions. The company can equip the network, applications,
and infrastructure with multi-level protection strategies. This may include prevention management
systems that combine firewalls, VPN and anti-spam.

Monitoring plan
The company should use a monitoring system to display the traffic statistics across its entire stack and
help it identify any anomalies 24/7. The system can also identify an ongoing attack and send
alerts to the administrators.
Recovery plan
First of all, once the attack is over, the company needs to analyse the details of the attack from the
internal network and application system logs and try to upgrade the DDoS defences. Then, it should perform
a network vulnerability assessment to identify weaknesses in its networks. Finally, it should patch up the
company infrastructure to be better prepared for a DDoS attack in future.

3. Poor data backup plan.


Mitigation Plan
The company can back its data up to on-premises drives. For a more effective backup plan, the company
can back up its data to an off-premises server. Backing up the data to multiple off-premises locations can
add further layers of security to the data.
Monitoring plan
The company should run regular live backup tests to ensure its data is verified, safe, and secure at all
times. Regular monitoring also helps the company to keep track of any software or hardware changes that
may have an impact on data backups.
Recovery plan
The company should develop a contingency plan. The contingency plan must detail the role
and responsibility of each department during the data recovery process. Clear procedures to be followed
to restore IT systems in the event of an emergency are also a must.
4. Weak firewall system.
Mitigation Plan
The company needs to use multiple firewalls, which are most commonly used to segregate networks of
different sensitivity levels. For example, the company can use a series of layered firewalls to provide
different zones of security for various types of users.
Monitoring plan
The company can implement Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
on the firewall network. IDS monitors traffic on the network, analyses that traffic for signatures matching
known attacks, and when something suspicious happens, the company will be alerted. In the meantime,
the traffic keeps flowing. IPS also monitors traffic. But when something unusual happens, the traffic stops
altogether until the company investigates and decides to open the floodgates again.
Recovery plan
If the network is breached, identify the main causes of the problem. The best fix for this problem is to
create and stick to a strict security patch management schedule. Under such a schedule, the person who
manages cybersecurity should check for any and all security updates for the firewall software and make
sure to apply them as soon as possible.

5. Using a weak password policy


Mitigation plan
IT personnel should set up rules that require employees to create and use stronger passwords. Passwords
written on paper in case employees forget them should be kept in a safe place or
carried by the employees themselves. If a login fails more than three times, the login should be disabled
to prevent brute-force attacks.
Monitoring plan
Employers should ensure their production software, servers and company computers use strong password
policies that require employees to create passwords containing uppercase and lowercase letters, symbols
and numbers. They should also make sure no login credentials are left at employees' working areas.
Recovery plan
If unauthorized access is made using an employee's account, the computer should be isolated from
the company network and servers. Passwords and login credentials should be changed immediately if the
account can still be accessed. Check the system to ensure there is no further unauthorized access before
connecting back to the company network and server.
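
The two rules in the mitigation and monitoring plans for this risk (required character classes, and disabling a login that fails more than three times) can be enforced in code as sketched below. This is an added example, not part of the original report; `LoginGuard`, `policy_violations`, the stub credential check and the 12-character minimum length are assumptions of the example, since the report sets no minimum length.

```python
import hmac
import string

MAX_FAILURES = 3   # report: disable the login when it fails more than three times
MIN_LENGTH = 12    # assumption of this example; the report sets no minimum length


def policy_violations(password):
    """Return the list of policy rules the password breaks (empty if none)."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than %d characters" % MIN_LENGTH),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no number"),
        (any(c in string.punctuation for c in password), "no symbol"),
    ]
    return [message for passed, message in checks if not passed]


class LoginGuard:
    """Counts consecutive failed logins per account and disables the login."""

    def __init__(self, verify, max_failures=MAX_FAILURES):
        self._verify = verify          # callable(username, password) -> bool
        self._max_failures = max_failures
        self._failures = {}            # username -> consecutive failures
        self._disabled = set()

    def attempt(self, username, password):
        # A disabled login is refused before the password is even checked,
        # so further guesses learn nothing about the credential.
        if username in self._disabled:
            return "disabled"
        if self._verify(username, password):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count > self._max_failures:
            self._disabled.add(username)
            return "disabled"
        return "failed"

    def reset(self, username):
        """Re-enable a login, for IT personnel after the account is reviewed."""
        self._disabled.discard(username)
        self._failures.pop(username, None)


def demo():
    """Run a constructed sequence of attempts against a stub credential check."""
    def verify(username, password):
        # Constructed stand-in for the real credential store (hypothetical).
        return username == "alice" and hmac.compare_digest(
            password.encode("utf-8"), b"Gl0ve!Factory2022"
        )

    guard = LoginGuard(verify)
    attempts = ["guess1", "guess2", "guess3", "guess4", "Gl0ve!Factory2022"]
    return [guard.attempt("alice", password) for password in attempts]


if __name__ == "__main__":
    print(policy_violations("password"))
    print(demo())
```

In the constructed run, the fourth failure disables the login, so the correct password on the fifth attempt is refused until `reset` is called.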

6. Server going down or crashing


Mitigation plan
The company should train on-site staff to be able to respond to server problems before, during and after
an outage. Data should be backed up regularly to guard against sudden server outages and data loss. The
data center that houses the servers should be in a safe location, and multi-factor access control must be
implemented to prevent unauthorized access.
Monitoring plan
The company should check primary and backup power systems regularly to ensure the system can carry the
full electrical load. Backups should also be checked regularly to ensure that they are available for
recovery if the server goes down. Employees in charge should always ensure that no unusual activities are
taking place on the server.
Recovery plan
The company should identify the root cause of server crashes and use the secondary or backup server to
continue company services. Then, it should immediately start to recover the primary server.

7. Lack of IT Security employee training and awareness


Mitigation plan
Employers or heads of department should hold security awareness training so that employees
know what they shouldn't do, such as clicking on links in phishing emails. They should also develop
a disaster recovery plan that provides instructions for employees to restore the normal operations of
the company as soon as possible. Supervisors or senior employees can be assigned to monitor new
employees.
Monitoring plan
Employers could check on employees and ask them some questions about security awareness. They
should also check whether antivirus, firewalls and other security software are available
and working on the computers. Phishing emails can also be sent to employees to test their awareness.
Recovery plan
Disconnect the computers from the company network and server. Scan the computer and check which
data has been altered and whether any malware has been installed. Change the login credentials and attempt
to recover the data. Report the situation to the higher-ups.

8. Misuse of network resources


Mitigation plan
Employers should keep log files that record employees' activity, and employees must not be authorized to
change the log files. If security breaches happen, they can be traced back to the root cause. Employers
should also manage network access to prevent employees from browsing non-secure websites.
Monitoring plan
Employers should check employees' activity logs and stop employees from browsing non-secure
websites. They can also use the installed CCTV to monitor employees' activities.
Recovery plan
If security breaches happen, isolate the computer from the company network and change login credentials
to prevent further unauthorized access. Scan the computer with antivirus and anti-malware, check for
alteration of data and recover it. If the network traffic is overloaded, employees need to stop some
unnecessary access.

9. Employees are not restricted to bring their hard drives.


Mitigation plan
The company should tighten its rules so that employees are not allowed to bring hard drives. Employees who
bring them should be punished with a fine or a one-week suspension.
Monitoring plan
The employee in charge should monitor by using HddLed software. It will indicate whether employees
have plugged in a hard drive or not. This is an easy way for the person in charge to monitor.
Recovery plan
The organization should install antivirus software on all PCs and servers. Moreover, IT department managers
should brief all employees on how serious the impact of using hard drives in company
PCs is.

10. Does not have multi factor authentication to enter the server room.
Mitigation plan
Both single and multi-door applications can use PIN, credential card, or biometric options. With two-
factor authentication, a person attempting to enter the room must present two forms of identification. If a
credential card were lost, for example, it could not be used by the wrong person to enter the server room.
The credential card must be presented in tandem with a PIN or biometric credential before the door will
unlock.
Monitoring plan
The company can appoint a person to monitor the server room. It can install CCTV cameras in the server room
and monitor the room through the cameras. If there is any problem, the person in charge can
immediately take action.
Recovery plan
The company can change the access card authentication used to enter each employee's respective cabin to
a biometric option. That way, employees can only access their own cabin and cannot enter the server room.

11. Employees can download any software on the company desktop.


Mitigation plan
Uninstall all web browsers and give access only to the company software, so that employees cannot
access a web browser and download anything to the PC. Employees can only log in using employee
authentication and use a PC that is installed with company software, and cannot access any other
software.
Monitoring plan
The company should use Controlio software to monitor staff PCs. If staff download or use any other
software, the software will alert the admin, who can then take
action.
Recovery plan
If an employee downloads any software, first isolate the computer from the company
network. Then scan the computer with antivirus, check for alteration of data and recover it.

12. Employees are not restricted to bring their own devices like laptops.
Mitigation plan
If the employee wants to bring their own laptop, they should get permission from the head of department
and IT department Manager. They should prepare a letter with valid reason and get signatures from the
head of department and IT department manager.
Monitoring plan
The company should install CCTV cameras in every department. They should be in every place so that
security personnel can monitor and control all the employees.
Recovery plan
The company management will take severe action against an employee who brings their own laptop without
the permission letter, so that other employees do not repeat the same mistake.
13. Does not perform vulnerability scan and penetration tests
Mitigation plan
The company should hire security teams to identify security flaws in its computer systems, networks,
applications, and processes through vulnerability scanning and penetration testing.
Monitoring plan
The company should use vulnerability scanning tools. On wired or wireless networks, network-based
vulnerability scanners discover potential network security assaults and susceptible systems. Host-based
vulnerability scanners are used to discover and identify vulnerabilities in servers, workstations, and
other network hosts, as well as providing further visibility into the scanned systems' configuration settings
and patch history.
Recovery plan
If the company wants to do penetration testing regularly, it can use a penetration testing tool with the
capacity to look at the tiniest details of actions across a network. Capturing data packets allows the
company to investigate a variety of characteristics, such as the source and destination protocol. This
lets it examine security, identify holes, and put a defense in place.

14. Limited storage server


Mitigation plan
The company requires equipment racks, as well as the appropriate servers, storage devices, power
systems, network connectivity, and a proper working environment for on-site data storage. The company
will also require sufficient floor space for the storage equipment rack, as well as, most likely, a raised
floor.
Monitoring plan
The company should form an IT team to manage storage, covering infrastructure, operations, governance, any
residual data center operations, architecture, security, storage and networking, and to help create and
manage the virtualized platform.
Recovery plan
If the company still has difficulties with storage capacity, it can use cloud storage, which manages
data storage and can decrease or eliminate the requirement for hardware infrastructure while also saving
money.

15. Using an old CCTV system


Mitigation plan
The company needs to replace outdated CCTV cameras with new CCTV cameras so that it can
view real-time footage whenever needed and so that monitoring can be done quickly from a distant
computer, mobile phone, or tablet.
Monitoring plan
The company can also hire an extra person to keep an eye on all real-time footage.
Recovery plan
The company should back up the CCTV footage for future access if something occurs that needs to be
investigated. For the backup, the company can use cloud storage, because current CCTV cameras record
in higher resolution, meaning larger files, so the company needs a lot more storage space than its hard
drives provide to accommodate them.

16. Don't have a proper disaster recovery plan


Mitigation plan
All of the company's IT resources must be audited. Building a disaster recovery strategy for the company
is one thing, but creating an inventory of all of the IT resources on the company network and copying
every bit of data from every IT asset on the network to a backup server is another.
Monitoring plan
The company needs to hire a dedicated IT team to handle the disaster recovery plan, mainly to back up
data frequently and do regular backup testing.
Recovery plan
The company should not rely only on external hard drives or portable devices for backing up its data.
These devices are easily destroyed, particularly if there's a natural disaster. At a minimum, critical
data should be stored in the cloud and there should be access to a second server.
17. Don't have a clear employment agreement for employees.
Mitigation plan
The company should create a new, specific employment agreement aimed at protecting things
like important company data, marketing strategies, product prototypes, company research data and client
details.
Monitoring plan
Keep employees well aware of the employment agreement and of the fact that the security system keeps the
devices under watch in case of an unwanted act. Employees will then avoid getting involved in unwanted acts
because they know the company will sue them.
Recovery plan
Make sure that the company contract lists the action to be taken if an employee
violates one of the conditions that he or she agreed to.

18. Ransomware attack


Mitigation plan
The company can conduct security awareness training to reduce the chance of suffering a ransomware
attack. By training employees to avoid phishing and typosquatting, the company can often prevent an
attack before it even happens. The company can also add layers of protection by using content
filter software rather than depending on the default content filtering of the email providers.
Monitoring plan
The company needs to monitor and ensure that it is keeping all IT systems and servers up to date with
the latest patches.
Recovery plan
The first and most important thing is to isolate the infected systems from the network. Immediately
disconnect from the network and consider powering the machine off. Finally, the company needs to
make sure the ransomware does not spread to other devices because, as with any type of malware, that
causes more damage and chaos.

19. Employee sabotage


Mitigation plan
Employees sabotage their workplace because they are unhappy with something in it, whether it be a
supervisor, an unreceived promotion, or disciplinary actions taken against that employee. So, the
company can be fair and have some level of honesty with the employees to avoid misunderstanding.
Make sure the employees are well aware of their roles and responsibilities.
Monitoring plan
Make sure the employees are well aware that they are kept under watch, and that the systems and devices
are each protected by a security login. Have security cameras in the workplace and at the
company's sensitive places.
Recovery plan
The company should constantly make sure that the company devices are backed up and that each device is
updated often.

20. Financial loss


Mitigation plan
The company should take out Electronic Data Processing insurance because it covers damage to computers,
media and data. This insurance can cover damage caused by electrical disturbance, mechanical
breakdown and also computer viruses or hacking.
Monitoring plan
The company should review the insurance policy when it is renewed every year because of new
changes in the policy. IT personnel always need to be alert and should contact the insurer's agent
immediately when something happens in order to get compensation for the damages.
Recovery plan
If something happens to company hardware and software, the company can contact the insurer to claim
the replacement cash value based on the policy.

Appendix

Interview Questions:

1. What are the services basically provided by your company?
2. Tell us about the IT Department of your company.
3. How do you manage your company during this pandemic and are there any employees who work from home?
4. Is this company secured with CCTV cameras?
5. Is there any disaster recovery plan?
6. Are the employees restricted from bringing their own devices like laptops and tablets?
7. Are the employees restricted from bringing their hard drives such as pen drives or hard disks?
8. Are your company PCs secured with any antivirus software?
9. How many servers are used in this company?
10. Did you experience a server going down or crashing in your company?
11. Are the employees trained to back up their data?
12. Do the employees need permission to install software on company computers?
13. Are the passwords being encrypted and stored in a secure location?
14. Do passwords use a weak or strong password policy?
15. Does the company have firewalls to monitor incoming and outgoing network traffic?
16. Are employees still able to access the company system after resignation?
17. Do the employees require a password to access important data?
18. Does your company have any method of preventing Denial-of-Service (DoS) attacks?
19. Does your company have a clear employment contract for employees to protect your company from employee sabotage or spear phishing threats?
20. Tell me about the last time you monitored or reviewed information and detected a problem. How did you respond?
