1.0 SOFTWARE

Software is the various kinds of programs used to operate the computer system and related devices. The University maintains two types of software, namely System and Application Software, acquired and developed from third party vendors with the applicable licences and agreements. Whitman and Mattord (2011, p. 42) maintained the importance of organizations safeguarding all their applications, especially those that are essential to them.

1.1 THREATS

MIS University implements internet-enabled applications, which exposes it to diverse security risks. Due to technological advancement, and with information security always having been an afterthought to most software developers, the following threats have been identified:

1. Software Defects/Technical Failures: These are due to bugs in the software program and are central and critical to computer security. Technical failures also arise from misconfigurations of the software system.
2. Software Attacks through viruses, worms, malware and Trojans: These attacks are perpetrated by cybercriminals to lure Users of computer systems into parting with confidential information needed to destroy or interrupt software functionality.
3. Unsophisticated behaviour of Users: Installation of pirated software and the visiting of questionable sites by Users of the computer system.
4. Unpatched Software: Failure to patch system and application software such as operating systems exposes the University to various forms of zero-day attacks.

1.2 RISK CLASSIFICATION BY LIKELIHOOD

Implementing the rating scale above, the table below shows the likelihood of each threat occurring:

THREATS                      LIKELIHOOD OF OCCURRENCE                                                                  LIKELIHOOD RATING
Defects/Technical Failures   Functionality errors due to bugs, code problems, unknown loopholes                        4
Software Attacks             Attacks through worms, viruses, denial of service                                         5
Human Errors/Behaviours      Illicit behaviour of Users by installing pirated software and visiting questionable sites 5
Unpatched Software           Failure to run patches released by third party vendors                                    4

1.3 IMPACT ANALYSIS

The impact analysis seeks to identify and assess the potential impacts of an interference with the basic operations of the Institution. The impact caused by the listed threats results in financial and reputational losses. The table below shows the impact:

THREATS TO SOFTWARE       LIKELIHOOD OF OCCURRENCE   ASSET VALUE   IMPACT
Attacks (5)               5                          5             125
Human Behaviours (5)      5                          4             100
Unpatched Software (4)    4                          4             64
Technical Failures (4)    4                          3             48

1.4 CONTROLS

From the impact assessment, threats in the form of Software Attacks and Human Behaviours pose a higher impact on the Institution's Software. Whitman and Mattord (2011, p. 146) suggested five security strategies an organization could adopt to control the threats it faces. The Institution would adopt the following strategies:

1. Defense
2. Transfer
3. Mitigation

1.4.1 DEFENSE

The Defense strategies are controls put in place to prevent the threats from occurring. The following controls have been adopted:

1. Enterprise Anti-Virus Software programs shall be updated with the current virus definition database at all times.
2. Hard-to-crack passwords shall replace default passwords to software programs before usage (Khimji, 2014).
3. Built-in security features of Operating Systems and Application programs shall be utilized.
4. Updates of all system and application software programs shall be carried out on a regular basis.
5. A software firewall shall be installed on every host machine to prevent the injection of malware, spyware and adware into software programs.

1.4.2 TRANSFER

The transfer control strategies seek to shift the risk to other entities such as third party vendors and insurance agencies (Whitman and Mattord 2011, p. 147). Some controls adopted include the following:

1. Service Level Agreement contracts with third party vendors would be maintained.
2. A Third Party Security Auditor shall be hired to perform security audits on all software systems used by the University.

1.4.3 MITIGATION

These control strategies endeavour to limit the impact caused by an abuse of a system's vulnerability through preparation and proper planning. The following measures have been adopted:

1. Periodic penetration testing shall be carried out on all acquired or developed software.
2. No pilfered or unlicensed software shall be installed on individual machines.
3. Adequate training programs shall be organized for staff on newly acquired software together with its security ramifications.
4. Periodic security awareness training of system users shall be organized, where current trends in security risks would be highlighted.
5. All systems shall be effectively monitored, with periodic review of logs.
6. Honeypot systems would be deployed on the Institution's DMZ to track the activities of a would-be intruder.
7. Strict enforcement of, and compliance with, the Institution's ICT Policy.

REFERENCES

Khimji, I 2014, System Hardening: Defend Like an Attacker, Tripwire Inc, Oregon, viewed 12 December 2017, https://www.tripwire.com/state-of-security/vulnerability-management/defend-like-attacker

Whitman, M.E. and Mattord, H.J. 2011, Principles of Information Security, 4th edn, Cengage Learning.