OS A3 Task 2

Task 2 

Introduction 

As a new, up-and-coming, growing organisation, Linkchain Gaming must ensure that its information security policy is tailored to its requirements and aligned with regulatory standards. A modern security compliance with laws and regulations. This report will outline recommended user and administrative controls for an updated security policy. These controls aim to protect sensitive data, and recommendations are supported by recognised frameworks. 

User Controls  

Network and Wi-Fi Access: 

Threats Addressed: Network passphrase on noticeboard, visitors on same network 

To protect the network, it is important to remove the passphrase from the noticeboard and change it. It is recommended to create a segmented network with a separate guest passphrase for visitors, so they are completely isolated from internal systems and the file server. By restricting network access so that only authorised, enrolled devices can connect to the internal network, it makes it easier for the IT team to monitor the network without the presence of any unauthorised access.  

Password Management: 

Threats Addressed: Uneforced password policy, shared PIN, and network passphrase exposed. 

To protect internal systems, Linkchain Gaming should implement strong password policies. All employees should use complex passwords and be required to change them regularly to reduce the likelihood of data breach. Enforcing this policy would reduce the likelihood of unauthorised access to the system and reduce the likelihood of password cracking. In line with NCSC guidance, it is also stated to not force regular password resets unless a breach is suspected, as it can encourage weaker password choices putting data at jeopardy. 

Multi-Factor authentication should be enforced for access to critical systems. It helps validate the user's identity by using security questions tailored to the user.  

Physical Access Security: 

Threats Addressed: Main Entrance on busy public street, shared PIN, no receptionist, smart ID cards not being supported 

At the momentLinkchain Gaming employees use shared PIN code to enter the office, which is outdated and easily discoverable by an attacker. The shared PIN system should be replaced with the individual smart ID card access, which are already in place but unsupported, so activating them means that each entry is logged and traceable to a specific individual, making it crucial evidence in unauthorised access settings. I would also recommend implementing an intercom or video doorbell system at the main entrance for visitors so that staff can verify visitors before granting access.  Furthermore, they should enforce a tailgating policy where staff should be aware of not holding the door open for others, even colleagues. 

Enforce a clear desk and secure building policy, as windows must be locked at the end of each working day, with a named person responsible for checking and ensuring external access is denied. Report and urgently re-enable the disabled fire alarm on the first floor, as it’s a legal health and safety obligation and not just a security issue. Installing air conditioning in the server room to manage temperature and prevent hardware failure from overheating should be considered, as it can impact employees’ performance due to downtime, and put data at risk if not backed up securely. 

Personal Devices (BYOD)  

Threats Addressed: Employees encouraged to use personal devices 

Introducing a formal BYOD (Bring Your Own Device) policy defining what personal devices are permitted, what they can access, and what security requirements they must meet. Personal devices should only access company data through VPN and a secure managed portal, and not directly, in case of malware being spread to the wider network. If employees can do without their personal devices is recommended to discontinue entirelygiven the sensitivity of data on the file server. 

Security Awareness Training: 

Threats Addressed: Pre-recorded training from 4 years ago, unenforced policies, exposed network passphrase, USB taken home by an IT member 

As Linkchain Gaming expands, employees need training to help them spot threats like phishing and social engineering. Replacing the 4-year-old pre-recorded presentation with up-to-date interactive monthly training covering emerging threats and acceptable use. Training should be made mandatory for all staff, including new starters, as part of onboarding. Specific guidance, such as not sharing credentials, not posting passphrases publicly, and safe data handling, can be considered beneficial when comparing them to current security gaps within the organisation.  

 

 

 

Administrator Controls  

Access Management 

Threats Addressed: All users have full admin access, file server accessible to all, shared workstations, smart ID cards unsupported 

The business should control who has access to what. Implementing Role-Based Access Control (RBAC) access to systems, files and the network should be granted based on job role only, following the principle of least privilege, reducing the risk of data loss. It is important to remove full administrative rights from all standard users immediately; it should only IT staff should hold admin privileges. We could also activate and enforce the smart ID card system for both building entry/access and system login, with each card tied to an individual account. 

Onboarding and Offboarding Procedures 

Threats Addressed: Inconsistent onboarding/offboarding procedures 

It is important to onboard and offboard users safely to address any malicious employee risk. By creating a standardised onboarding checklist covering issuing ID cards, creating user accounts with appropriate RBAC permissions, enrolling devices in MDM, and completing mandatory training before system access is granted. As well as creating an offboarding checklist covering immediate account deactivation, ID card deactivation, device retrieval, and removal from all systems on the employee’s last day. 

Incident Response Plan 

Threats Addressed: All users have full administrative access, and the majority of file server content is accessible to all employees. 

Linkchain Gaming must be prepared to respond quickly to security incidents, especially given risks such as the shared PIN code, the network passphrase posted on the noticeboard, unlocked windows, the disabled fire alarm, and the fire door in the server room that could allow intruders to bypass reception. A clear Incident Response Plan would define who is responsible for reporting, investigating, and containing incidents such as unauthorised access, data breaches caused by misused credentials, or malware introduced through visitors on the same network or personal devices encouraged under the current BYOD approach. It would also outline how to respond to lost or stolen data, such as the full system backup stored on a USB drive taken home by an IT staff member, and how to manage operational disruptions like groundfloor connectivity issues or failures in the allonpremises server infrastructure. By establishing structured procedures for detection, escalation, communication, and recovery, the Incident Response Plan ensures that Linkchain Gaming can minimise damage, preserve evidence, comply with legal obligations, and learn from incidents to strengthen future security. 

Mobile Device Management (MDM) 

Threats Addressed: Employees are encouraged to use their personal devices, USB drive taken home by an IT staff member 

MDM allows Linkchain Gaming to centrally control, monitor, and secure all mobile devices, laptops, and tablets that access company data. This is especially important because laptops are issued with preinstalled files that could expose sensitive information if lost or stolen. With MDM, the company can remotely wipe missing devices, enforce encryption, apply security policies, and restrict access to confidential data, ensuring that only compliant and protected devices can connect to business systems. 

Policy Review & Enforcement 

Threat Addressed: Some policies in place but not tailored, unenforced password policy 

Conduct a full audit of existing policies and rewrite them so they reflect Linkchain Gaming’s specific risks, sector requirements, and organisational size. All policies should be formally acknowledged by staff during onboarding and resigned whenever major updates occur to ensure accountability. To maintain consistency and compliance, the company should also introduce an annual policy review cycle, with a named policy owner responsible for keeping each document accurate, up to date, and aligned with evolving security needs. 

VPN Management  

Threat AddressedOnly 20 VPN licenses, remote working, personal devices 

Audit current VPN usage to determine whether the 20 existing licences are sufficient, especially if remote working continues to grow. All remote access to company systems must be routed through the VPN with no exceptions, ensuring traffic is encrypted and monitored. VPN credentials should be individual rather than shared, and MultiFactor Authentication must be enforced to verify user identity and prevent unauthorised access. 

USB and Backup Management  

Threats Addressed: Full backups on a single USB drive, USB taken home by IT staff member 

A single USB drive taken home is a major single point of failure and a serious databreach risk,  if it is lost or stolen, all backup data becomes exposed. Linkchain Gaming should adopt a 321 backup strategy: three copies of data, stored on two different media types, with one copy kept securely offsite. An encrypted cloud backup should be considered to strengthen resilience while addressing the organisation’s concerns about cloud use. All physical backup media must be encrypted and stored in a locked, controlled location, never taken home informally. If cloud services remain unsuitable, the company should document the justification and implement compensating controls such as an encrypted offsite backup vault. 

Calls Logging and Data Handling 

Threat Addressed: Calls manually logged by apprentices on spreadsheets 

Manual spreadsheet logging is errorprone, difficult to audit, and increases the risk of data mishandling. Linkchain Gaming should replace this with a proper IT service management (ITSM) tool, such as Freshservice or Jira Service Management, to ensure calls are logged consistently and securely. Access to call records must be rolebased and not left open on shared workstations. Apprentices and any staff handling personal data should also receive datahandling training aligned with GDPR and the UK Data Protection Act 2018 to ensure compliance and reduce the risk of accidental breaches. 

Infrastructure & Cloud Risk 

Threat Addressed: All server-based infrastructure, no cloud services, connectivity issues on ground floor 

Conduct a formal risk assessment of the fully onpremises infrastructure, as housing all systems in a single location means a fire, flood, or DoS attack could cause complete operational loss. Leadership should be presented with a clear costbenefit analysis of adopting a hybridcloud model, supported by evidence of modern security controls such as encryption, access management, and compliance certifications to address their concerns. The groundfloor connectivity issue must also be investigated and resolved, as unreliable network performance affects productivity and may indicate deeper infrastructure weaknesses that need attention. 

Data Security and Protection 

Data Encryption 

All company data should be labelled and protected based and how sensitive it is. Laptops with pre-installed files and software may expose confidential information. Encrypting stored and transmitted data can prevent this. All sensitive data should be encrypted ensuring that even if devices are compromised, the data remains protectedThese actions help meet GDPR Article 32 and UK Data Protection Act requirements. 

Data Retention and Secure Disposal 

The company should avoid keeping data longer than necessary, as doing so increases the chance of it being accessed improperly. Policies should define how long different types of data are kept and include secure deletion practices for when data is no longer required. With devices containing preloaded fines, secure disposal methods like wiping hard drives or using certified destruction tools are especially important. These practices support the GDPR Article on data minimisation and help reduce unnecessary risk.  

Growing the Business Securely 

Scalability of the Policy 

As the company grows, its security policy must evolve. This includes reviewing and updating the policy regularly, at least once a year, and making changes through a formal process. Right now, many systems are still running on outdated platforms like Windows Server 2012 and 2016, which may no longer receive security updates. Upgrading these systems and updating policies accordingly is crucial for staying protected. This approach supports ISO’s continuous improvement model and the COBIT framework for business IT governance 

Third-Party Risk Management  

Shared office spaces and access by non-employees pose extra risks. For example, the car park has no access control, and shared kitchens and toilets are open to guests from other businesses. Fire exits are used for deliveries, bypassing reception and reducing security oversight. Linkchain Gaming should create clear guidelines for working with external vendors and services, including risk assessment and security agreements. These steps help comply with GDPR Article 28 and ISO 27036, which focus on third-party security.  

Asset management 

Effective asset management is critical for tracking and protecting all physical and digital assets within Linkchain Gaming. This recommendation is based on ISO/IEC 27001. It highlights the importance of knowing what assets Linkchain Gaming owns and making sure they’re properly protected and tracked throughout their use. 

Legislations 

General Data Protection Regulation (GDPR) 

This regulation contributes to protecting individuals' personal data with regarding on how the data is being handled and processed and rules to the free movement of personal data. It is important for an organisation to make the client/costumer aware of this, and it's required by the act to receive consent by the user in any form weather that is by a written statement, electronically, or an oral statement. Consent would provide processing activities for the same purpose. Data should only be used for its intended purpose, if not it can lead to breaching the regulation which has consequences of its own. In the context of Linkchain Gaming, this regulation ensures the protection of the rights and freedoms in respect of the processing of employee personal data in the employment contextfor the purpose of recruitment processes, contract of employment, and when someone is being discharged from the organisation 

UK Data Protection Act 2018 

Similarly to GDPR, the UK Data Protection Act control how individual's personal information is being used by organisations like Linkchain GamingOrganisations are obliged to handle personal information responsibly and follow strict rules called “data protection principles”. There are occasions where these rules are further enforced when more sensitive information such as race, background, political opinions, health, biometrics. As an employee at Linkchain Gaming, you have the right in relation to your personal data and be informed about how your data is being handled, have incorrect data updated and stop the processing of your data. 

UK Computer Misuse Act 1990 

This act provisions for securing computer materials from unauthorised access or modification. A person is found guilty of an offence if they have either installed indirect harm to the computer enabling them to access data or the intends to access to unauthorised information. A person is guilty of an offense under this section shall be liable to imprisonment according to the court or to a fine not exceeding the statutory maximum or to both. In the scenario of Linkchain Gaming, it's crucial to implement employee policies to reduce the likelihood of unauthorised access from within the organisation and externally. As previously faced by Linkchain a disgruntled employee may expose data which covers Section 1 of the Computer Misuse Act as its access to someone computer to perform an intent to access data they are not authorised to access.  

ISO/IEC 27001 – Information Security Management System (ISMS) 

ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides organisations such as Linkchain Gaming from all sectors with guidance on how to continually improve their ISMS. Implementing this framework helps organisations reduce vulnerabilities to the growing threats of cyberattacks and respond to evolving security risks. This ensures that the assets of an organisation, such as financial statements, intellectual property, and employee data, remain undamaged, confidential and available as needed. 

NIST Cybersecurity Framework (CSF) 

A United States framework which involves prioritising and understanding the risks and working through them, depending on the organisation's needs. We can understand and assess risks by identifying current gaps in the organisation's security posture. Thereafter, we can prioritise actions on how we can manage these risks that align with Linkchain Gaming’s legal and regulatory requirements. Finally, we need to clearly communicate the risks inside and outside the organisations about the needs and expectations.  

NCSC Cyber Essential  

This is a training course offered for organisations and individuals, which provides the minimum standards of cybersecurity practices recommended by the government for organisations of all sizes. Once the training course is completed, NCSC issues a Cyber Essentials certificate for the organisation. There is a higher-level certificate available called the Cyber Essentials Plus, which offers a more rigorous, independent technical testing. These certifications help the organisation ensure 5 technical controls: 

  • Setup configuration  

  • Secure the network to minimise the ways a cyber-criminal may find a way into the system network. 

  • User Access Control 

  • Control who can access your data and services and what level of access they have  

  • Malware Protection 

  • Identify and immobilise viruses or other malicious software before it has a chance to cause harm to the network.  

  • Security Update Management  

  • Prevents cyber criminals using vulnerabilities they find in software as an access point to your system 

  • Firewalls 

  • Creates a layer of security between the internet and the network 

Conclusion 

Linkchain Gaming must improve its information security practices to protect its systems, comply with the laws and regulations, and support safe business growth. The company faces several real-world risks, including shared facilities, insecure access points, outdated software, and weak physical security. The recommendations provided in this report offer practical solutions to these issues. By implementing these controls, Linkchain Gaming can build a safer, more resilient security environment that will support the business now and into the future. 

Comments

Popular posts from this blog

OS A3 Task 1