
IT21- Group 3

• Identify the Objectives: Clearly define the goals and objectives of the information security policy.
• Scope: Determine the scope of the policy, specifying the systems, networks, and information it applies to.
• Standards and Guidelines: Establish the security standards and guidelines that need to be followed.

• Roles and Responsibilities: Define the roles and responsibilities of individuals involved in implementing and enforcing the policy.
• Legal and regulatory compliance: Ensure the policy aligns with relevant laws, regulations, and industry standards.

• Acceptable use: Specify acceptable and unacceptable use of information assets, including data handling and access restrictions.
• Risk Management: Integrate risk management principles to assess and mitigate potential threats and vulnerabilities.
• Incident Response: Include guidelines on incident reporting, escalation, and investigation procedures.

• Regular Review: Policies should be reviewed periodically to ensure they remain relevant and effective.
• Policy Update: Update policies in response to changes in the threat landscape, technology, or organizational requirements.

• Communication and training: Communicate policy changes to all relevant stakeholders and provide training to ensure awareness and compliance.
• Documentation: Maintain a centralized repository for policies and related documents, making them easily accessible.

• Access Controls: Implement mechanisms such as user authentication, authorization, and access privileges to prevent unauthorized access.
• Encryption: Use encryption technologies to protect sensitive data in transit and at rest.

• Security Awareness: Educate employees about security best practices, social engineering, and phishing attacks to mitigate human-related risks.
• Patch Management: Regularly apply security patches and updates to software and systems to address vulnerabilities.
• Network Segmentation: Divide networks into segments to limit the impact of a security breach and control access.

• Incident Detection and Reporting
• Incident Response Plan
• Forensic Investigation
• Evidence Preservation
• Recovery & lessons learned

• Incident Detection and Reporting: Establish mechanisms to detect and report security incidents promptly.
• Incident Response Plan: Develop an incident response plan that outlines the steps to be taken when a security incident occurs.

• Forensic Investigation: Conduct forensic analysis to determine the cause, extent, and impact of security incidents.
• Evidence Preservation: Ensure proper collection, preservation, and documentation of evidence for potential legal proceedings.
• Recovery & lessons learned: Restore systems to normal operations, conduct a post-incident analysis, and update policies based on lessons learned.

• Physical Security
• Network Security
• Internet Security
• Cloud Security
• Mobile Device Security

• Physical Security: Integrate physical security measures like access control systems, surveillance cameras, and secure facilities.
• Network Security: Implement firewalls, intrusion detection and prevention systems, and network segmentation to protect against unauthorized access and attacks.
• Internet Security: Deploy web application firewalls, secure coding practices, and secure communication protocols to safeguard online services and data.

• Cloud Security: Implement appropriate security controls and ensure compliance with cloud service provider policies.
• Mobile Device Security: Enforce policies for secure configuration, device encryption, and mobile application management.
