IT 253 Project One Memo


School

Southern New Hampshire University

Course

253

Subject

Information Systems

Date

Dec 6, 2023

IT 253 Project One

DATE: 10/06/23
TO: Company Leadership
FROM: Information Security Manager
SUBJECT: Recommendations to Address the Identified Security Risks: Memo

Introduction:

Our company was founded in 1993 as a small family-run business with a single storefront. Strong demand for our competitively priced, quality products allowed us to expand quickly to over 250 locations and 850 employees, and annual revenue soon reached $110 million. In 2015, facing increased competition and the cost of running 250 locations, the company closed all of its brick-and-mortar stores and moved to an online-only model. Because we offer customized features for our users and a high level of customer service, the company has continued to thrive in this niche market even after such a massive overhaul.

Our business objectives include growth into the global market and a 20% increase in revenue. Both will in turn increase our security exposure, and the objectives recognize this so that the proper measures can be put in place to prevent cyberattacks that could disrupt business continuity. The objectives also call for our policies and procedures to be aligned with one another and for the company to remain in compliance with the Sarbanes-Oxley Act (SOX). Our primary concern is any disruption to the e-commerce website or the manufacturing supply chain systems, whether from a cyberattack in general or from ransomware in particular, both of which the company has lingering concerns about.

Laws and Regulations:

The security team's goal is to give the company the highest practical level of security through our internal policies. Beyond that, there are requirements set by law and regulation that a company subject to them must meet. The Sarbanes-Oxley Act was enacted to protect shareholders. It does not name specific technical controls; Section 404 requires management to maintain and assess internal controls over financial reporting, and the IT general controls that auditors test against that requirement cover both physical and system access. In practice this means a formal change control process for the systems that handle financial data (usually enforced through the software development life cycle, SDLC, rather than being the same thing as it), regular backups of our systems and data with a tested restoration capability, and security controls that detect, stop, and remediate data breaches.

Technical Controls:

The consultant's report identified several risks, and mitigating them requires several controls.

The first is the use of WEP (Wired Equivalent Privacy) on our wireless network. WEP is the oldest and weakest Wi-Fi encryption protocol; its keys can be recovered from captured traffic in minutes with freely available tools, so anyone in radio range can effectively join the network. I recommend that we replace it with WPA2 (Wi-Fi Protected Access 2) using AES-CCMP, or WPA3 where our access points support it. Two caveats: the original WPA, and WPA2 configured with TKIP, are also deprecated and should not be treated as a fix, and with 850 employees a single shared passphrase is hard to rotate when someone leaves, so WPA2/WPA3-Enterprise (802.1X with per-user credentials) is the better target.

The second is the lack of backup power for our servers. To avoid interruptions to business continuity, every server should be on an uninterruptible power supply (UPS) to ride through short outages and allow a graceful shutdown, backed by a generator for longer failures of the main power source.

The third is that company workstations were found unattended and still logged in, exposing them to unwanted access, potentially by outside parties. An inactivity timeout that locks the screen after a short idle period, enforced centrally by policy rather than left to each user, together with training users to lock their workstations when they step away, will close this gap and put the security of our company and network on the right path.

Administrative Controls:

For our administrative controls we have identified three areas for improvement.

The first is the company's outdated Information Security Policy. It needs to be revised, reviewed, and published, followed by user training for all employees.

The second is employee awareness of suspicious phishing emails that they may not know how to handle. Employees will be trained in the proper handling of these messages, including reporting them through a spam or phishing-report add-in of the kind most email services provide, rather than replying or clicking links. Monthly phishing tests and posted awareness bulletins will provide regular reminders.

The third is the absence of a Disaster Recovery plan, which is crucial in the event of a cyberattack or ransomware incident. The plan must be documented and tested (tabletop exercises and actual restores) to be sure it works in an emergency, and the backups it depends on must be kept where ransomware on the production network cannot reach them, or the plan will fail in exactly the situation it is meant for.

Physical Controls:

The consultant's report highlighted several failures. Physical controls, and the Physical Security Policy (PSP), are in place to protect data, equipment, and people from attack.

The first failure was that the audit team gained access to the headquarters building without a valid identification badge, by tailgating an employee through the entrance. Any uncontrolled access to headquarters is a major security issue, but there are several ways to correct it. One option is to place a security guard at the entrance to physically check and verify each person entering the building and keep a log of visitors; this ensures that no one without permission gets in by following an employee. Badge-controlled turnstiles or a mantrap at the entrance would enforce one badge per person mechanically and reduce reliance on the guard's attention.

The second failure was uncontrolled access to the data center: as it stands, any employee with a badge can enter. Badge access to the data center should be restricted to the employees whose roles require it, with everyone else's access removed, and surveillance monitoring should be put in place to record and review who enters.

Business Impact:

Implementing the changes suggested in this memo will have business impacts of its own. Most of our stakeholders will need to engage and weigh the risks against the cost of each change to the company's policies and procedures. Because the stakeholders need to understand what will change and what it will cost, they must be directly involved in order to gain their support and to avoid missed requirements and rework. Their involvement in our business impact assessments is also how we identify risks to the longevity of the company.

Conclusion:

By implementing these recommended controls we can begin to prevent cyberattacks against our company. We must understand, however, that this work will continue to evolve because cybercriminals are relentless, and these controls can be expanded as threats increase. This foundation will help build consumer trust while we pursue our business objective of global expansion. Building multiple layers of security makes it harder for a criminal to breach every layer.
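The WEP finding in Technical Controls above is the one control in this memo that can be verified directly from configuration. The following is an added example, not part of the memo or the consultant's report: a small Python audit that reads hostapd-style (key=value) access point configs and grades them, so that "we moved off WEP" can be checked rather than assumed. It assumes the access points accept hostapd.conf syntax (the memo does not name the hardware); the four sample configs, the SSID, the passphrase and the RADIUS address are constructed placeholders. It goes one step beyond the memo by also flagging WPA version 1, TKIP and a single shared passphrase, which are the usual ways a WEP replacement ends up weaker than intended.

```python
"""Audit hostapd-style AP configs for the wireless weaknesses discussed above.

Added example, not from the memo or the consultant's report. Assumes the access
points take hostapd.conf key=value syntax (the memo names no hardware); the
four configs below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed: the state the consultant found (hostapd's wep_* settings, no wpa=).
WEP_CONFIG = """\
ssid=CorpWiFi
wep_default_key=0
wep_key0=1234567890abc
"""

# Constructed: a cosmetic "upgrade". wpa=3 still offers WPA1, and TKIP is allowed.
WPA_MIXED_CONFIG = """\
ssid=CorpWiFi
wpa=3
wpa_passphrase=CorpWiFi2023!
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

# Constructed: WPA2 with AES-CCMP only, but one passphrase shared by everyone.
WPA2_PSK_CONFIG = """\
ssid=CorpWiFi
wpa=2
wpa_passphrase=CorpWiFi2023!
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

# Constructed: recommended end state, WPA2-Enterprise (802.1X via RADIUS),
# CCMP only. The RADIUS address and shared secret are placeholders.
WPA2_ENTERPRISE_CONFIG = """\
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-me
"""


@dataclass
class AuditResult:
    grade: str                                # "fail", "warn" or "pass"
    findings: list[str] = field(default_factory=list)


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and # comments (hostapd syntax)."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(text: str) -> AuditResult:
    """Grade one AP config: fail on WEP/open/WPA1/TKIP, warn on a shared PSK."""
    cfg = parse_hostapd(text)
    fail: list[str] = []
    warn: list[str] = []
    wep = "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg)
    wpa = cfg.get("wpa")  # hostapd: 1=WPA, 2=WPA2/RSN, 3=both

    if wep:
        fail.append("WEP enabled: RC4 key recoverable from captured traffic in minutes; remove wep_* and move to WPA2/WPA3")
    if wpa is None and not wep:
        fail.append("open network: no wpa= and no WEP, traffic is sent in the clear")
    if wpa in ("1", "3"):
        fail.append(f"WPA version 1 offered (wpa={wpa}); set wpa=2 so only WPA2 (RSN) is negotiated")
    if wpa in ("2", "3"):
        # hostapd falls back to wpa_pairwise for WPA2 when rsn_pairwise is not set.
        ciphers = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
        if not ciphers:
            fail.append("pairwise cipher not pinned; set rsn_pairwise=CCMP explicitly")
        elif "TKIP" in ciphers:
            fail.append(f"TKIP still permitted ({' '.join(ciphers)}); allow CCMP only")
        key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()  # hostapd default is WPA-PSK
        if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
            warn.append("shared passphrase (WPA-PSK): one secret for 850 staff cannot be rotated per user; prefer WPA-EAP (802.1X) or SAE (WPA3)")
        if "WPA-EAP" in key_mgmt and cfg.get("ieee8021x") != "1":
            fail.append("WPA-EAP selected but ieee8021x=1 is missing, so RADIUS authentication is not enabled")

    grade = "fail" if fail else ("warn" if warn else "pass")
    return AuditResult(grade, fail + warn)


if __name__ == "__main__":
    for name, text in [("WEP", WEP_CONFIG), ("WPA/WPA2 mixed", WPA_MIXED_CONFIG),
                       ("WPA2-PSK", WPA2_PSK_CONFIG), ("WPA2-Enterprise", WPA2_ENTERPRISE_CONFIG)]:
        result = audit(text)
        print(name, result.grade, *("\n  - " + f for f in result.findings))
```

Run as a script it prints one grade per sample: the WEP and mixed WPA/WPA2 configs fail, WPA2-PSK with CCMP is graded warn because of the shared passphrase, and the WPA2-Enterprise config passes with no findings. Pointing parse_hostapd at the real configuration files (or at settings exported from a vendor controller into the same key=value form) turns the WEP remediation into a repeatable check that can be kept as evidence for the SOX control review.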