AB__Assessing Security Culture_ (docx)
School: University of Texas, San Antonio
Course: UTSA-VIRT-
Subject: Information Systems
Date: Dec 6, 2023
Pages: 4
Uploaded by AmbassadorIbex3880
Cybersecurity Module 2 Challenge Submission File
Assessing Security Culture

Make a copy of this document to work in, and then answer each question below the prompt. Save and submit this completed file as your Challenge deliverable.

Step 1: Measure and Set Goals

1. Using outside research, indicate the potential security risks of allowing employees to access work information on their personal devices. Identify at least three potential attacks that can be carried out.

1. Employees might connect to unsecured networks (public Wi-Fi, for example) where an attacker on the same network can intercept or tamper with their traffic.
2. Personal devices are used for many things, so the device can be exposed to malware from sources the company does not control: apps, website links, email attachments, and so on.
3. The device could be lost or stolen, giving whoever finds it access to work information and to the company network.

2. Based on the previous scenario, what is the preferred employee behavior? (For example, if employees were downloading suspicious email attachments, the preferred behavior would be that employees only download attachments from trusted sources.)

1. Employees should connect through the company VPN whenever they access work information, so that their traffic to company resources is encrypted even on untrusted networks.
2. Employees should only interact with verified and official sources: download apps only from official app stores, visit official websites, and click only links they have verified.
3. Employees should keep device-tracking software turned on in case the phone is lost or stolen, use a strong passcode to unlock the device, and enroll in a remote-wipe program so company data can be erased remotely.

3. What methods would you use to measure how often employees are currently not behaving according to the preferred behavior? (For example, conduct a survey to see how often people download email attachments from unknown senders.)

Conduct surveys to see how many employees know what a VPN is and whether they have one set up on their devices. Send controlled phishing emails to employees and record how many fall for the attack.

4. What is the goal that you would like the organization to reach regarding this behavior? (For example, to have less than 5% of employees downloading suspicious email attachments.)

An acceptable and realistic goal would be to have less than 5% of employees falling for phishing attacks, and 100% of employees running the VPN and device-tracking software on their devices.

Step 2: Involve the Right People

5. List at least five employees or departments that should be involved. For each person or department, describe in 2–3 sentences what their role and responsibilities will be.

Chief Information Officer - CIOs typically are responsible for company IT and the computer systems that support the company internally. In this case the CIO should lead the overall effort and be responsible for developing a BYOD (bring your own device) policy that requires employee agreement to company-provided components such as the VPN, device tracking, and remote wiping of company data, stating that "the company data belongs to the company but the device does not." The CIO should acquire the funding, leverage vendors for these programs, and develop a best-practice guide.

Chief Information Security Officer - The CISO should be responsible for implementing the plan, readying the IT department to assist employees with installation on their devices, and readying the cybersecurity team for monitoring. Once the plan is implemented, the CISO should conduct training and manage incident response.

Chief Privacy Officer - The CPO should first review the policy being made to make sure the company is not engaging in malpractice, taking advantage of employees, or encroaching on employees' privacy and rights. The CPO should also monitor that both the company and the employees stay within the bounds of the agreement.

IT Department - The IT department should be ready and responsible to assist the CISO in implementing the plan company-wide. They should assist employees with downloading, installing, and setting up the company-provided components, and make sure that 100% of employees are set up.

Cybersecurity Department - The cybersecurity department should be ready to monitor activity and, ideally, see a decrease in incidents within the company.

Step 3: Training Plan

6. How frequently will you run training? What format will it take (e.g., in-person, online, a combination of both)?

Mandatory in-person training will be held once every six months, plus mandatory training for new hires during onboarding. To supplement training, the CISO will send out a report every two months of best practices and statistics on incidents and activity over the previous two months.

7. What topics will you cover in your training, and why? (This should be the bulk of the deliverable.)

In training we'll cover:
- What phishing is, the different types of phishing attacks, and examples of what they may look like.
- How to verify that the sites, links, and apps we download are legitimate and secure.
- The importance of keeping the VPN enabled, and of deleting company files from personal devices when they are not in use or will no longer be used.
- Company statistics on incidents and breaches over the six months since our last training.

8. After you've run your training, how will you measure its effectiveness?

After training we will continue to closely monitor cyber activity and send controlled phishing emails twice a month to find out who falls victim; an employee who falls for two of these simulated attacks will be required to take supplemental training.

Bonus: Other Solutions

9. List at least two other potential solutions. For each one, indicate the following:
a. What type of control is it? Administrative, technical, or physical?
b. What goal does this control have? Is it preventive, deterrent, detective, corrective, or compensating?
c. What is one advantage of each solution?
d. What is one disadvantage of each solution?

[Enter Solution 1 here]
[Enter Solution 2 here]

© 2020 Trilogy Education Services, a 2U, Inc. brand. All Rights Reserved.
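The phishing-simulation measurement described in questions 3, 4 and 8 (controlled phishing emails, a goal of under 5% of employees falling for them, and supplemental training after two failures) can be scored from campaign results. The script below is an added example and is not part of the submission or of the course materials. The event log format, the campaign identifiers and the employee names are constructed for illustration; a real phishing-simulation platform would export its own format, which the parser would need to be adapted to.

```python
"""Score phishing-simulation campaigns against the goals in this plan.

Added example (not part of the original submission). The log format is
constructed for illustration: one event per line,
    <campaign_id>,<employee_id>,<event>
where event is one of sent, clicked, submitted, reported.
"""
from collections import defaultdict

# Constructed sample events: two campaigns sent to the same five employees.
SAMPLE_EVENTS = """\
2024-01,alice,sent
2024-01,bob,sent
2024-01,carol,sent
2024-01,dave,sent
2024-01,erin,sent
2024-01,bob,clicked
2024-01,bob,submitted
2024-01,carol,reported
2024-01,dave,clicked
2024-01,dave,clicked
2024-02,alice,sent
2024-02,bob,sent
2024-02,carol,sent
2024-02,dave,sent
2024-02,erin,sent
2024-02,bob,clicked
2024-02,alice,reported
2024-02,erin,reported
"""

FAIL_EVENTS = {"clicked", "submitted"}  # either one counts as "fell for it"
FAILURE_RATE_GOAL = 0.05                # question 4: fewer than 5% of employees
REMEDIATION_THRESHOLD = 2               # question 8: training after 2 failures


def parse_events(text):
    """Yield (campaign, employee, event) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue
        yield tuple(p.strip() for p in parts)


def score_campaigns(events):
    """Per campaign: recipient count, failure rate, report rate, goal status.

    Sets are used rather than counters so that an employee who clicks twice,
    or clicks and then submits credentials, is counted as one failure. Only
    employees who were actually sent the lure are counted, which keeps stray
    events (forwarded lures, test accounts) out of the rate.
    """
    campaigns = defaultdict(lambda: {"sent": set(), "failed": set(), "reported": set()})
    for campaign, employee, event in events:
        c = campaigns[campaign]
        if event == "sent":
            c["sent"].add(employee)
        elif event in FAIL_EVENTS:
            c["failed"].add(employee)
        elif event == "reported":
            c["reported"].add(employee)

    results = {}
    for campaign, c in sorted(campaigns.items()):
        sent = len(c["sent"])
        failed = c["failed"] & c["sent"]
        reported = c["reported"] & c["sent"]
        failure_rate = len(failed) / sent if sent else 0.0
        results[campaign] = {
            "sent": sent,
            "failure_rate": failure_rate,
            "report_rate": len(reported) / sent if sent else 0.0,
            "meets_goal": sent > 0 and failure_rate < FAILURE_RATE_GOAL,
            "failed": sorted(failed),
        }
    return results


def remediation_list(results, threshold=REMEDIATION_THRESHOLD):
    """Employees who failed `threshold` or more distinct campaigns."""
    counts = defaultdict(int)
    for r in results.values():
        for employee in r["failed"]:
            counts[employee] += 1
    return sorted(e for e, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    results = score_campaigns(parse_events(SAMPLE_EVENTS))
    for campaign, r in results.items():
        print(f"{campaign}: {r['failure_rate']:.0%} failed, "
              f"{r['report_rate']:.0%} reported, goal met: {r['meets_goal']}")
    print("needs supplemental training:", remediation_list(results))
```

The report rate is tracked alongside the failure rate because a rising share of employees reporting the lure is the behaviour the training is meant to produce, and it shows improvement even in months when the failure rate has not yet dropped below the goal.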