GROUP8 TerminalAssesment

National Teachers College

A Comprehensive Security Framework for INFOAS Music Star: Policies, Encryption, Network Security, and Incident Response

Estuesta, Peter Daniel O.
Tubao, Alex Joseph T.
Palubon, Rusty L.
Monforte, Kenneth C.
Abella, Jonah Mae R.
Macadato, Jehadee Lindongan

Table of Contents

Introduction
  1.1 Overview of INFOAS Music Star
  1.2 Importance of Data Security in Music Retail
  1.3 Objectives of the Security Framework
2.0 Security Policy Design
  2.1 Purpose
  2.2 Policy Creation
  2.3 Access Control
  2.4 Inventory Protection
  2.5 Secure Payment Processing
  2.6 Data Protection Policy
  2.7 Customer Data Protection
  2.8 Employee Data Protection
  2.9 Marketing Policy
  2.1.1 Responsible Marketing
  2.1.2 Employee Code of Conduct
3.0 Encryption
  3.1 Encryption Strategy
  3.2 Data in Transit
  3.3 Data at Rest
  3.4 Justification for Encryption Method
4.0 Network Security
  4.1 Network Architecture
  4.2 Firewalls, Intrusion Detection and Prevention Systems (IDS/IPS)
  4.3 Security Protocols
  4.4 IPSec
  4.5 SSL/TLS
  4.6 SSH
  4.7 Additional Security Measures
  4.7 Endpoint Security
  4.8 Network Segmentations
5.0 Incident Response
  5.1 Incident Response Plan (IRP)
  5.2 Detection & Identification
  5.3 Containment
  5.4 Eradication
  5.5 Recovery
  5.6 Roles and Responsibilities
  5.7 IT Support
  5.8 Network Engineer
  5.9 Cybersecurity Personnel
  5.1.1 Real-World Incident Response Examples
6.0 Conclusion
References

Introduction

In today's digital age, businesses must prioritize the security of their data and systems, particularly in industries dealing with sensitive customer information, such as the music retail business. INFOAS Music Star, an organization dedicated to selling music instruments, must protect not only its physical assets but also its digital infrastructure to maintain trust with customers and employees.

This paper outlines a comprehensive security framework designed to safeguard INFOAS Music Star from internal and external threats. The security framework will cover key areas such as Security Policy Design, Encryption, Network Security, and Incident Response. Each of these components is critical to building a resilient security infrastructure capable of adapting to evolving cyber threats while ensuring compliance with relevant laws and industry standards.

Security Policy Design

Access Control Policy

Purpose: To regulate who can access the store's physical and digital assets, ensuring that only authorized personnel have entry to sensitive areas and information.

Description:
● Physical Access: Limit access to the store's premises to authorized employees only. Use keycards or biometric systems for entry.
● Logical Access: Implement user authentication measures, such as unique usernames and strong passwords, for accessing digital systems.
● Access Levels: Define access levels based on roles:
  ○ Level 1: Administrative access (e.g., management, IT staff)
  ○ Level 2: Sales and customer service access (e.g., sales staff)
  ○ Level 3: Limited access (e.g., maintenance personnel)

Alignment with Standards:
● Compliance with best practices in information security (ISO/IEC 27001).
● Promotes a secure environment by minimizing unauthorized access risks.

Data Protection Policy

Purpose: To safeguard customer and employee data, ensuring confidentiality and integrity in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173).

Description:
● Data Classification: Identify and classify data based on sensitivity.
● Encryption: Use encryption for sensitive data, such as customer payment information, both in transit and at rest.
● Data Retention: Establish guidelines for how long data is retained and ensure secure disposal of data no longer needed.

Alignment with Standards:
● Adheres to international data protection standards (GDPR).
● Enhances customer trust by demonstrating a commitment to data security.

User Responsibilities Policy

Purpose: To outline the responsibilities of employees regarding the handling of sensitive data and security practices.

Description:
● Password Management: Employees must create strong passwords and change them regularly.
● Data Handling: Employees are trained to handle customer data responsibly and report any data breaches immediately.
● Security Awareness: Conduct regular training sessions to keep employees informed about security threats and best practices.

Alignment with Standards:
● Follows industry best practices for employee training and awareness (NIST Cybersecurity Framework).
● Promotes a culture of security within the organization.

Network Security Policy

Purpose: To protect the store's network infrastructure from unauthorized access and cyber threats.

Description:
● Firewall: Install and configure firewalls to monitor and control incoming and outgoing network traffic.
● Anti-Virus Software: Ensure that all computers have updated anti-virus software to detect and mitigate threats.
● Network Segmentation: Separate networks for different functions (e.g., POS systems, employee access) to limit potential breaches.

Alignment with Standards:
● Complies with best practices for network security (CIS Controls).
● Minimizes risks associated with cyber threats and data breaches.

Incident Response Policy

Purpose: To establish a clear process for responding to security incidents effectively and efficiently.

Description:
● Incident Response Plan: Develop and maintain an incident response plan that outlines steps to take in the event of a security breach.
● Reporting Mechanism: Employees are required to report security incidents to designated personnel immediately.
● Post-Incident Review: Conduct post-incident reviews to analyze the cause and improve future responses.

Alignment with Standards:
● Aligns with best practices for incident management (NIST SP 800-61).
● Enhances organizational resilience by preparing for potential security incidents.

Compliance Policy

Purpose: To ensure ongoing compliance with applicable laws and regulations related to security and data protection.

Description:
● Regular Audits: Conduct regular audits to assess compliance with security policies and legal requirements.
● Policy Review: Review and update security policies periodically to reflect changes in laws and technology.
● Training: Provide ongoing training for employees regarding compliance obligations and security practices.

Alignment with Standards:
● Ensures adherence to legal requirements (Data Privacy Act, Cybercrime Prevention Act).
● Promotes a culture of accountability and compliance within the organization.


Encryption

Encryption Strategy

Data in Transit
● TLS 1.3: Use the latest TLS version for stronger encryption, faster performance, and reduced vulnerabilities.
● HSTS (HTTP Strict Transport Security): Enforce HTTPS to prevent SSL stripping attacks.
● Perfect Forward Secrecy (PFS): Ensure session keys are unique and not compromised if long-term keys are exposed.
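
The three "Data in Transit" controls above can be checked from code. The following is an added example written for this page, not code from the paper or from INFOAS Music Star: a client-side TLS context that refuses anything below TLS 1.3 (which also gives forward secrecy, since every TLS 1.3 cipher suite uses ephemeral key exchange), a weaker TLS 1.2 context shown beside it, and a checker for the HSTS header the web front end should send. Only the Python standard library is used. The one-year HSTS minimum and the individual policy checks are assumptions made for this example, not values the paper states.

```python
"""Added example (not from the INFOAS paper): enforcing TLS 1.3 on the client
side and checking an HSTS header value. Assumed policy: TLS 1.3 minimum,
certificate and hostname verification on, HSTS max-age of at least one year
with includeSubDomains."""
import ssl
from typing import Dict, List, Optional

# Assumed threshold: one year in seconds, the max-age browsers expect before
# a site can be added to the HSTS preload list.
MIN_HSTS_MAX_AGE = 31_536_000


def hardened_client_context() -> ssl.SSLContext:
    """Client context that negotiates nothing below TLS 1.3.

    All TLS 1.3 suites use ephemeral (EC)DHE key exchange, so pinning the
    minimum version also satisfies the Perfect Forward Secrecy requirement.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def tls12_client_context() -> ssl.SSLContext:
    """The weaker setting beside the corrected one: TLS 1.2 still allowed."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of the policy (empty = compliant)."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("minimum protocol version is below TLS 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required to verify")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def hsts_findings(header_value: Optional[str]) -> List[str]:
    """Check a Strict-Transport-Security header value against the policy.

    Covers the failure modes a scanner meets in practice: header absent,
    max-age missing or non-numeric, max-age too short, no includeSubDomains.
    """
    if header_value is None:
        return ["no Strict-Transport-Security header: HTTPS is not enforced"]
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    findings: List[str] = []
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return ["max-age directive missing or not an integer"]
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age={max_age} is below the {MIN_HSTS_MAX_AGE}s minimum")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains may still be reached over HTTP")
    return findings


if __name__ == "__main__":
    print("TLS 1.3 context:", tls_policy_findings(hardened_client_context()) or "compliant")
    print("TLS 1.2 context:", tls_policy_findings(tls12_client_context()))
    print("HSTS max-age=300:", hsts_findings("max-age=300"))
```

The HSTS check is the part worth keeping in a monitoring job: a header that is present but short-lived, or that omits includeSubDomains, still leaves a window for the SSL stripping attack the policy names.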

Data at Rest
● AES-256: Upgrade to AES-256 for stronger encryption.
● Key Management Systems (KMS): Use systems like AWS KMS or HashiCorp Vault for secure key storage and rotation.
● Tokenization and Anonymization: Protect sensitive data like PII through tokenization and anonymization.

Key Security
● Hardware Security Module (HSM): Use HSMs for secure key generation and storage.
● MFA for Key Access: Ensure multi-factor authentication is required to access keys.

Data Integrity
● Digital Signatures and Hashing: Use SHA-256 or SHA-3 to ensure data authenticity and integrity.
● Certificate Pinning: Prevent attacks from compromised Certificate Authorities.
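
The "Data Integrity" bullet pairs hashing with authenticity, and the distinction matters in practice: a bare SHA-256 detects accidental corruption, but whoever can alter a record can recompute its hash, so authenticity needs a secret the attacker does not hold (a MAC key, or a signing key for digital signatures). The following is an added example written for this page, not code from the paper: SHA-256 for integrity beside HMAC-SHA256 for authenticity, with constant-time comparison. The sample record and the MAC key are constructed here; in the store the key would be held in the KMS/HSM named under "Key Security".

```python
"""Added example (not from the INFOAS paper): hash-only integrity versus a
keyed HMAC, showing the case the bare hash cannot catch. The record and the
key below are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed sample record standing in for a backup line or exported order.
SAMPLE_RECORD = b"order=10231;customer=c-4471;total=349.00\n"

# Constructed 256-bit MAC key generated at import time; a real deployment
# would fetch it from the key management system rather than generate it here.
MAC_KEY = secrets.token_bytes(32)


def sha256_digest(data: bytes) -> str:
    """Hex SHA-256 of the data: detects corruption, says nothing about origin."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Integrity check only; compare_digest avoids timing side channels."""
    return hmac.compare_digest(sha256_digest(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of the key can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Authenticity and integrity together, again in constant time."""
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def tampered_copy(record: bytes) -> Tuple[bytes, str]:
    """The failure mode: an altered record shipped with a freshly computed
    SHA-256 passes a hash-only check, because nothing secret went in."""
    altered = record.replace(b"total=349.00", b"total=1.00")
    return altered, sha256_digest(altered)


def compare_checks(record: bytes = SAMPLE_RECORD) -> Dict[str, bool]:
    """Run both checks against the original and a tampered copy."""
    stored_digest = sha256_digest(record)
    stored_tag = hmac_tag(MAC_KEY, record)
    altered, altered_digest = tampered_copy(record)
    return {
        "hash_accepts_original": verify_sha256(record, stored_digest),
        "hash_accepts_tampered": verify_sha256(altered, altered_digest),  # True: the gap
        "hmac_accepts_original": verify_hmac(MAC_KEY, record, stored_tag),
        "hmac_accepts_tampered": verify_hmac(MAC_KEY, altered, stored_tag),  # False
    }


if __name__ == "__main__":
    for check, outcome in compare_checks().items():
        print(f"{check}: {outcome}")
```

The same reasoning applies to the certificate-pinning bullet: a pin is a hash of a public key the client already trusts, and it only helps because the client stores it out of reach of the network path it is protecting.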

Monitoring and Auditing
● Real-Time Monitoring: Use tools like Splunk for real-time tracking of encryption activities.
● Audit Logs: Maintain secure logs for key access and encryption events.

Regular Security Audits
● Conduct routine security audits and penetration testing to identify vulnerabilities.

Outcome: The implementation of these encryption methods guarantees that INFOAS Music Star's critical data remains secure, even in the event of a data breach, minimizing the risk of data exposure.

Network Security

Network Architecture

Figure 1.1: INFOAS Music Star's network architecture.

● Firewalls: Serve as the first line of defense, filtering incoming and outgoing traffic based on predefined security rules. This ensures only legitimate traffic is allowed while blocking potentially harmful activity.
● Intrusion Detection and Prevention Systems (IDS/IPS): Continuously monitor the network for signs of attacks or unauthorized access. IDS alerts administrators, while IPS can automatically block malicious traffic.

Security Protocols
● IPSec: Used for securing communication between remote users and the store's network through VPNs, ensuring that data in transit remains secure.
● SSL/TLS: Protects web-based communications and payment systems by encrypting data transfers between the customer and the store.
● SSH: Ensures that administrative tasks, such as server management, are securely handled using key-based authentication.

Additional Security Measures
● Endpoint Security: All company devices are protected with antivirus software and regularly updated to prevent malware infections.
● Network Segmentation: VLANs are used to isolate sensitive areas of the network, such as payment processing systems, from general network traffic, reducing the impact of a potential breach.

Outcome: INFOAS Music Star's network security protocols protect the company from a wide range of threats, ensuring secure communications, reliable network traffic monitoring, and strong access control.

Incident Response

Incident Response Plan

Figure 1.2: Flowchart of the Incident Response Plan at INFOAS Music Star.

The Incident Response Plan (IRP) at INFOAS Music Star is a structured approach for detecting, responding to, and recovering from security incidents such as data breaches or system compromises.

● Detection & Identification: Network and payment systems are continuously monitored for suspicious activity, and employees are trained to report phishing attempts or unusual behavior.
● Containment: If a breach is detected, affected systems are immediately disconnected from the network to prevent further damage, and payment systems are suspended temporarily.
● Eradication: IT staff work to remove any malware or compromised software, patch vulnerabilities, and reset compromised credentials.
● Recovery: Once the threat is eradicated, systems are restored from secure backups, and customers are notified of any potential exposure of their data.
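
The "Detection & Identification" step above depends on rules that turn monitored events into alerts, and the alert is what triggers the Containment step. The following is an added example written for this page, not code from the paper or from INFOAS Music Star: a sliding-window rule over constructed POS authentication log lines that raises one alert when a single source address fails to log in more than a threshold number of times within a window, skips malformed lines instead of crashing, and records the containment action the IRP prescribes. The log format, host names, user names, addresses and thresholds are all invented for the example.

```python
"""Added example (not from the INFOAS paper): a failed-login detection rule
run over constructed log lines. THRESHOLD, WINDOW_SECONDS and the log format
are assumptions made for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

THRESHOLD = 5         # failures tolerated inside the window (assumed value)
WINDOW_SECONDS = 60   # sliding window length in seconds (assumed value)

# Constructed sample log in a syslog-like format: six failures from one
# address in eight seconds, one success, one malformed line, and a lone
# failure from a second address.
SAMPLE_LOG = """\
2024-05-02T09:14:01 pos-01 auth: result=fail user=cashier2 src=10.20.30.7
2024-05-02T09:14:03 pos-01 auth: result=fail user=cashier2 src=10.20.30.7
2024-05-02T09:14:04 pos-01 auth: result=ok user=cashier1 src=10.20.30.5
2024-05-02T09:14:05 pos-01 auth: result=fail user=admin src=10.20.30.7
2024-05-02T09:14:06 pos-01 auth: result=fail user=admin src=10.20.30.7
2024-05-02T09:14:08 pos-01 auth: result=fail user=svc-backup src=10.20.30.7
2024-05-02T09:14:09 pos-01 auth: result=fail user=manager src=10.20.30.7
this line is malformed and must be skipped, not crash the rule
2024-05-02T09:20:00 pos-02 auth: result=fail user=cashier3 src=10.20.30.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_failed_logins(log_text: str, threshold: int = THRESHOLD,
                         window: int = WINDOW_SECONDS) -> List[dict]:
    """Count failures per source in a sliding window; one alert per source."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["result"] != "fail":
            continue
        window_q = recent[event["src"]]
        window_q.append(event["ts"])
        # Drop failures that have aged out of the window.
        while (event["ts"] - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) > threshold and event["src"] not in alerted:
            alerted.add(event["src"])
            alerts.append({
                "src": event["src"],
                "host": event["host"],
                "failures": len(window_q),
                "first": window_q[0].isoformat(),
                "last": event["ts"].isoformat(),
                # Containment step from the IRP above.
                "action": "isolate the source, suspend the terminal's payment "
                          "functions, and reset the targeted credentials",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print(alert)
```

Raising one alert per source rather than one per failing line keeps the queue to the on-call responder readable, which is the practical difference between a rule that gets acted on and one that gets muted.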

Roles and Responsibilities

● IT Support: Maintains the systems, ensuring smooth daily operations and overseeing data backups.
● Network Engineer: Responsible for network security and infrastructure management.
● Cybersecurity Personnel: Develops and enforces security policies while also responding to any potential threats.

Real-World Incident Response Examples:

● Target Data Breach (2013): Highlighted the importance of securing third-party vendors to avoid data exposure. INFOAS should implement continuous monitoring and vendor risk assessments to prevent similar incidents.
● Equifax Data Breach (2017): Demonstrates the importance of patch management and having clear communication during a crisis.
● WannaCry Ransomware Attack (2017): Stressed the need for regular backups and employee training on phishing awareness.
● SolarWinds Supply Chain Attack (2020): Shows the necessity of securing the software supply chain and continuously sharing threat intelligence with partners.

Outcome: The IRP minimizes the impact of security incidents, ensuring swift detection, effective containment, and rapid recovery to maintain INFOAS Music Star's operational integrity.

Conclusion

INFOAS Music Star's security framework provides comprehensive protection across multiple fronts, including policies, encryption, network security, and incident response. By implementing these measures, the company ensures compliance with industry standards and the protection of customer and employee data. Regular reviews, employee training, and constant adaptation to new threats will further strengthen the company. Regular reviews of security policies will help identify any gaps or areas for improvement, allowing the company to stay ahead of potential threats.

Furthermore, adapting to new threats is vital in the ever-evolving digital landscape. By staying informed about the latest cybersecurity trends and technologies, INFOAS Music Star can enhance its defenses and respond effectively to incidents. Ultimately, this proactive approach not only safeguards sensitive information but also builds trust with customers and employees, ensuring a secure and reliable environment for all.

In conclusion, by continuously strengthening its security measures, INFOAS Music Star can maintain its reputation as a trusted retailer in the music industry, fostering loyalty among its customers and creating a safer workplace for its employees.

References

[1] Dierks, T., & Rescorla, E. (2008). The transport layer security (TLS) protocol version 1.2. IETF. https://tools.ietf.org/html/rfc5246
[2] Jang-Jaccard, J., & Nepal, S. (2016). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 979-994. https://doi.org/10.1016/j.jcss.2016.01.007
[3] National Institute of Standards and Technology (NIST). (n.d.). Framework for improving critical infrastructure cybersecurity. https://www.nist.gov/cyberframework
[4] National Institute of Standards and Technology (NIST). (n.d.). Special publication 800-53: Security and privacy controls for information systems and organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
[5] National Institute of Standards and Technology (NIST). (n.d.). Advanced encryption standard (AES). https://csrc.nist.gov/publications/detail/fips/197/final
[6] Payment Card Industry Security Standards Council. (2021). PCI data security standard (PCI DSS). https://www.pcisecuritystandards.org/
[7] Radcliffe, J. (2020). Endpoint security: What you need to know. CSO Online. https://www.csoonline.com/article/3400917/endpoint-security-what-you-need-to-know.html
[8] Whitman, M. E., & Mattord, H. J. (2018). Principles of information security. Cengage Learning.
[9] Cloudflare. (2023). What is TLS 1.3 and how does it work? https://www.cloudflare.com/learning/ssl/what-is-tls-1-3/
[10] Amazon Web Services. (2023). AWS Key Management Service (KMS). https://aws.amazon.com/kms/