Volition Why our company is assured in Volition’s information and the securities that protect it Represented by: Brian Mazurowski, Michael Mack, Michael Agosto, and Adam Pexton


Page 1: Volition

Volition

Why our company is assured in Volition’s information and the securities that protect it

Represented by: Brian Mazurowski, Michael Mack, Michael Agosto, and Adam Pexton

Page 2: Volition

Company Overview

• Volition is a maple syrup manufacturer and supplier.
• Located in Vermont
• Business Structure:
  – Financial
  – Sales
  – Development
  – Human resources

Page 3: Volition

Assets

Assets: Price:

- 100 Acres of land $175,000
- Manufacturing Plant $500,000
- 500 Maple Trees $25,000
- 50 Land workers $25,000 (each, yearly)
  - Sap Collectors – 20 workers
  - Water / Tree Maintenance – 20 workers
  - Mowers – 10
- 50 Factory Workers $30,000 (each, yearly)

Page 4: Volition

Assets (continued)

Assets: Price:

- 25 Office Personnel $40,000 (each, yearly)
  - Human Resources – 2
  - Payroll – 8
  - I.T – 5
  - Security – 10
- 12 Delivery Personnel $35,000 (each, yearly)
- 4 Managers $200,000 (each, yearly)
- 8 Delivery Trucks $120,000


Page 5: Volition

Assets (continued)

Assets: Price:

- 35 Dell Computers $14,000
- Windows XP (all computers) $3,150
- Factory Machinery $300,000

TOTAL: $6,107,150.00

Page 6: Volition

Risks

Risk - any situation that can possibly expose your company or business to danger.

Environmental Risks -
• Weather
• Fungus / Disease

Human Risks -
• Cyber Attack
• Internal Abuse
• External Mass Attack
• Lack of Maintenance

Natural Risks -
• Accidents
• Infrastructure Failure

Page 7: Volition

Vulnerabilities

Vulnerability - a weakness or flaw which allows a company to be exposed to problems.

Vulnerabilities -
• Lack of anti-malware and up-to-date firewall software
• New employees
• No backup generators or computer systems
• Spare parts
• Underpaid security officers

Page 8: Volition

Privacy Policy

• When personal information is required, we only ask for a name, email address, mailing address and phone number. This is done when an order is placed.
• How we protect this information:
  – Regular scanning of website for security holes and vulnerabilities
  – Information can only be seen by a limited number of people who have special rights
  – Any credit/debit card information is encrypted using Secure Sockets Layer (SSL) technology

Page 9: Volition

Privacy Policy (continued)

• Third Party Disclosure:
  – We do not sell, trade or transfer information to outside parties
  – We do not offer third party services on our website
  – We do not allow third party behavioral tracking
  – Volition agrees to the following:
    ▪ Users can visit the site anonymously
    ▪ Users will be notified of any policy changes via the Privacy Policy Page
    ▪ Users are able to change their personal information by emailing, calling, or logging in to their account on our website

Page 10: Volition


Volition’s Privacy Policy also touches on the Children’s Online Privacy Protection Act (COPPA)

- When it comes to the collection of personal information from children under 13, COPPA puts parents in control.

- We cooperate with this act and do not specifically market to children under 13

Page 11: Volition

Incident Response Plan

• The first person to discover the incident must call the security department and provide a list of sources that found the incident (e.g. helpdesk, manager…)
• The security department will refer to the IT emergency contact list and must log details about the incident including:
  – Name of caller
  – Time of call
  – Contact information
  – Nature of incident
  – What equipment was involved
  – Location of persons involved
  – How it was detected
  – When it was first noticed

Page 12: Volition

Incident Response Plan (continued)

• The IT staff member will then contact the departments involved and log the information in the same format as before

• Those contacted will meet to discuss a response strategy:

a) Is the incident real or perceived?

b) Is the incident still in progress?

c) What data or property is threatened and how critical is it?

d) What is the impact on the business should the attack succeed? Minimal, serious, or critical?

e) What system or systems are targeted, where are they located physically and on the network?

Page 13: Volition

Incident Response Plan (continued)

An incident ticket will then be created and will be categorized into one of these categories:
1) Category 1 - A threat to public safety or life
2) Category 2 - A threat to sensitive data
3) Category 3 - A threat to computer systems
4) Category 4 - A disruption of services

The last steps are:
- Evidence Preservation
- Notify proper external agencies
- Assess damage and cost
- Review response and update policies

Page 14: Volition

Acceptable Use Policy

• Information Resources are strategic assets of Volition and must be treated and managed as such.

• Volition provides various computer resources to its employees for the purpose of assisting them in the performance of their job-related duties.

• This policy secures company information because it implements the standards to establish, enforce and educate Volition’s employees on the acceptable uses of Volition-owned property, as well as the repercussions of mistreating those uses.

Page 15: Volition

Acceptable Use Policy

• This Acceptable Use Policy in conjunction with the corresponding standards is established to achieve the following:

• 1. To establish appropriate and acceptable practices regarding the use of information resources.

• 2. To ensure compliance with applicable Vermont State law and other rules and regulations regarding the management of information resources.

• 3. To educate individuals who may use information resources with respect to their responsibilities associated with computer resource use.

Page 16: Volition

Acceptable Use Policy

• This Acceptable Use Policy contains four policy directives.

• Part I – Acceptable Use Management
• Part II – Ownership
• Part III – Acceptable Use
• Part IV – Incidental Use

Page 17: Volition

Acceptable Use Policy

• The policy is implemented by the following:

• 1. Volition management will establish a periodic reporting requirement to measure the compliance and effectiveness of this policy.

• 2. Volition management is responsible for implementing the requirements of this policy, or documenting non-compliance via the method described under exception handling.

• 3. Volition Managers, in cooperation with Security Management Division, are required to train employees on policy and document issues with Policy compliance.

• 4. All Volition employees are required to read and acknowledge the reading of this policy.

Page 18: Volition

Disposal and Destruction Policy

• Volition’s policy regarding the proper transfer, disposal and/or reuse of computers and other digital storage media by employees.

• Volition is committed to compliance with Vermont State and Federal Statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.

• This policy secures company information because it implements the removal of confidential information from Volition’s systems in such a way that the information is not leaked.

Page 19: Volition

Disposal and Destruction Policy

• THOSE COMPRISED IN THIS POLICY INCLUDE:

• All employees of Volition have a responsibility to ensure the confidentiality of Vermont State and federally regulated and otherwise protected sensitive or proprietary information residing on Volition-owned computer systems and other digital storage devices and media.

• All computers and digital storage devices including, but not limited to desktop, laptop, server, notebook, and handheld computer hard drives; external hard drives; and all external data storage devices such as disks, SANs, optical media (DVD or CD), magnetic media (tapes or diskettes), and non-volatile electronic media (thumb drives), are covered under the provisions of this policy.

Page 20: Volition

Disposal and Destruction Policy

• Computer and electronic storage equipment identified for title transfer must be reviewed and then subsequently cleaned by a Volition IT service provider approved to perform data erasing.

• Computer and digital storage media which are included as part of a trade-in purchase or disposal must be identified on the purchase order for new equipment. Documentation attesting to the erasure of licensed software and company data by an authorized Volition IT service provider will be required in order to complete the purchase or disposal.

Page 21: Volition

Disposal and Destruction Policy

• Volition-owned computer and digital storage media must have all company data and licensed software reliably erased from the device prior to its transfer out of Volition control, and/or the media must be destroyed, using current best practices for the type of media.

• Authorized employees may be approved to erase computer and digital storage media for transfer, and/or to destroy media, using approved best practices developed by Volition’s Information Security & Policy Office (VISPO), which will work with the appropriate Volition IT staff to ensure that procedures consistent with security best practices are followed for the reliable removal of licensed software and confidential data before equipment transfers take place. Otherwise, authorized employees must engage a Volition IT service provider approved by the VISPO to prepare media for transfer or disposal.

Page 22: Volition

Conclusive Remarks

• Through this presentation, and the installation of necessary and appropriate policy, Volition has shown the assurance our security provides in protecting imperative information.

• Moreover, it has shown how the policies are properly implemented to mitigate risk and confirm the security structure that protects Volition’s assets.