Software comprises the various kinds of programs used to operate the computer
system and related devices. The University maintains two types of software,
namely System and Application Software acquired and developed from third party
vendors, with its applicable licenses and agreements. Whitman and Mattord
(2011, p. 42) maintained the importance of organizations safeguarding all
their applications, especially those that are essential to them.
MIS University implements internet-enabled applications, which exposes it to
diverse security risks. Due to technological advancement, and with information
security always being an afterthought to most software developers, the
following threats have been identified:
Defects/Technical failures: These are due to bugs in the software program and
are central and critical to computer security. Technical failures arise due to
misconfigurations of the
Attacks through viruses, worms, malware and Trojans. These attacks are
perpetrated by cybercriminals to lure users of computer systems into parting
with confidential information needed to destroy or interrupt software
functionality.
Behavior of Users: Installation of pirated software and visits to questionable
sites by users of the computer system.
Software: Unpatched system and application software, such as operating
systems, exposes the University to various forms of zero-day attacks.
1.2 RISK CLASSIFICATION BY LIKELIHOOD
the rating scale above, the Table below shows the likelihood of the threat
LIKELIHOOD OF OCCURRENCE
errors due to Bugs, code problems, unknown loopholes
through Worms, Virus, Denial of Service
behaviours of Users by installing pirated software and questionable site
to run patches released by third party vendors
1.3 IMPACT ANALYSIS
The impact analysis seeks
to identify and assess the potential impacts of an interference to the basic operations
of the Institution. The impact caused by the listed threats results in
financial and reputational losses. The table below shows the impact:
Human Behaviours (5)
Un-patch software (4)
Technical Failures (4)
From the impact assessment, threats in the form of Software Attacks and Human
Behaviours pose a higher impact on the Institution’s Software. Whitman and
Mattord (2011, p. 146) suggested five security strategies an organization
would adopt to control the threats faced. The institution would adopt the
following strategies:
The Defense strategies
are controls put in place to prevent the threats from occurring. The following
controls have been adopted:
Anti-Virus Software programs shall be updated with the current virus database
definition at all times.
Hard-to-crack passwords shall replace default passwords to software programs
before usage (Khimji, 2014).
Built-in security features of Operating Systems and Application programs shall be
of all system and application software programs shall be carried out on a
firewall shall be installed on every host machine to prevent the injection
of malware, spyware and adware into software programs.
Transfer control strategies seek to shift the risk to other entities such as
third party vendors and insurance agencies (Whitman and Mattord 2011, p. 147).
Some controls adopted include the following:
Level Agreement Contracts with third party vendors would be maintained.
Party Security Auditor shall be hired to perform security audit on all software
systems used by the University.
control strategies endeavour to limit the impact caused by an abuse of a
system’s vulnerability through preparation and proper planning. The following
measures have been adopted:
penetration testing shall be carried out on all acquired or developed software.
pilfered or unlicensed software shall be installed on individual machines.
training programs shall be organized for staff on newly acquired software
together with its security ramifications.
security awareness training of system users shall be organized where current
trends of security risks would be highlighted.
systems shall be effectively monitored with periodic review of logs.
pot systems would be deployed on the Institution’s DMZ to track activities of a
enforcement and compliance of the Institution’s ICT Policy.
Khimji, I 2014, System Hardening: Defend Like an Attacker, Tripwire Inc, Oregon, viewed on 12 December 2017, https://www.tripwire.com/state-of-security/vulnerability-management/defend-like-attacker
and Mattord, H.J. 2011, Principles of Information Security, 4th edn, Cengage Learning.