Security Development Policy
Chaston Carter
Human Factors in Security
03/11/17

As the new chief officer of Multiple Unite Security (MUSA), it has been brought to my attention that the company has a very low security posture. In the midst of reviewing some of the weak points this company possesses, I was able to meet with a team member. This team member showed me a very eye-opening presentation emphasizing the importance of having a security awareness program. This program is much needed for a company as big as this one, and there were a couple of security gaps this company had that needed to be fixed immediately.

To mitigate some of the gaps the company has, I have come up with some security policies as part of a solution to fill them. One of these is a very extensive six-month training course going over all types of cyber security awareness factors. This training course will cover all the risks we potentially face when accessing our computers or any other websites. It will cover a long list of phishing attacks, such as email phishing attacks, in which an attacker sends out thousands of fraudulent messages and may be able to retrieve significant information and large sums of money, and spear phishing attacks, which target a specific person or enterprise as opposed to random application users. This type of attack is usually a more in-depth version of phishing that requires special knowledge about an organization, including its power structure. There are many other phishing attacks out there, and our training course will bring awareness to all types of threats and also to what we can do to protect ourselves from these phishing attacks. Two-factor authentication will most definitely be a part of our solution; it is proven to be the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications.
It accomplishes this with a second layer of protection that relies on the user providing something they know, such as a password or username only they would know, and it also strongly encourages the use of strong passwords.

Within this training course, there will be a separate course for managers and employees in higher authority to discuss a configuration change policy to be put in place. This policy will cover the permissions each employee should have and how to determine which ones to assign to whom. All employees will get a better understanding of certain configuration settings on certain networks and why they should only be changed by a superior, unless permission is given. By giving only certain employees certain permissions, this will eliminate the risk of potential threats to the company as a whole.

We will discuss the possibility of creating some type of intrusion detection program to alert us, as well as employees, when their computers are at risk from potential threats, along with prevention tips the user can apply to prevent these intrusions. I have noticed that there hasn't been any logged information collected from employees on the daily tasks they completed or worked on. This type of information is very important and is collected for an important reason: if a certain activity is worked on by an employee and an attack is reported, this could tie that attack to that employee and possibly be the solution to the threat itself. This program will express the importance of collecting this data and how it can be analyzed to prevent future attacks as well.

Media access control policies will play a major role in this awareness program. It is a requirement that these be put in place for all employees.
This policy will limit the everyday employee's usage of the company's internet access across the board, whether for mobile phones, tablets or any other media devices that can be connected to the internet. These types of connections usually slow down the company's bandwidth and could ultimately affect the daily tasks we are actually supposed to complete, which delays overall performance.

Encryption and hashing will play a very important role as well when handling certain data. This program will discuss the importance of encryption and why it is extremely important to encrypt certain data flows to the point where unauthorized readers and hackers find them difficult to decipher. We will discuss two major key points on this subject in two different classes. The first is "What is Encryption?", where we will discuss passwords, server locks, firewalls and removable storage, and all other means of securing data. The second is "How Does Encryption Work?", where the process will be explained using real algorithms that convert data into codes so complex that the most powerful computers would take years to break them. Only a person or computer who has the correct key can quickly decrypt the information, or put it back into its original form. The decryption key is another algorithm, which will also be discussed, that reverses the process of the encryption algorithm. We will have two weeks to discuss the two different types of encryption, symmetric and public key encryption, so this will be heavily enforced.

To my understanding there is a vulnerability assessment being conducted, which is very good, but it looks as if one is conducted only every three years. I will explore the pros and, more so, the cons of conducting this every three years versus every year. The more frequently MUSA runs this assessment, the more up to date it will be on what errors or issues the company faces with respect to future threats.
Without knowing the status this company is in, it becomes harder each day to know what threats are ahead, given that we know the posture is low.

This program will hold a conference meeting at the end of every month with employees so they can express their planning strategies for approaching their daily work. I will get a full understanding of each employee's specific work plan to determine what works for the company and what doesn't. Not only will I get to listen, but other employees might possess a similar workflow and can all get positive feedback and criticism at once. Based on the feedback I receive from each employee, I will develop a strategic plan on how I can make employees more comfortable in the workplace and on which specific areas they need extensive help in. This will ultimately lower the turnover rate for the company and help the company grow in knowledge, prevention tools and higher morale standards.

It has been brought to my knowledge that a high number of thefts has been reported in this company by employees. This is completely unacceptable, and there will be legal action put in place to stop any future theft. In order to prevent things like this, a new security policy will be put in place. Each and every electronic device will be stamped, given a specific barcode and put into a private database to keep track of every device in the inventory. Not only will the inventory be watched, but the company will be as well. I will install new cameras in all areas of the building where certain assets are stored to prevent any more thefts. All security incidents reported from here on out will be taken extremely seriously, and there won't be any slap on the wrist for any employees, no matter how disgruntled any of them are.

Second to last, to end this program I will develop a plan for mandatory vacation and express the reasoning for this to supervisors and other positions of higher authority.
I will express the need for vacation both for the employees, as it gives them a break from work that could otherwise affect their mental state when completing their daily duties, and for the company, which ties back to collecting data on each employee: logged information is analyzed to determine who was present when certain threats occurred and who was not, which helps the process of elimination of who could potentially have played a part in the threat.

Lastly, I will express the importance of segregation of duties and its two main purposes, which are:

1. To ensure that there is oversight and review to catch errors (at all times).
2. To help prevent fraud or theft, because it requires two people to collude in order to hide a transaction.

Segregation of duties includes three main functions, and these will have to be implemented by three different employees. The duties include the following:

1. Having complete access to and custody of company assets.
2. Being able to authorize the use of assets for every employee.
3. Having the duty to record all company assets.

I will express to the new employees why this should be implemented as much as possible. In some cases it may result in an employee from another department being responsible for one of the functions.

In conclusion, this program will be put in place to help the company grow as a whole and be able to easily identify threats as they approach on a daily basis. My ultimate goal is to get the company's security posture back in good standing by providing enhanced solutions to the specific security gaps stated in this program, while also providing best practices. This program will foster new relationships among employees, develop a healthier security culture and ensure continuous improvement.
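The segregation-of-duties rule above (custody, authorization and recording of assets held by three different employees) is the kind of control that is easy to state and easy to erode in practice, so it helps to enforce it in the system that records asset transactions rather than rely on memory. The block below is an added example written for this page, not code from the original policy or from MUSA: it validates a staffing plan so that no one person holds two of the three functions, and checks each asset transaction so that the custodian, authorizer and recorder are three distinct, properly assigned people. The employee names, departments and asset tag are constructed for the example.

```python
from dataclasses import dataclass

# The three functions named in the policy; each must sit with a different employee.
CUSTODY, AUTHORIZE, RECORD = "custody", "authorize", "record"
FUNCTIONS = (CUSTODY, AUTHORIZE, RECORD)


class SegregationError(ValueError):
    """Raised when a staffing plan would let one person hold two functions."""


@dataclass(frozen=True)
class Employee:
    name: str
    department: str
    functions: frozenset  # subset of FUNCTIONS held by this employee


def assign_functions(employees) -> dict:
    """Validate a staffing plan: no employee holds more than one of the three
    functions and every function has at least one holder. Returns the
    holders per function, e.g. {"custody": ["alice"], ...}."""
    holders = {f: [] for f in FUNCTIONS}
    for emp in employees:
        held = emp.functions & set(FUNCTIONS)
        if len(held) > 1:
            raise SegregationError(
                f"{emp.name} holds {sorted(held)}; only one function is allowed")
        for f in held:
            holders[f].append(emp.name)
    missing = [f for f in FUNCTIONS if not holders[f]]
    if missing:
        raise SegregationError(f"no employee assigned to: {missing}")
    return holders


@dataclass(frozen=True)
class AssetTransaction:
    asset_tag: str    # the barcode assigned under the inventory policy
    custodian: str    # who physically handles the asset
    authorizer: str   # who approved the use of the asset
    recorder: str     # who books the movement in the asset register


def transaction_violations(tx: AssetTransaction, employees) -> list:
    """Return the segregation-of-duties violations for one transaction; an
    empty list means the transaction may proceed."""
    by_name = {e.name: e for e in employees}
    actors = {CUSTODY: tx.custodian, AUTHORIZE: tx.authorizer, RECORD: tx.recorder}
    problems = []
    # Each actor must be a known employee who actually holds that function.
    for function, name in actors.items():
        emp = by_name.get(name)
        if emp is None:
            problems.append(f"{name} is not a known employee")
        elif function not in emp.functions:
            problems.append(f"{name} is not assigned the {function} function")
    # Three functions, three different people: hiding a transaction then
    # needs at least two people to collude.
    if len(set(actors.values())) < len(FUNCTIONS):
        problems.append("one person performs more than one function on this transaction")
    return problems


# Constructed staffing plan (hypothetical names and departments).
STAFF = [
    Employee("alice", "IT", frozenset({CUSTODY})),
    Employee("bob", "Finance", frozenset({AUTHORIZE})),
    Employee("carol", "Accounting", frozenset({RECORD})),
]


if __name__ == "__main__":
    print("holders:", assign_functions(STAFF))
    good = AssetTransaction("MUSA-000123", "alice", "bob", "carol")   # constructed tag
    bad = AssetTransaction("MUSA-000123", "alice", "bob", "alice")
    print("good:", transaction_violations(good, STAFF))
    print("bad:", transaction_violations(bad, STAFF))
```

Because the check runs per transaction, the case the policy mentions where an employee from another department covers one of the functions works without special handling: the department is recorded but only the function assignment and the distinctness of the three people are enforced.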